[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244625

 
 

909

 
 

193379

 
 

277

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Cleartext Storage of Sensitive Information

ID: 312Date: (C)2012-05-14   (M)2022-10-10
Type: weaknessStatus: DRAFT
Abstraction Type: Base





Description

The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere, when the information should be encrypted or otherwise protected.

Extended Description

Because the information is stored in cleartext, attackers could potentially read it.

Applicable Platforms
None

Time Of Introduction

  • Architecture and Design

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Confidentiality
 
Read application data
 
An attacker with access to the system could read sensitive information stored in cleartext.
 

Detection Methods
None

Potential Mitigations
None

Relationships

Related CWETypeViewChain
CWE-312 ChildOf CWE-895 Category CWE-888  

Demonstrative Examples   (Details)

  1. The following code attempts to establish a connection, read in a password, then store it to a buffer. (Demonstrative Example Id DX-41)
  2. The following code excerpt stores a plaintext user account ID in a browser cookie. (Demonstrative Example Id DX-44)
  3. The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in plaintext. (Demonstrative Example Id DX-43)
  4. This code writes a user's login information to a cookie so the user does not have to login again later. (Demonstrative Example Id DX-40)

Observed Examples

  1. CVE-2009-2272 : password and username stored in cleartext in a cookie
  2. CVE-2009-1466 : password stored in cleartext in a file with insecure permissions
  3. CVE-2009-0152 : chat program disables SSL in some circumstances even when the user says to use SSL.
  4. CVE-2009-1603 : Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
  5. CVE-2009-0964 : storage of unencrypted passwords in a database
  6. CVE-2008-6157 : storage of unencrypted passwords in a database
  7. CVE-2008-6828 : product stores a password in cleartext in memory
  8. CVE-2008-1567 : storage of a secret key in cleartext in a temporary file
  9. CVE-2008-0174 : SCADA product uses HTTP Basic Authentication, which is not encrypted
  10. CVE-2007-5778 : login credentials stored unencrypted in a registry key
  11. CVE-2001-1481 : Plaintext credentials in world-readable file.
  12. CVE-2005-1828 : Password in cleartext in config file.
  13. CVE-2005-2209 : Password in cleartext in config file.
  14. CVE-2002-1696 : Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.
  15. CVE-2004-2397 : Plaintext storage of private key and passphrase in log file when user imports the key.
  16. CVE-2002-1800 : Admin password in plaintext in a cookie.
  17. CVE-2001-1537 : Default configuration has cleartext usernames/passwords in cookie.
  18. CVE-2001-1536 : Usernames/passwords in cleartext in cookies.
  19. CVE-2005-2160 : Authentication information stored in cleartext in a cookie.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  Plaintext Storage of Sensitive Information
 
 

References:

  1. M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 9, "Protecting Secret Data" Page 299'. Published on 2002.
  2. Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 2, "Common Vulnerabilities of Encryption", Page 43.'. Published on 2006.
CVE    243
CVE-2011-2916
CVE-2011-5247
CVE-2016-3192
CVE-2008-7272
...

© SecPod Technologies