https://bz.apache.org/bugzilla/show_bug.cgi?id=60700

            Bug ID: 60700
           Summary: Security: hardcoded password in class
                    org.apache.poi.poifs.crypt.CryptoFunctions
           Product: POI
           Version: 3.15-FINAL
          Hardware: PC
                OS: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: POIFS
          Assignee: dev@poi.apache.org
          Reporter: linianem...@qq.com
  Target Milestone: ---

If you use Fortify to scan the POI 3.15 source code files, you will find a critical
security issue for a hardcoded password.

In method org.apache.poi.poifs.crypt.CryptoFunctions.hashPassword(String,
HashAlgorithm, byte[], int, boolean):

        // If no password was given, use the default
        if (password == null) {
            password = Decryptor.DEFAULT_PASSWORD;
        }

Passwords should never be hardcoded and should generally be obfuscated and
managed in an external source. Storing passwords in plaintext anywhere on the
system allows anyone with sufficient permissions to read and potentially misuse
the password.
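A caller-side guard that makes the fallback described in the report an explicit, auditable decision rather than a silent default, plus an audit check that flags documents which open with the library's built-in password. This is an added example, not POI's own code or the reporter's; `ExplicitPasswordGuard` and its methods are hypothetical names, and the POI calls assumed are `Decryptor.DEFAULT_PASSWORD`, `new EncryptionInfo(POIFSFileSystem)`, `EncryptionInfo.getDecryptor()` and `Decryptor.verifyPassword(String)`.

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import org.apache.poi.poifs.crypt.Decryptor;
import org.apache.poi.poifs.crypt.EncryptionInfo;
import org.apache.poi.poifs.filesystem.POIFSFileSystem;

/** Hypothetical helper (not part of Apache POI) wrapping the library's password handling. */
public final class ExplicitPasswordGuard {

    private ExplicitPasswordGuard() {}

    /**
     * Returns the password to hand to POI. A null or empty password no longer falls
     * back to Decryptor.DEFAULT_PASSWORD unless the caller opts in, and an opt-in
     * is logged so the code path shows up in review and in runtime logs.
     */
    public static String requireExplicitPassword(String password, boolean allowLibraryDefault) {
        if (password != null && !password.isEmpty()) {
            return password;
        }
        if (allowLibraryDefault) {
            System.err.println("WARNING: using Decryptor.DEFAULT_PASSWORD instead of a caller-supplied password");
            return Decryptor.DEFAULT_PASSWORD;
        }
        throw new IllegalArgumentException("a document password must be supplied explicitly");
    }

    /**
     * Audit check: true when an encrypted OLE2 container can be opened with POI's
     * built-in default password, i.e. the file is protected by a well-known value
     * rather than by a secret. Useful for inventorying weakly protected documents.
     */
    public static boolean opensWithLibraryDefault(File doc) throws IOException, GeneralSecurityException {
        try (POIFSFileSystem fs = new POIFSFileSystem(doc, true)) {  // read-only
            EncryptionInfo info = new EncryptionInfo(fs);
            Decryptor decryptor = info.getDecryptor();
            return decryptor.verifyPassword(Decryptor.DEFAULT_PASSWORD);
        }
    }
}
```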
