Cleartext Storage of Sensitive Information
ID: 312 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere, when the information should be encrypted or otherwise protected.
Extended Description
Because the information is stored in cleartext, attackers could potentially read it.
Applicable Platforms None
Time Of Introduction
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|
Confidentiality | Read application data | An attacker with access to the system could read sensitive information stored in cleartext. |
Detection Methods None
Potential Mitigations None
Relationships
Related CWE | Type | View | Chain |
---|
CWE-312 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code attempts to establish a connection, read in a password, then store it to a buffer. (Demonstrative Example Id DX-41)
- The following code excerpt stores a plaintext user account ID in a browser cookie. (Demonstrative Example Id DX-44)
- The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in plaintext. (Demonstrative Example Id DX-43)
- This code writes a user's login information to a cookie so the user does not have to log in again later. (Demonstrative Example Id DX-40)
Observed Examples
- CVE-2009-2272 : password and username stored in cleartext in a cookie
- CVE-2009-1466 : password stored in cleartext in a file with insecure permissions
- CVE-2009-0152 : chat program disables SSL in some circumstances even when the user says to use SSL.
- CVE-2009-1603 : Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
- CVE-2009-0964 : storage of unencrypted passwords in a database
- CVE-2008-6157 : storage of unencrypted passwords in a database
- CVE-2008-6828 : product stores a password in cleartext in memory
- CVE-2008-1567 : storage of a secret key in cleartext in a temporary file
- CVE-2008-0174 : SCADA product uses HTTP Basic Authentication, which is not encrypted
- CVE-2007-5778 : login credentials stored unencrypted in a registry key
- CVE-2001-1481 : Plaintext credentials in world-readable file.
- CVE-2005-1828 : Password in cleartext in config file.
- CVE-2005-2209 : Password in cleartext in config file.
- CVE-2002-1696 : Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.
- CVE-2004-2397 : Plaintext storage of private key and passphrase in log file when user imports the key.
- CVE-2002-1800 : Admin password in plaintext in a cookie.
- CVE-2001-1537 : Default configuration has cleartext usernames/passwords in cookie.
- CVE-2001-1536 : Usernames/passwords in cleartext in cookies.
- CVE-2005-2160 : Authentication information stored in cleartext in a cookie.
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|
PLOVER | | Plaintext Storage of Sensitive Information | |
References:
- M. Howard, D. LeBlanc. Writing Secure Code, 2nd Edition. Microsoft. Section: Chapter 9, "Protecting Secret Data", Page 299. Published 2002.
- Mark Dowd, John McDonald, Justin Schuh. The Art of Software Security Assessment, 1st Edition. Addison Wesley. Section: Chapter 2, "Common Vulnerabilities of Encryption", Page 43. Published 2006.