[ https://issues.apache.org/jira/browse/JSPWIKI-74?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Florian Holeczek closed JSPWIKI-74.
-----------------------------------
> Ounce Labs Security Finding: Cryptography - Poor Entropy
> --------------------------------------------------------
>
> Key: JSPWIKI-74
> URL: https://issues.apache.org/jira/browse/JSPWIKI-74
> Project: JSPWiki
> Issue Type: Bug
> Affects Versions: 2.4.104
> Reporter: Cristian Borlovan
> Assignee: Andrew Jaquith
> Fix For: 2.6.0
>
> Attachments: report.pdf
>
>
> Description:
> The UniqueID generation for the spam filter is not truly random.
> Recommendation:
> Instead use java.security.SecureRandom().
> Description:
> Generation of random passwords, on password changes and administrator initial
> password uses an insecure source of randomness.
> Recommendation:
> Instead use java.security.SecureRandom().
> Related Code Locations:
> 2 findings:
> Name:
> com.ecyrd.jspwiki.filters.SpamFilter.getUniqueID():java.lang.String
> Type: Vulnerability.Cryptography.PoorEntropy
> Severity: High
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\filters\SpamFilter.java
> Line / Col: 262 / 0
> Context: rand . java.util.Random.nextInt ( 26 )
> -----------------------------------
> Name:
> com.ecyrd.jspwiki.TextUtil.generateRandomPassword():java.lang.String
> Type: Vulnerability.Cryptography.PoorEntropy
> Severity: High
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\TextUtil.java
> Line / Col: 773 / 0
> Context: RANDOM . java.util.Random.nextDouble ()
> -----------------------------------
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
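The two findings quoted above share one root cause: java.util.Random is a seeded 48-bit linear congruential generator, so every value it emits is determined by its seed and earlier outputs, which is unsuitable for passwords and spam-filter tokens. The following is an added illustration, not JSPWiki's own code: the method names mirror the flagged ones (generateRandomPassword, getUniqueID) but their bodies, the alphabet and the lengths are assumptions, with the weak pattern kept beside the SecureRandom replacement that the report recommends.

```java
import java.security.SecureRandom;
import java.util.Random;

public class PoorEntropyExample {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Weak pattern (what the scanner flagged): java.util.Random is a 48-bit LCG.
    // Its whole output stream follows from the seed, so values are predictable.
    private static final Random WEAK = new Random();

    static String weakPassword(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            // nextDouble() scaled to an index, as in the TextUtil finding
            sb.append(ALPHABET.charAt((int) (WEAK.nextDouble() * ALPHABET.length())));
        }
        return sb.toString();
    }

    // Fix: SecureRandom is a CSPRNG seeded from the platform entropy source;
    // past outputs do not reveal future ones. One shared instance is fine.
    private static final SecureRandom SECURE = new SecureRandom();

    static String generateRandomPassword(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            // nextInt(bound) gives a uniform index without floating-point scaling
            sb.append(ALPHABET.charAt(SECURE.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    static String getUniqueID(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            // same nextInt(26) shape as the SpamFilter finding, on a secure source
            sb.append((char) ('A' + SECURE.nextInt(26)));
        }
        return sb.toString();
    }

    // Demonstrates the predictability: two Random instances with the same
    // seed yield the same stream, so a guessable seed means guessable output.
    static boolean sameSeedSameStream(long seed) {
        Random a = new Random(seed), b = new Random(seed);
        return a.nextLong() == b.nextLong();
    }

    public static void main(String[] args) {
        System.out.println("weak:   " + weakPassword(12));
        System.out.println("secure: " + generateRandomPassword(12));
        System.out.println("id:     " + getUniqueID(6));
        System.out.println("same seed, same stream: " + sameSeedSameStream(42L));
    }
}
```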