The product stores sensitive information in cleartext in a file, or on disk.
The sensitive information could be read by attackers with access to the file, or with physical or administrator access to the raw disk. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Threat Mapped score: 3.0
Industry: Financial
Threat priority: P2 - Serious (High)
CVE: CVE-2001-1481
Cleartext credentials in world-readable file.
CVE: CVE-2005-1828
Password in cleartext in config file.
CVE: CVE-2005-2209
Password in cleartext in config file.
CVE: CVE-2002-1696
Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.
CVE: CVE-2004-2397
Cleartext storage of private key and passphrase in log file when user imports the key.
| Phase | Note |
|---|---|
| Architecture and Design | OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. |
Intro: The following examples show portions of properties and configuration files for Java and ASP.NET applications. The files contain username and password information, but it is stored in cleartext.
Body: This Java example shows a properties file with a cleartext username/password pair.

```properties
# Java Web App ResourceBundle properties file
...
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
...
```
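As an added example that is not part of the CWE entry, the following Python checker (key patterns, placeholder conventions and function names are my own assumptions) parses a Java-style properties file, flags credential-bearing keys whose values are embedded literals rather than references to an external secret source, and checks whether a file mode is world-readable, the condition behind CVE-2001-1481.

```python
import re
import stat
from typing import List, Tuple

# Keys that commonly carry credentials (assumed pattern; extend for your code base).
SENSITIVE_KEY = re.compile(r"password|passwd|pwd|secret|passphrase|token|private[_.-]?key", re.I)
# Values resolved from elsewhere: ${VAR} placeholders or Jasypt-style ENC(...) wrappers (assumed).
INDIRECT_VALUE = re.compile(r"^\$\{[^}]+\}$|^ENC\(.*\)$")

def parse_properties(text: str) -> List[Tuple[int, str, str]]:
    """Minimal Java .properties parser: (line_no, key, value) triples.
    Handles '#'/'!' comments, '=' or ':' separators and backslash continuations."""
    entries, pending, start = [], "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if pending:
            pending += line  # continuation of the previous line
        elif not line or line[0] in "#!":
            continue
        else:
            pending, start = line, no
        if pending.endswith("\\"):
            pending = pending[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", pending)
        if m:
            entries.append((start, m.group(1), m.group(2)))
        pending = ""
    return entries

def find_cleartext_secrets(text: str) -> List[Tuple[int, str]]:
    """(line_no, key) for credential-like keys whose value is an embedded literal."""
    return [(no, key) for no, key, value in parse_properties(text)
            if SENSITIVE_KEY.search(key) and value and not INDIRECT_VALUE.match(value)]

def is_world_readable(mode: int) -> bool:
    """True when the mode grants read to 'other' (e.g. 0o644), the CVE-2001-1481 condition."""
    return bool(mode & stat.S_IROTH)

# Constructed sample modelled on the page's properties file, plus a hardened ${VAR} entry.
SAMPLE = """\
# Java Web App ResourceBundle properties file
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
webapp.db.password=${DB_PASSWORD}
webapp.api.token: abc123\\
def456
webapp.smtp.password=
"""
```

Running `find_cleartext_secrets(SAMPLE)` reports the ldap password and the api token but not the `${DB_PASSWORD}` reference or the empty smtp value; in a real deployment pair this with a permission check on the file so that even a reference-only config is not world-readable.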