MooTools Hardcoded Credentials In URI Object
anugu-vijaykanth opened this issue · 1 comments
Stratos Version
4.4.0
Frontend Deployment type
- Cloud Foundry Application (cf push)
- Kubernetes, using a helm chart
- Docker, single container deploying all components
- npm run start
- Other (please specify below)
Backend (Jet Stream) Deployment type
- Cloud Foundry Application (cf push)
- Kubernetes, using a helm chart
- Docker, single container deploying all components
- Other (please specify below)
Expected behaviour
Rather than hard-coding the user name or password in the code itself, encrypt it, place it in a secure location, and make the code obtain the user name or password. You can place the user name and password in a hardened database server or in a secured file within a hardened file server.
Another technique is to prompt the user for login credentials and use that data for the user name and password values. Note that any user input should be validated and sanitized before being used in the code. This also applies to user credentials such as user names and passwords.
Make sure that when you prompt the user for their credentials, you pass these credentials to the server using SSL.
Actual behaviour
The URI.set() method contains a hard-coded user name or password. This is dangerous if an attacker or a malicious internal employee could gain access to this code and locate this user name or password in the code. The attacker could use it to break into the system with which that user name or password is associated.
Example Code
<script language="javascript">
...
secureURI.set('user', 'admin');
secureURI.set('password', 'passw0rd');
...
</script>
Steps to reproduce the behavior
cfmr-ui\src\frontend\packages\store\src\effects\uaa-setup.effects.ts:75
Log output covering before error and any error statements
Insert log here
Detailed Description
MooTools Hardcoded Credentials In URI Object
Context
Possible Implementation
deleting it
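As an added example, not code from the Stratos project or from this issue: a small source-level check for the pattern the scanner reports (a URI.set('user' | 'password', ...) call whose value is a string literal), run over a constructed sample, beside the runtime-supplied form that the Expected behaviour section describes. The URI object, the credential field names and the sample lines are assumptions.

```javascript
// Regex for <obj>.set('user'|'password', <value>); captures the value expression.
const CREDENTIAL_SET_RE = /\.set\(\s*(['"])(user|password)\1\s*,\s*([^)]*?)\s*\)/g;
// True when the value expression is a plain quoted string literal.
const STRING_LITERAL_RE = /^(['"`])(?:(?!\1).)*\1$/;

// Scan source text line by line and report credential fields set from a
// string literal. A value that is an identifier or expression (a variable
// read from configuration or from a login form) is not reported.
function findHardcodedUriCredentials(source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    for (const match of line.matchAll(CREDENTIAL_SET_RE)) {
      const [, , field, value] = match;
      if (STRING_LITERAL_RE.test(value)) {
        findings.push({ line: index + 1, field, value });
      }
    }
  });
  return findings;
}

// Hardened form: the credentials object is supplied at runtime (from a
// secured configuration store or a login prompt), so no literal user name
// or password appears in the source. `uri` is any object with a set(key, value)
// method, as in the MooTools URI class (assumption: only that method is used).
function applyCredentials(uri, creds) {
  if (!creds || typeof creds.user !== 'string' || typeof creds.password !== 'string') {
    throw new Error('credentials must be supplied at runtime, not hard-coded');
  }
  uri.set('user', creds.user);
  uri.set('password', creds.password);
  return uri;
}

// Constructed sample source resembling the scanner's example (not Stratos code).
const SAMPLE_SOURCE = [
  "const secureURI = new URI('https://api.example.test/');",
  "secureURI.set('user', 'admin');",          // reported: literal user name
  "secureURI.set('password', 'passw0rd');",   // reported: literal password
  "secureURI.set('user', credentials.user);", // not reported: runtime value
  "secureURI.set('path', '/v2/info');",       // not reported: not a credential field
].join('\n');

// Run the check over the sample.
for (const hit of findHardcodedUriCredentials(SAMPLE_SOURCE)) {
  console.log(`line ${hit.line}: hard-coded ${hit.field} ${hit.value}`);
}
```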