Posted to dev@poi.apache.org by bu...@apache.org on 2017/02/07 09:27:16 UTC
[Bug 60700] New: Security: hardcoded password in class org.apache.poi.poifs.crypt.CryptoFunctions
https://bz.apache.org/bugzilla/show_bug.cgi?id=60700
Bug ID: 60700
Summary: Security: hardcoded password in class org.apache.poi.poifs.crypt.CryptoFunctions
Product: POI
Version: 3.15-FINAL
Hardware: PC
OS: All
Status: NEW
Severity: critical
Priority: P2
Component: POIFS
Assignee: dev@poi.apache.org
Reporter: linianemail@qq.com
Target Milestone: ---
Using Fortify to scan the POI 3.15 source code files, you will find a critical
security issue for a hardcoded password.
In method org.apache.poi.poifs.crypt.CryptoFunctions.hashPassword(String, HashAlgorithm, byte[], int, boolean):

    // If no password was given, use the default
    if (password == null) {
        password = Decryptor.DEFAULT_PASSWORD;
    }
Passwords should never be hardcoded and should generally be obfuscated and
managed in an external source. Storing passwords in plaintext anywhere on the
system allows anyone with sufficient permissions to read and potentially misuse
the password.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 60700] Security: hardcoded password in class org.apache.poi.poifs.crypt.CryptoFunctions
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60700
Nick Burch <ap...@gagravarr.org> changed:
What        | Removed | Added
------------|---------|---------
Status      | NEW     | RESOLVED
Resolution  | ---     | INVALID
--- Comment #1 from Nick Burch <ap...@gagravarr.org> ---
This is the default password for all Microsoft Office files, which can be found
in the official Microsoft documentation, or in about 5 seconds with a Google
search. As such, this is not a security issue.
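As an added example (not code from the bug report or from POI itself), the class below (a) confirms the fallback quoted in the report, that hashing a null password yields the same hash as hashing Decryptor.DEFAULT_PASSWORD explicitly, and (b) shows the practical consequence for a defender: an encrypted OLE2 container that opens with the publicly documented default password provides no confidentiality and should be treated as plaintext by scanners. It assumes POI 3.15 or later on the classpath; the salt, spin count and file path are constructed placeholders.

```java
// Added example, not part of the bug report or of POI. Assumes POI 3.15+.
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;

import org.apache.poi.poifs.crypt.CryptoFunctions;
import org.apache.poi.poifs.crypt.Decryptor;
import org.apache.poi.poifs.crypt.EncryptionInfo;
import org.apache.poi.poifs.crypt.HashAlgorithm;
import org.apache.poi.poifs.filesystem.POIFSFileSystem;

public class DefaultPasswordCheck {

    /** True if hashPassword(null, ...) equals hashPassword(DEFAULT_PASSWORD, ...),
     *  i.e. the fallback quoted in the report. Salt and spin count are constructed. */
    public static boolean nullPasswordUsesDefault() {
        byte[] salt = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
        int spinCount = 100000;
        byte[] fromNull = CryptoFunctions.hashPassword(
                null, HashAlgorithm.sha1, salt, spinCount, true);
        byte[] fromDefault = CryptoFunctions.hashPassword(
                Decryptor.DEFAULT_PASSWORD, HashAlgorithm.sha1, salt, spinCount, true);
        return Arrays.equals(fromNull, fromDefault);
    }

    /**
     * Classifies an OLE2 container (throws IOException for non-OLE2 input):
     *   "not-encrypted"      - no EncryptionInfo stream at all
     *   "default-password"   - encrypted, but opens with the documented default,
     *                          so it should be scanned like an unprotected file
     *   "password-protected" - encrypted with some other password
     */
    public static String classify(File f) throws IOException, GeneralSecurityException {
        try (POIFSFileSystem fs = new POIFSFileSystem(f, true)) {   // true = read-only
            if (!fs.getRoot().hasEntry("EncryptionInfo")) {
                return "not-encrypted";
            }
            EncryptionInfo info = new EncryptionInfo(fs);
            Decryptor d = Decryptor.getInstance(info);
            return d.verifyPassword(Decryptor.DEFAULT_PASSWORD)
                    ? "default-password" : "password-protected";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("null falls back to default: " + nullPasswordUsesDefault());
        File f = new File(args.length > 0 ? args[0] : "/path/to/sample.xlsx"); // placeholder
        System.out.println(f + ": " + classify(f));
    }
}
```

Binary BIFF8 (.xls) encryption uses a different mechanism and is not covered by the EncryptionInfo check above.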