CWE - CWE-260: Password in Configuration File (2.1)

Home > CWE List > CWE- Individual Dictionary Definition (2.1)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS
CWRAF
T-Shirt

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Coverage Claims Representation
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-260: Password in Configuration File

Password in Configuration File

Weakness ID: 260 (Weakness Variant)

Status: Incomplete

Description

Description Summary

The software stores a password in a configuration file that might be accessible to actors who do not know the password.

Extended Description

This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing.

Time of Introduction

Architecture and Design
Implementation

Applicable Platforms

Languages

All

Common Consequences

Scope	Effect
Access Control	Technical Impact: Gain privileges / assume identity

Demonstrative Examples

Example 1

Below is a snippet from a Java properties file in which the LDAP server password is stored in plaintext.

(Bad Code)

Example Language: Java

webapp.ldap.username=secretUsername

webapp.ldap.password=secretPassword

Potential Mitigations

Avoid storing passwords in easily accessible locations.

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	254	Security Features	Development Concepts699 Seven Pernicious Kingdoms (primary)700
ChildOf	Weakness Base	522	Insufficiently Protected Credentials	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Category	632	Weaknesses that Affect Files or Directories	Resource-specific Weaknesses (primary)631
ParentOf	Weakness Variant	13	ASP.NET Misconfiguration: Password in Configuration File	Research Concepts (primary)1000
ParentOf	Weakness Variant	258	Empty Password in Configuration File	Development Concepts (primary)699 Research Concepts (primary)1000

Affected Resources

File/Directory

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
7 Pernicious Kingdoms			Password Management: Password in Configuration File

References

J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security Problems the Right Way". 2002.

Content History

Submissions
Submission Date	Submitter	Organization	Source
	7 Pernicious Kingdoms		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Sean Eidemiller	Cigital	External
2008-07-01	added/updated demonstrative examples
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time_of_Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Taxonomy_Mappings
2008-10-14	CWE Content Team	MITRE	Internal
2008-10-14	updated Description
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences

Page Last Updated: September 12, 2011


	CWE is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2012, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us