Kingdom: Security Features
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Credential Management
Abstract
Storing a username in plain text could result in a system compromise.
Explanation
Credential management issues occur when a username is accepted from a user or is stored in plain text in an application's configuration files or database.
Example: The following code reads a username from a web form and uses the username to connect to a database.
<!--- Read the credentials for the "users" datasource from a table in the "master" datasource --->
<cfquery name = "GetCredentials" dataSource = "master">
SELECT Username, Password
FROM Credentials
WHERE DataSource="users"
</cfquery>
...
<!--- Use the plain text Username and Password just read to connect to the "users" datasource --->
<cfquery name = "GetSSNs" dataSource = "users"
username = "#Username#" password = "#Password#">
SELECT SSN
FROM Users
</cfquery>
...
This code will run successfully, but anyone who has access to the table master can read the value of Username and Password. Any devious employee with access to this information can use it to break into the system.
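The two halves of this pattern (a query that selects a password column out of a table, and a later cfquery that passes those values as its username and password attributes) can be flagged with a simple source scan. The following Python script is an added example, not part of this page or of any analysis tool; it uses a heuristic regular-expression match rather than real dataflow analysis, and runs over a constructed CFML sample modelled on the listing above.

```python
import re

# Constructed sample modelled on the page's listing: a query that reads stored
# credentials, a query that connects with them, and one that does neither.
SAMPLE_CFML = """
<cfquery name = "GetCredentials" dataSource = "master">
SELECT Username, Password
FROM Credentials
WHERE DataSource="users"
</cfquery>
<cfquery name = "GetSSNs" dataSource = "users"
username = "#Username#" password = "#Password#">
SELECT SSN
FROM Users
</cfquery>
<cfquery name = "GetNames" dataSource = "users">
SELECT Name FROM Users
</cfquery>
"""

# Opening tag, its attribute text, and the SQL body up to the closing tag.
CFQUERY = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# The SELECT list, so that a WHERE clause mentioning a password is not counted.
SELECT_LIST = re.compile(r"\bSELECT\b(.*?)\bFROM\b", re.IGNORECASE | re.DOTALL)
SECRET_NAMES = re.compile(r"\b(password|passwd|pwd|secret)\b", re.IGNORECASE)


def find_credential_issues(source):
    """Return (query name, issue) pairs for each half of the pattern found."""
    findings = []
    for attr_text, sql in CFQUERY.findall(source):
        attrs = {k.lower(): v for k, v in ATTR.findall(attr_text)}
        name = attrs.get("name", "<unnamed>")
        select_list = SELECT_LIST.search(sql)
        if select_list and SECRET_NAMES.search(select_list.group(1)):
            findings.append((name, "selects a password column: credentials stored in plain text"))
        if "username" in attrs or "password" in attrs:
            how = "interpolated" if "#" in attrs.get("password", "") else "literal"
            findings.append((name, f"passes {how} credentials in the cfquery tag"))
    return findings


if __name__ == "__main__":
    for query, issue in find_credential_issues(SAMPLE_CFML):
        print(f"{query}: {issue}")
```

A hit on the first check points at the table holding plain text credentials; a hit on the second points at the code that should instead rely on a datasource whose credentials are configured outside the application.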