DerScanner
Home / Vulnerability Database / Config files : Empty password in configuration file
Config files

Config files : Empty password in configuration file

Classification

OWASP Top 10 2013
A2-Broken Authentication and Session ManagementA6-Sensitive Data Exposure
OWASP Top 10 2017
A2-Broken AuthenticationA3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure DesignA7-Identification and Authentication Failures
OWASP ASVS
AuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthentication
PCI DSS 4.0
6.5.66.2.48.3.2
HIPAA
§164.312 (a)(1)
CWE
CWE-256CWE-257CWE-260CWE-522CWE-798CWE-1028CWE-1032
CWE/SANS Top 25 2011
CWE-798
CWE/SANS Top 25 2021
CWE-522CWE-798

Overview

Saving an empty plaintext password inside the configuration file can lead to a system vulnerability.

An empty password may lead to an application compromise.

Eliminating the security risks related to hardcoded empty passwords is extremely difficult. The information that a certain account accepts an empty password is accessible to at least every developer of the application. Moreover, after the application is installed, removing an empty password from its code is possible only via an update. Constant strings are easily extracted from the compiled application by decompilers. Therefore, an attacker does not necessarily need to have an access to the source code to know parameters of the special account. If these parameters become known to an attacker, system administrators will be forced either to neglect the safety, or to restrict the access to the application.

In case of a mobile application, security threat is even higher, considering the risk of the device loss.

References

  1. Password Plaintext Storage-OWASP
  2. CWE-798: Use of Hard-coded Credentials
  3. CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication
  4. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
  5. CWE-256: Unprotected Storage of Credentials
  6. CWE-260: Password in Configuration File
MEDIUM

DerScanner Severity Score

Do you want to fix Config files : Empty password in configuration file in your application?

See also

Config files

Config files : Text4Shell Vulnerability

Config files

Config files : Incorrect directory deletion

Config files

Config files : Code injection