Use of hard-coded passwords, MD5, and HTTP #250
Comments
I also noticed instances of MD5 uses in one of the Puppet scripts. MD5 is vulnerable to attacks, and should be avoided. The Common Weakness Enumeration organization recommends against usage of weak cryptographic algorithms such as MD5. Ref: https://cwe.mitre.org/data/definitions/327.html. I suggest the use of SHA512, which is more secure. Any feedback is appreciated. Here is where I noticed MD5 use: https://github.com/biemond/biemond-wildfly/blob/master/manifests/config/user.pp
I also found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used? Is it because of lack of tool support? I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP? Any feedback is appreciated. Source: https://github.com/biemond/biemond-wildfly/blob/master/manifests/init.pp
There is a pull request out there:
Excellent. Thanks for the feedback. I am closing the issue, but please re-open if further discussion is necessary.
I am a security researcher, who is looking for security smells in Puppet scripts.
I noticed two instances of hard-coded passwords, which are against the best practices
recommended by Common Weakness Enumeration (CWE) [https://cwe.mitre.org/data/definitions/259.html] and also by other security practitioners.
I have added hiera support to mitigate this smell. Feedback is welcome.
Pull request: #249
Here is where I noticed hard-coded passwords: https://github.com/biemond/biemond-wildfly/blob/v0.5.x/manifests/params.pp
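The three smells raised in this issue (hard-coded passwords, MD5 in a manifest, and plain http:// URLs) can be caught mechanically before a pull request is opened. The following Python scanner is an added example written for this page; it is not code from the biemond-wildfly project or from the issue author. The regular expressions are heuristics I chose for the example, the manifest it scans is a constructed sample (not the project's params.pp, user.pp or init.pp), and the `<module>` prefix in the suggested `lookup()` call is a placeholder the reader fills in with the real module name.

```python
"""Scan Puppet manifest text for three security smells discussed in the issue:
hard-coded secrets (CWE-259), weak hash functions (CWE-327) and cleartext
http:// URLs (CWE-319). Heuristic, regex-based; constructed example code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int          # 1-based line number inside the scanned text
    cwe: str           # CWE identifier of the weakness
    message: str       # what was matched
    remediation: str   # suggested replacement pattern


# Variable names that usually carry credentials (assumption: naming heuristic).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|credential", re.IGNORECASE)
# `$name = 'literal'` or `$name = "literal"`; group 3 is the literal body.
# A `lookup(...)` or function call on the right-hand side does not match.
ASSIGNMENT = re.compile(r"^\s*\$(\w+)\s*=\s*(['\"])(.*?)\2")
# Calls to hash functions CWE-327 advises against.
WEAK_HASH = re.compile(r"\b(md5|sha1)\s*\(", re.IGNORECASE)
# A quoted URL that starts with http:// (https:// deliberately does not match).
CLEARTEXT_URL = re.compile(r"['\"]http://", re.IGNORECASE)


def _strip_comment(line: str) -> str:
    """Drop a trailing Puppet '#' comment (naive: ignores '#' inside strings)."""
    return line.split("#", 1)[0]


def scan_manifest(text: str) -> list:
    """Return one Finding per matched smell, in line order."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = _strip_comment(raw)
        m = ASSIGNMENT.match(line)
        if m and SECRET_NAME.search(m.group(1)) and m.group(3).strip():
            name = m.group(1)
            findings.append(Finding(
                number, "CWE-259",
                f"hard-coded secret assigned to ${name}",
                # Puppet's lookup() reads the value from hiera instead of the manifest.
                f"${name} = lookup('<module>::{name}')"))
        h = WEAK_HASH.search(line)
        if h:
            findings.append(Finding(
                number, "CWE-327",
                f"weak hash function {h.group(1)}()",
                "replace with sha512() (or a purpose-built password hash)"))
        if CLEARTEXT_URL.search(line):
            findings.append(Finding(
                number, "CWE-319",
                "cleartext http:// URL",
                "fetch over https:// so the download is authenticated and encrypted"))
    return findings


def count_by_cwe(findings) -> dict:
    """Summarise findings as {cwe: count}."""
    counts = {}
    for f in findings:
        counts[f.cwe] = counts.get(f.cwe, 0) + 1
    return counts


# Constructed sample manifest: stands in for a module's params class, not the
# project's real files. Lines 3, 5 and 6 carry one smell each; lines 7-9 are clean.
SAMPLE_MANIFEST = """\
class example::params {
  $mgmt_user = 'wildfly'
  $mgmt_password = 'wildfly'
  $java_home = '/usr/lib/jvm/java'
  $download_url = 'http://example.invalid/wildfly.tar.gz'
  $password_hash = md5($mgmt_password)
  $safe_password = lookup('example::mgmt_password')
  $safe_url = 'https://example.invalid/wildfly.tar.gz'
  # md5 mentioned in a comment only, so it is not reported
}
"""

if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_MANIFEST):
        print(f"line {f.line}: {f.cwe} {f.message} -> {f.remediation}")
    print(count_by_cwe(scan_manifest(SAMPLE_MANIFEST)))
```

The scanner is intentionally conservative: a secret-looking variable is only reported when a non-empty string literal is assigned directly, so a value already moved to hiera via `lookup()` passes, and `https://` URLs are never flagged. Running it over a module's `manifests/` directory as a pre-commit step catches all three weaknesses from this issue at the point where they are cheapest to fix.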