Example 1
This code changes a user's password.
(Bad Code)
Example
Language: PHP
$user = $_GET['user'];
$pass = $_GET['pass'];
$checkpass = $_GET['checkpass'];
if ($pass == $checkpass) {
SetUserPassword($user, $pass);
}
While the code confirms that the requesting user typed the same new
password twice, it does not confirm that the user requesting the
password change is the same user whose password will be changed. An
attacker can request a change of another user's password and gain
control of the victim's account.
Example 2
The following code reads a password from a properties file and uses
the password to connect to a database.
(Bad Code)
Example
Language: Java
...
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String password = prop.getProperty("password");
DriverManager.getConnection(url, usr, password);
...
This code will run successfully, but anyone who has access to
config.properties can read the value of password. If a devious employee
has access to this information, they can use it to break into the
system.
Example 3
The following code reads a password from the registry and uses the
password to create a new network credential.
(Bad Code)
Example
Language: Java
...
String password = regKey.GetValue(passKey).toString();
NetworkCredential netCred = new
NetworkCredential(username,password,domain);
...
This code will run successfully, but anyone who has access to the
registry key used to store the password can read the value of password.
If a devious employee has access to this information, they can use it to
break into the system
Example 4
Both of these examples verify a password by comparing it to a stored
compressed version.
(Bad Code)
Example Languages: C and C++
int VerifyAdmin(char *password) {
if (strcmp(compress(password), compressed_password)) {
printf("Incorrect Password!\n");
return(0);
}
printf("Entering Diagnostic Mode...\n");
return(1);
}
(Bad Code)
Example
Language: Java
int VerifyAdmin(String password) {
if (passwd.Equals(compress(password), compressed_password))
{
}
//Diagnostic Mode
return(1);
}
Because a compression algorithm is used instead of a one way hashing
algorithm, an attacker can recover compressed passwords stored in the
database.
Example 5
The following examples show a portion of properties and
configuration files for Java and ASP.NET applications. The files include
username and password information but they are stored in
plaintext.
This Java example shows a properties file with a plaintext username /
password pair.
(Bad Code)
Example
Language: Java
# Java Web App ResourceBundle properties file
...
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
...
The following example shows a portion of a configuration file for an
ASP.Net application. This configuration file includes username and
password information for a connection to a database but the pair is
stored in plaintext.
(Bad Code)
Example
Language: ASP.NET
...
<connectionStrings>
<add name="ud_DEV" connectionString="connectDB=uDB;
uid=db2admin; pwd=password; dbalias=uDB;"
providerName="System.Data.Odbc" />
</connectionStrings>
...
Username and password information should not be included in a configuration file or a properties file in plaintext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information and avoid CWE-260 and CWE-13.
Description
