DerScanner
Home / Vulnerability Database / Visual Basic 6 : Undocumented feature: special account
Visual Basic 6

Visual Basic 6 : Undocumented feature: special account

Classification

OWASP ASVS
Malicious Code
PCI DSS 4.0
6.5.6
CWE
CWE-506CWE-798CWE-862
CWE/SANS Top 25 2011
CWE-798CWE-862
CWE/SANS Top 25 2021
CWE-798CWE-862

Overview

The application compares the value of the variable which stores the authentication data with a hardcoded value. This special account may be a part of a backdoor.

The application developer could have used a special account (possibly with elevated privileges) for debugging and he/she left the corresponding code sections in the final version, thus, retaining the access to the application functionality. An attacker can decompile the application, extract the hardcoded strings which specify the special account, and get access to the application.

Constant parameters (logins, passwords, keys) must not be stored in the source code of the application.

References

  1. CWE-798: Use of Hard-coded Credentials
  2. Hardcoded and Embedded Credentials - beyondtrust.com
  3. CWE-506: Embedded Malicious Code
MEDIUM

DerScanner Severity Score

Do you want to fix Visual Basic 6 : Undocumented feature: special account in your application?

See also

Visual Basic 6

Visual Basic 6 : Weak seed of random number generator

Visual Basic 6

Visual Basic 6 : Error bad handling

Visual Basic 6

Visual Basic 6 : Unsafe padding