
Weak Cryptography used for Password (base64_encode)


Password or key management issues occur when a password or key is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password or key management problem by obscuring the password or key with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password or key. An attacker can easily gain access to the system by breaking the encryption.

 

Example : $user_pass = base64_encode($auth_username . ":" . $auth_password);

 

$user_pass = base64_encode was traced in vendor\magento\framework\HTTP\Client\Curl.php (line number 173) and a few other vendor files.

 

    public function setCredentials($login, $pass)
    {
        $val = base64_encode("{$login}:{$pass}");
        $this->addHeader("Authorization", "Basic {$val}");
    }

and in the file path : vendor\magento\framework\HTTP\Client\Socket.php (Line : 179)

 

    public function setCredentials($login, $pass)
    {
        $val = base64_encode("{$login}:{$pass}");
        $this->addHeader("Authorization", "Basic {$val}");
    }

 

CWE Code : CWE-261
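
Added example, not part of the original post and not Magento code: the flagged lines build an HTTP Basic `Authorization` header, which RFC 7617 defines as the base64 of `login:password`, so the value decodes without any key and its confidentiality rests on the transport. The sketch below shows the round trip and a guard that only builds the header for `https` URLs; the function names `decodeBasicHeader` and `basicHeaderForUrl`, the URLs and the credentials are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. Function names are hypothetical, not Magento APIs.

/** Recover login and password from a Basic Authorization header value. */
function decodeBasicHeader(string $header): ?array
{
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/', $header, $m)) {
        return null;
    }
    $raw = base64_decode($m[1], true);          // strict mode rejects junk input
    if ($raw === false || strpos($raw, ':') === false) {
        return null;
    }
    // RFC 7617: the first colon separates the user-id from the password.
    [$login, $pass] = explode(':', $raw, 2);
    return ['login' => $login, 'pass' => $pass];
}

/** Build the header only when the target URL is served over TLS. */
function basicHeaderForUrl(string $url, string $login, string $pass): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'https') {
        throw new InvalidArgumentException(
            'Refusing to send Basic credentials over ' . ($scheme ?: 'an unknown scheme')
        );
    }
    if (strpos($login, ':') !== false) {
        throw new InvalidArgumentException('Login must not contain ":"');
    }
    return 'Basic ' . base64_encode("{$login}:{$pass}");
}

// Constructed sample values.
$header = basicHeaderForUrl('https://api.example.test/v1', 'svc-user', 'S3cret:with:colons');
var_dump(decodeBasicHeader($header));           // decoded with no key involved

try {
    basicHeaderForUrl('http://api.example.test/v1', 'svc-user', 'x');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;             // plain-HTTP target is rejected
}
```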