J2EE Misconfiguration: Plaintext Password in Configuration File

Status: Draft
Abstraction: Variant
Structure: Simple
Description

The J2EE application stores a plaintext password in a configuration file.

Extended Description

Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers.

Common Consequences
Scope: Access Control

Impact: Bypass Protection Mechanism

Potential Mitigations
Phase: Architecture and Design
Do not hardwire passwords into your software.
Phase: Architecture and Design
Use industry standard libraries to encrypt passwords before storage in configuration files.
Demonstrative Examples
Below is a snippet from a Java properties file in which the LDAP server password is stored in plaintext.

Code Example (Bad), Java:
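As an added example (not part of the CWE entry), the following Python check parses a Java .properties file and flags credential-like keys whose values are stored in plaintext. The ENC(...) and ${VAR} forms it accepts as non-plaintext are assumed conventions (Jasypt-style encrypted values and runtime placeholders), and the sample file is constructed.

```python
"""Flag plaintext credentials in Java .properties files (added example)."""
import re

# Keys that usually hold credentials (heuristic list, an assumption).
SENSITIVE_KEY = re.compile(r"(password|passwd|pwd|secret|credential)s?$", re.IGNORECASE)
# Values that are not plaintext: ENC(...) is the Jasypt encrypted-value
# convention, ${VAR} a placeholder resolved from the environment at runtime.
NOT_PLAINTEXT = re.compile(r"^(ENC\(.*\)|\$\{[^}]+\})$")


def parse_properties(text):
    """Minimal .properties parser: key=value or key:value, '#'/'!' comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            entries.append((lineno, m.group(1), m.group(2)))
    return entries


def find_plaintext_secrets(text):
    """Return (lineno, key) for every sensitive key whose value is plaintext."""
    findings = []
    for lineno, key, value in parse_properties(text):
        if SENSITIVE_KEY.search(key) and value and not NOT_PLAINTEXT.match(value):
            findings.append((lineno, key))
    return findings


# Constructed sample mirroring the entry's scenario: an LDAP password in the clear.
SAMPLE = """\
# LDAP connection settings (constructed sample)
ldap.url=ldap://ldap.example.internal:389
ldap.username=cn=svc-app,ou=service,dc=example,dc=internal
ldap.password=Winter2024!
db.password=ENC(3f1b...)
mail.password=${MAIL_PASSWORD}
"""

if __name__ == "__main__":
    for lineno, key in find_plaintext_secrets(SAMPLE):
        print(f"line {lineno}: '{key}' holds a plaintext credential")
```

Only ldap.password is reported; the encrypted and placeholder values pass, which is the shape the mitigation above asks for.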
Modes of Introduction
Architecture and Design
Implementation
Related Weaknesses