CWE-555 J2EE误配置：在配置文件中明文存储口令

J2EE Misconfiguration: Plaintext Password in Configuration File

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: unkown

基本描述

The J2EE application stores a plaintext password in a configuration file.

扩展描述

Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 522 cwe_View_ID: 1000 cwe_Ordinal: Primary

常见的影响

可能的缓解方案

Architecture and Design

策略:

Do not hardwire passwords into your software.

Architecture and Design

策略:

Use industry standard libraries to encrypt passwords before storage in configuration files.

示例代码

例

Below is a snippet from a Java properties file in which the LDAP server password is stored in plaintext.

bad Java