CWE-312: Cleartext Storage of Sensitive Information

Description Summary

The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Extended Description

Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

Common Consequences

Scope | Technical Impact | Note
Confidentiality | Read application data | An attacker with access to the system could read sensitive information stored in cleartext.

Demonstrative Examples

Example - 1

The following code excerpt stores a plaintext user account ID in a browser cookie.

response.addCookie(new Cookie("userAccountID", acctID));

Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.

2013/05/30 13:23

Example - 2

This code writes a user's login information to a cookie so the user does not have to login again later.

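function persistLogin($username, $password){
    // Vulnerable: the username and password go into the cookie in plaintext.
    $data = array("username" => $username, "password" => $password);
    // setcookie() takes a string value, so the array is serialized as JSON.
    setcookie("userdata", json_encode($data));
}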

The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie.

Note that this example code also exhibits Plaintext Storage in a Cookie (CWE-315).
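A hardened counterpart to persistLogin, as an added example that is not part of the original CWE entry: the cookie carries only a random token, and the server keeps a hash of it, so neither the cookie nor the server-side store holds the password. The in-memory dictionary, the cookie name "remember" and the 14-day lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Hypothetical in-memory store standing in for a server-side database table.
# Maps SHA-256(token) -> (username, expiry); the raw token is never stored.
_TOKENS = {}

TOKEN_TTL = 14 * 24 * 3600  # assumed lifetime: 14 days, in seconds


def persist_login(username, now=None):
    """Issue a remember-me cookie that carries no credentials."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    _TOKENS[digest] = (username, now + TOKEN_TTL)
    # Attributes the web framework should set on the cookie: HttpOnly keeps
    # injected script (CWE-79) from reading it, Secure keeps it off plain HTTP.
    return {"name": "remember", "value": token, "httponly": True,
            "secure": True, "samesite": "Lax", "max_age": TOKEN_TTL}


def resume_login(cookie_value, now=None):
    """Return the username for a valid token and consume it, else None.

    The token is single use; the caller issues a fresh one with
    persist_login() after a successful resume.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(cookie_value.encode()).hexdigest()
    entry = _TOKENS.pop(digest, None)
    if entry is None:
        return None
    username, expiry = entry
    return username if now <= expiry else None


def revoke_all(username):
    """Server-side logout: drop every outstanding token for the user."""
    for digest in [d for d, (u, _) in _TOKENS.items() if u == username]:
        del _TOKENS[digest]
```

A copied cookie still grants a session until it is used, revoked or expired, but it never discloses the password and the server can invalidate it.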

Example - 3

The following code attempts to establish a connection, read in a password, then store it to a buffer.

server.sin_family = AF_INET;
hp = gethostbyname(argv[1]);
if (hp == NULL) error("Unknown host");
memcpy((char *)&server.sin_addr, (char *)hp->h_addr, hp->h_length);
/* The optional port is the second argument, argv[2]. */
if (argc < 3) port = 80;
else port = (unsigned short)atoi(argv[2]);
server.sin_port = htons(port);
if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0) error("Connecting");
...
/* Stop on end of stream (0) as well as on error (-1). */
while ((n = read(sock, buffer, BUFSIZE - 1)) > 0) {
    /* Vulnerable: the data is written out without being encrypted. */
    write(dfd, password_buffer, n);
    ...
}

While successful, the program does not encrypt the data before writing it to a buffer, possibly exposing it to unauthorized actors.

Example - 4

The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in plaintext.

This Java example shows a properties file with a plaintext username / password pair.

# Java Web App ResourceBundle properties file 
... 
webapp.ldap.username=secretUsername 
webapp.ldap.password=secretPassword 
... 

The following example shows a portion of a configuration file for an ASP.NET application. This configuration file includes username and password information for a connection to a database, but the pair is stored in plaintext.

... 
<connectionStrings> 
<add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /> 
</connectionStrings> 
... 

Username and password information should not be included in a configuration file or a properties file in plaintext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information and avoid CWE-260 and CWE-13.
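A check for this pattern that can run in code review or CI, as an added example that is not part of the original CWE entry: it flags secret-looking keys whose values are literals, in both the properties format and the connectionString attribute shown above. The key-name list and the `${VAR}` / `ENC(...)` conventions treated as "not a literal secret" are assumptions; adapt them to the code base.

```python
import re

# Key names that usually hold a secret (assumed list; extend per code base).
SECRET_KEY = re.compile(r"(password|passwd|pwd|secret|token|apikey)$", re.I)
# Values that are indirection or ciphertext rather than a literal secret
# (assumed conventions: ${VAR} placeholders, ENC(...) wrappers, or empty).
INDIRECT = re.compile(r"^(\$\{[^}]+\}|ENC\(.+\)|)$")
CONN_ATTR = re.compile(r'connectionString\s*=\s*"([^"]*)"', re.I)

# Sample inputs: the two configuration excerpts from Example 4.
PROPERTIES = """# Java Web App ResourceBundle properties file
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
"""
WEB_CONFIG = """<connectionStrings>
<add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
</connectionStrings>
"""


def _check(key, value, lineno, findings):
    key, value = key.strip(), value.strip()
    last = key.split(".")[-1]  # webapp.ldap.password -> password
    if SECRET_KEY.search(last) and not INDIRECT.match(value):
        findings.append((lineno, key))


def scan_config(text):
    """Return [(line_number, key)] for secrets stored as literal values."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        m = CONN_ATTR.search(stripped)
        if m:  # ASP.NET style: "k=v; k=v;" pairs inside the attribute
            for pair in m.group(1).split(";"):
                if "=" in pair:
                    _check(*pair.split("=", 1), lineno, findings)
        elif "=" in stripped and not stripped.startswith("<"):
            _check(*stripped.split("=", 1), lineno, findings)
    return findings
```

Findings report the line and key only, so the scanner's own output does not copy the secret into build logs.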

Observed Examples

Reference | Description
CVE-2009-2272 | password and username stored in cleartext in a cookie
CVE-2009-1466 | password stored in cleartext in a file with insecure permissions
CVE-2009-0152 | chat program disables SSL in some circumstances even when the user says to use SSL.
CVE-2009-1603 | Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
CVE-2009-0964 | storage of unencrypted passwords in a database
CVE-2008-6157 | storage of unencrypted passwords in a database
CVE-2008-6828 | product stores a password in cleartext in memory
CVE-2008-1567 | storage of a secret key in cleartext in a temporary file
CVE-2008-0174 | SCADA product uses HTTP Basic Authentication, which is not encrypted
CVE-2007-5778 | login credentials stored unencrypted in a registry key
CVE-2001-1481 | Plaintext credentials in world-readable file.
CVE-2005-1828 | Password in cleartext in config file.
CVE-2005-2209 | Password in cleartext in config file.
CVE-2002-1696 | Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.
CVE-2004-2397 | Plaintext storage of private key and passphrase in log file when user imports the key.
CVE-2002-1800 | Admin password in plaintext in a cookie.
CVE-2001-1537 | Default configuration has cleartext usernames/passwords in cookie.
CVE-2001-1536 | Usernames/passwords in cleartext in cookies.
CVE-2005-2160 | Authentication information stored in cleartext in a cookie.
cwe/cn/definition/312.txt · Last modified: 2014/09/04 14:32 (external edit)