CWE-312: Cleartext Storage of Sensitive Information

Structure: Simple

Abstraction: Base

Status: Draft

Likelihood of Exploit: Unknown

Description

The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Extended Description

Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

Related Weaknesses

  • ChildOf CWE-311 (View 1000, Primary)

  • ChildOf CWE-311 (View 1003, Primary)

  • ChildOf CWE-311 (View 699, Primary)

  • ChildOf CWE-922 (View 1000)

  • ChildOf CWE-922 (View 699)

Applicable Platforms

Language: Language-Independent (Prevalence: Undetermined)

Paradigm: Mobile (Prevalence: Undetermined)

Common Consequences

Scope | Impact | Note
Confidentiality | Read Application Data | An attacker with access to the system could read sensitive information stored in cleartext.

Demonstrative Examples

The following code excerpt stores a plaintext user account ID in a browser cookie.

(bad code) Example Language: Java

```java
// The account ID is sent to the client unprotected: anyone who can read the
// browser's cookie store can read it.
response.addCookie(new Cookie("userAccountID", acctID));
```

Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.

This code writes a user's login information to a cookie so the user does not have to log in again later.

(bad code) Example Language: PHP

```php
function persistLogin($username, $password) {
    // Username and password are written to the client in cleartext; nothing here protects them.
    $data = array("username" => $username, "password" => $password);
    // setcookie() requires a string value, so the array is serialised before it is stored.
    setcookie("userdata", json_encode($data));
}
```

The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie.

Note that this example also exhibits Plaintext Storage in a Cookie (CWE-315).
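The two cookie examples above store the sensitive value itself on the client. The following added Python example (not part of the CWE entry) contrasts that with the pattern that removes the weakness: the cookie carries only an opaque random handle, and the account identity stays in a server-side store. It also shows why merely encoding a credential, as the extended description warns, is not a mitigation. The cookie name `session` and the store interface are assumptions of this example.

```python
import base64
import json
import secrets
from typing import Optional

# Weak pattern from the cookie examples above: the credential is only encoded.
def weak_cookie_value(username: str, password: str) -> str:
    """Base64 is an encoding, not protection; anyone holding the cookie reverses it."""
    payload = json.dumps({"username": username, "password": password})
    return base64.b64encode(payload.encode()).decode()

def decode_weak_cookie(value: str) -> dict:
    """Recover the stored data with no key at all: encoding is not a mitigation."""
    return json.loads(base64.b64decode(value))

# Hardened pattern: the cookie holds only an opaque random handle; the sensitive
# data stays in a store inside the server's control sphere.
class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}      # token -> account identity

    def create(self, account_id: str) -> str:
        token = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
        self._sessions[token] = account_id
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)

def set_cookie_header(token: str) -> str:
    """Set-Cookie value for the opaque handle (cookie name is assumed). HttpOnly keeps
    page script (the CWE-79 case) from reading it; Secure keeps it off cleartext
    transports; SameSite limits cross-site submission."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Strict"
```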

The following code attempts to establish a connection, read in a password, then store it to a buffer.

(bad code) Example Language: C

```c
server.sin_family = AF_INET;
hp = gethostbyname(argv[1]);
if (hp == NULL) error("Unknown host");
memcpy((char *)&server.sin_addr, (char *)hp->h_addr, hp->h_length);
if (argc < 3) port = 80;
else port = (unsigned short)atoi(argv[2]);
server.sin_port = htons(port);
if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0) error("Connecting");
...
while ((n = read(sock, buffer, BUFSIZE - 1)) != -1) {
    /* The password is written out exactly as received: no encryption before storage. */
    write(dfd, password_buffer, n);
    ...
```

While successful, the program does not encrypt the data before writing it to a buffer, possibly exposing it to unauthorized actors.

The following examples show portions of a properties file and a configuration file for Java and ASP.NET applications. Both files include username and password information, but it is stored in plaintext.

This Java example shows a properties file with a plaintext username / password pair.

(bad code) Example Language: Java

```properties
# Java Web App ResourceBundle properties file
...
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
...
```

The following example shows a portion of a configuration file for an ASP.NET application. This configuration file includes username and password information for a connection to a database, but the pair is stored in plaintext.

(bad code) Example Language: ASP.NET

```xml
...
<connectionStrings>
<add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
</connectionStrings>
...
```

Username and password information should not be included in a configuration file or a properties file in plaintext, since anyone who can read the file then has access to the resource. If possible, encrypt this information and avoid CWE-260 and CWE-13.
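As an added illustration (not part of the CWE entry), the Python below scans the two configuration formats shown above for literal secret values and shows one way of removing them: the file names an environment variable instead of holding the secret, and the value is resolved when the application loads. The `${ENV:NAME}` reference syntax, the key list and the sample inputs are assumptions constructed for this example.

```python
import os
import re
import xml.etree.ElementTree as ET

# Keys whose literal values are treated as stored secrets (case-insensitive).
SECRET_KEYS = re.compile(r"(password|passwd|pwd|secret)$", re.IGNORECASE)
# Accepted indirection (assumed syntax): the file names an environment variable.
ENV_REF = re.compile(r"^\$\{ENV:([A-Z][A-Z0-9_]*)\}$")

def is_cleartext_secret(key: str, value: str) -> bool:
    return bool(SECRET_KEYS.search(key) and value and not ENV_REF.match(value))

def scan_properties(text: str) -> list[tuple[str, str]]:
    """(key, value) pairs in a Java .properties file that hold a cleartext secret."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if is_cleartext_secret(key, value):
            findings.append((key, value))
    return findings

def scan_connection_strings(xml_text: str) -> list[tuple[str, str]]:
    """(connection name, key) for ASP.NET <connectionStrings> entries with a literal pwd."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        for pair in add.get("connectionString", "").split(";"):
            if "=" in pair:
                k, v = (p.strip() for p in pair.split("=", 1))
                if is_cleartext_secret(k, v):
                    findings.append((add.get("name"), k))
    return findings

def resolve(value: str, env=os.environ) -> str:
    """Load-time resolution of ${ENV:NAME}; raises KeyError if the secret is absent."""
    m = ENV_REF.match(value)
    if not m:
        return value
    return env[m.group(1)]

# Constructed samples modelled on the page's two configuration snippets.
PROPERTIES = """# Java Web App ResourceBundle properties file
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
"""
WEB_CONFIG = """<connectionStrings>
<add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
</connectionStrings>"""
```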

Observed Examples

Reference | Description | Link
CVE-2009-2272 | Password and username stored in cleartext in a cookie. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2272
CVE-2009-1466 | Password stored in cleartext in a file with insecure permissions. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1466
CVE-2009-0152 | Chat program disables SSL in some circumstances even when the user says to use SSL. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0152
CVE-2009-1603 | Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1603
CVE-2009-0964 | Storage of unencrypted passwords in a database. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0964
CVE-2008-6157 | Storage of unencrypted passwords in a database. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6157
CVE-2008-6828 | Product stores a password in cleartext in memory. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6828
CVE-2008-1567 | Storage of a secret key in cleartext in a temporary file. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1567
CVE-2008-0174 | SCADA product uses HTTP Basic Authentication, which is not encrypted. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0174
CVE-2007-5778 | Login credentials stored unencrypted in a registry key. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5778
CVE-2001-1481 | Plaintext credentials in world-readable file. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1481
CVE-2005-1828 | Password in cleartext in config file. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1828
CVE-2005-2209 | Password in cleartext in config file. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2209
CVE-2002-1696 | Decrypted copy of a message written to disk given a combination of options and when the user replies to an encrypted message. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1696
CVE-2004-2397 | Plaintext storage of private key and passphrase in log file when the user imports the key. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2397
CVE-2002-1800 | Admin password in plaintext in a cookie. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1800
CVE-2001-1537 | Default configuration has cleartext usernames/passwords in cookie. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1537
CVE-2001-1536 | Usernames/passwords in cleartext in cookies. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1536
CVE-2005-2160 | Authentication information stored in cleartext in a cookie. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2160

Notes

Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Plaintext Storage of Sensitive Information
Software Fault Patterns | SFP23 | | Exposed Data

Related Attack Patterns

  • CAPEC-37

References