Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Credential Management

Abstract
Storing a username in plain text could result in a system compromise.
Explanation
Credential management issues occur when a username is accepted from a user or is stored in plain text in an application's configuration files or database.
Example: The following code reads a username from a web form and uses the username to connect to a database.

<cfquery name = "GetCredentials" dataSource = "master">
SELECT Username, Password
FROM Credentials
WHERE DataSource="users"
</cfquery>
...
<cfquery name = "GetSSNs" dataSource = "users"
username = "#Username#" password = "#Password#">
SELECT SSN
FROM Users
</cfquery>
...

This code will run successfully, but anyone who has access to the table master can read the value of Username and Password. Any devious employee with access to this information can use it to break into the system.
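The hardened counterpart of the snippet above, as an added example rather than code from the original page: the "users" data source is assumed to be registered in the ColdFusion Administrator (which keeps its credentials in its own protected configuration), and DB_USER / DB_PASSWORD are assumed environment variable names for the fallback case.

```cfml
<!--- Added example, not from the original page. Preferred form: the "users"
      data source is assumed to be defined in the ColdFusion Administrator,
      so the application never reads a Credentials table and never passes
      username/password attributes on the query. --->
<cfquery name = "GetSSNs" dataSource = "users">
SELECT SSN
FROM Users
</cfquery>

<!--- Fallback when credentials must be supplied at runtime: take them from
      the process environment (DB_USER / DB_PASSWORD are assumed names)
      rather than from a plain-text table, and fail closed if they are absent
      so a misconfigured deployment cannot silently fall back to stored
      credentials. --->
<cfset sys = createObject("java", "java.lang.System")>
<cfset dbUser = sys.getenv("DB_USER")>
<cfset dbPassword = sys.getenv("DB_PASSWORD")>
<cfif NOT isDefined("dbUser") OR NOT isDefined("dbPassword")>
<cfthrow type = "ConfigurationError"
message = "Database credentials are not configured in the environment.">
</cfif>
<cfquery name = "GetSSNs" dataSource = "users"
username = "#dbUser#" password = "#dbPassword#">
SELECT SSN
FROM Users
</cfquery>
```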
desc.dataflow.cfml.credential_management