J2EE Misconfiguration: Plaintext Password in Configuration File

Status: Draft
Abstraction: Variant
Structure: Simple
Description

A J2EE application insecurely stores an unprotected password within a configuration file.

Extended Description

This misconfiguration occurs when a developer writes a password directly into a configuration file (like XML or .properties) without any encryption. Since these files are often needed for the application to start, they are frequently readable by other processes or users on the system, exposing the credential in clear text. Anyone with access to this file, such as a system administrator, a different application on the same server, or an attacker who gains a foothold, can immediately read and use the password. This bypasses all security controls for the protected resource, such as a database, making it a trivial target for compromise.

Common Consequences

Scope: Access Control
Impact: Bypass Protection Mechanism

Potential Mitigations

Phase: Architecture and Design
Do not hardwire passwords into your software.

Phase: Architecture and Design
Use industry standard libraries to encrypt passwords before storage in configuration files.

Demonstrative Examples

Below is a snippet from a Java properties file in which the LDAP server password is stored in plaintext.

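As an added example, not part of the CWE entry, the following Java audit routine loads a properties file and reports credential-like keys whose values are stored in clear text, accepting only values that are either marked as ciphertext or externalized to the environment. The `ENC(...)` marker, the `${ENV:VAR}` placeholder syntax and the key-name heuristic are conventions assumed for this example, and the sample properties are constructed inline.

```java
import java.io.*;
import java.util.*;
import java.util.regex.Pattern;

public class PlaintextPasswordAudit {
    // Key names that usually carry a credential (heuristic assumed for this example).
    private static final Pattern CREDENTIAL_KEY =
        Pattern.compile("(?i)(password|passwd|pwd|secret|credential)");
    // Acceptable values: ciphertext marked ENC(...) (Jasypt-style convention, assumed here)
    // or a ${ENV:VAR} placeholder resolved from the process environment at startup.
    private static final Pattern PROTECTED_VALUE =
        Pattern.compile("^(ENC\\(.+\\)|\\$\\{ENV:[A-Za-z_][A-Za-z0-9_]*\\})$");

    /** Returns the keys whose value is a credential stored in clear text. */
    public static List<String> findPlaintextCredentials(Properties props) {
        List<String> findings = new ArrayList<>();
        for (String key : props.stringPropertyNames()) {
            String value = props.getProperty(key, "").trim();
            if (CREDENTIAL_KEY.matcher(key).find() && !value.isEmpty()
                    && !PROTECTED_VALUE.matcher(value).matches()) {
                findings.add(key);
            }
        }
        Collections.sort(findings);
        return findings;
    }

    /** Resolves a ${ENV:VAR} placeholder; an ENC(...) value would be handed to the
     *  application's decryption library instead (not shown). Fails closed if unset. */
    public static String resolveEnv(String value) {
        if (!value.startsWith("${ENV:") || !value.endsWith("}")) return value;
        String var = value.substring(6, value.length() - 1);
        String resolved = System.getenv(var);
        if (resolved == null) throw new IllegalStateException("unset variable: " + var);
        return resolved;
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample: an LDAP password in clear text beside two protected values.
        String sample = String.join("\n",
            "ldap.url=ldap://ldap.example.invalid:389",
            "ldap.username=cn=admin,dc=example,dc=com",
            "ldap.password=hunter2",
            "db.password=${ENV:DB_PASSWORD}",
            "smtp.password=ENC(constructedCiphertextPlaceholder)");
        Properties props = new Properties();
        props.load(new StringReader(sample));
        System.out.println("Clear-text credentials: " + findPlaintextCredentials(props));
    }
}
```

Run against the constructed sample, only `ldap.password` is reported; the same check can be wired into a build step so a clear-text credential fails the build before the file is deployed.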
Modes of Introduction

Phase: Architecture and Design
Phase: Implementation

Related Weaknesses