DerScanner
Home / Vulnerability Database / PHP : Unsafe password management
PHP

PHP : Unsafe password management

Classification

OWASP Top 10 2013
A2-Broken Authentication and Session ManagementA6-Sensitive Data Exposure
OWASP Top 10 2017
A2-Broken AuthenticationA3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure DesignA7-Identification and Authentication Failures
OWASP MASVS
V2: 2.2.(L1/L2/L1+R/L2+R)V8: 8.11.(L1+R/L2+R)
OWASP ASVS
Authentication
PCI DSS 4.0
6.2.48.3.28.6
HIPAA
§164.312 (a)(1)§164.312 (a)(2)(iv)
CWE
CWE-261CWE-1028CWE-1032

Overview

The application uses a password stored in plaintext in the configuration file. This can lead to the application data being compromised.

Developers often believe that the data stored in the configuration file is securely protected. This assumption simplifies the attacker’s job. Good password management guidelines require that a password never be stored in plaintext.

References

  1. OWASP Top 10 2013-A5-Security Misconfiguration
  2. OWASP Top 10 2013-A6-Sensitive Data Exposure
  3. OWASP Top 10 2017 A2-Broken Authentication
  4. OWASP Top 10 2017-A3-Sensitive Data Exposure
  5. CWE-261: Weak Encoding for Password
  6. CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication
  7. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
MEDIUM

DerScanner Severity Score

Do you want to fix PHP : Unsafe password management in your application?

See also

PHP

PHP : Null salt

PHP

PHP : Empty password

PHP

PHP : Empty salt