Posted to dev@poi.apache.org by bu...@apache.org on 2017/02/07 09:27:16 UTC

[Bug 60700] New: Security: hardcoded password in class org.apache.poi.poifs.crypt.CryptoFunctions

https://bz.apache.org/bugzilla/show_bug.cgi?id=60700

            Bug ID: 60700
           Summary: Security: hardcoded password in class
                    org.apache.poi.poifs.crypt.CryptoFunctions
           Product: POI
           Version: 3.15-FINAL
          Hardware: PC
                OS: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: POIFS
          Assignee: dev@poi.apache.org
          Reporter: linianemail@qq.com
  Target Milestone: ---

Using Fortify to scan the POI 3.15 source code files, you will find a critical
security issue for a hardcoded password.

In method org.apache.poi.poifs.crypt.CryptoFunctions.hashPassword(String,
HashAlgorithm, byte[], int, boolean):

        // If no password was given, use the default
        if (password == null) {
            password = Decryptor.DEFAULT_PASSWORD;
        }

Passwords should never be hardcoded and should generally be obfuscated and
managed in an external source. Storing passwords in plaintext anywhere on the
system allows anyone with sufficient permissions to read and potentially misuse
the password.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org


[Bug 60700] Security: hardcoded password in class org.apache.poi.poifs.crypt.CryptoFunctions

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60700

Nick Burch <ap...@gagravarr.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Nick Burch <ap...@gagravarr.org> ---
This is the default password for all Microsoft Office files, which can be found
in the official Microsoft documentation, or in about 5 seconds with a google
search. As such, this is not a security issue.

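As an added example, not code from this thread or from POI itself: a small Java audit helper that shows Nick's point from the defender's side. A container encrypted under Decryptor.DEFAULT_PASSWORD needs no user-known secret to open, so a scanner should treat such a file as unprotected rather than as encrypted. The class and method names are hypothetical, and the sample containers are constructed in memory with POI's own Encryptor.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import org.apache.poi.poifs.crypt.Decryptor;
import org.apache.poi.poifs.crypt.EncryptionInfo;
import org.apache.poi.poifs.crypt.EncryptionMode;
import org.apache.poi.poifs.crypt.Encryptor;
import org.apache.poi.poifs.filesystem.POIFSFileSystem;

/** Hypothetical audit helper (not part of POI): flags OOXML containers keyed only by the default password. */
public class DefaultPasswordAudit {

    /** True if the container is encrypted and opens with Decryptor.DEFAULT_PASSWORD,
     *  the value CryptoFunctions.hashPassword() substitutes when the password is null. */
    public static boolean opensWithDefaultPassword(InputStream in)
            throws IOException, GeneralSecurityException {
        try (POIFSFileSystem fs = new POIFSFileSystem(in)) {
            if (!fs.getRoot().hasEntry("EncryptedPackage")) {
                return false;   // plain (unencrypted) container, nothing to check
            }
            Decryptor d = Decryptor.getInstance(new EncryptionInfo(fs));
            return d.verifyPassword(Decryptor.DEFAULT_PASSWORD);
        }
    }

    /** Constructed sample: agile-encrypts payload into an in-memory OOXML container. */
    static byte[] encrypt(byte[] payload, String password)
            throws IOException, GeneralSecurityException {
        try (POIFSFileSystem fs = new POIFSFileSystem()) {
            Encryptor enc = new EncryptionInfo(EncryptionMode.agile).getEncryptor();
            enc.confirmPassword(password);
            try (OutputStream os = enc.getDataStream(fs)) {   // close() writes EncryptedPackage and EncryptionInfo
                os.write(payload);
            }
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            fs.writeFilesystem(bos);
            return bos.toByteArray();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = "constructed sample payload".getBytes("UTF-8");
        boolean weak = opensWithDefaultPassword(new ByteArrayInputStream(encrypt(payload, Decryptor.DEFAULT_PASSWORD)));
        boolean real = opensWithDefaultPassword(new ByteArrayInputStream(encrypt(payload, "user-chosen passphrase (sample)")));
        System.out.println("default password: " + weak + ", user password: " + real);
    }
}
```

The first container reports true (no secret protects it), the second false (a real passphrase is required); the same check works on any encrypted .docx/.xlsx/.pptx stream fed to opensWithDefaultPassword.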