Misconfigured Database
What does this mean?
When the database connection relies on password authentication, a strong password should be chosen.
What can happen?
The DB Config vulnerability is serious because it is an easy target for database attacks: when a weak password is used, threat actors can gain access to the database.
Recommendation
Choose a strong password for the database and do not hard-code passwords in the source code; load them from configuration or the environment at runtime, as the non-vulnerable samples below do.
Sample Code
Vulnerable (C#):
// Vulnerable: the connection string embeds a literal, weak password ("password")
// directly in source, so anyone with read access to the code or its history holds
// the database credential, and rotating it requires a rebuild.
string connectionString = "Server=localhost;Database=mydatabase;User Id=dbuser;Password=password";
SqlConnection conn = new SqlConnection(connectionString);
conn.Open();
Non Vulnerable (C#):
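// Non-vulnerable: the connection string (password included) is read from the
// application configuration at runtime instead of being compiled into the binary.
// The configuration file still holds the secret, so keep it out of source control
// and restrict who can read it.
ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["mydatabase"];
// A missing entry would otherwise surface as a NullReferenceException far from
// the real cause; report the misconfiguration explicitly.
if (settings == null)
{
    throw new InvalidOperationException("Connection string 'mydatabase' is not configured.");
}
string connectionString = settings.ConnectionString;
SqlConnection conn = new SqlConnection(connectionString);
conn.Open();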
Vulnerable (Java):
// Vulnerable: the password comes from a compile-time constant (Constants.a), which is
// still a hard-coded secret, merely stored one hop away from the call site.
Connection conn = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", "AppLogin", Constants.a);
// Vulnerable: the credentials are embedded in the JDBC URL, and the password is empty.
Connection conn2 = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true?user=user&password=");
Non Vulnerable (Java):
/** Constructor; no connection is opened here. */
public DBConfig() throws SQLException {
}
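/**
 * Opens the two connections with credentials supplied by the environment
 * (DB_USERNAME / DB_PASSWORD) rather than embedded in the JDBC URL, matching
 * the other non-vulnerable samples on this page.
 *
 * @throws SQLException if either connection cannot be opened
 * @throws IllegalStateException if the credentials are not set in the environment
 */
public void test() throws SQLException {
    String user = System.getenv("DB_USERNAME");
    String password = System.getenv("DB_PASSWORD");
    // An unset variable would otherwise silently become a null password.
    if (user == null || password == null) {
        throw new IllegalStateException("DB_USERNAME and DB_PASSWORD must be set");
    }
    // try-with-resources closes each connection even if the second open fails.
    try (Connection derby = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", user, password);
         Connection mysql = DriverManager.getConnection(
             "jdbc:mysql://address=(host=myhost1)(port=1111)(key1=value1),address=(host=myhost2)(port=2222)(key2=value2)/db",
             user, password)) {
        // Connections are established on open; the sample only demonstrates credential handling.
    }
}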
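/**
 * Connects to PostgreSQL with the user name and password taken from the
 * environment and passed as driver properties, so neither appears in source
 * or in the URL.
 *
 * @throws SQLException if the connection cannot be opened
 * @throws IllegalStateException if DB_USERNAME or DB_PASSWORD is not set
 */
public void test2() throws SQLException {
    String url = "jdbc:postgresql://localhost/test";
    String user = System.getenv("DB_USERNAME");
    String password = System.getenv("DB_PASSWORD");
    // Omitting the password property would make the driver attempt a password-less login.
    if (user == null || password == null) {
        throw new IllegalStateException("DB_USERNAME and DB_PASSWORD must be set");
    }
    Properties props = new Properties();
    props.setProperty("user", user);
    props.setProperty("password", password);
    try (Connection conn = DriverManager.getConnection(url, props)) {
        // Opened and closed; the sample only demonstrates credential handling.
    }
}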
Vulnerable (PHP):
// Vulnerable: every connection parameter, including the password, is a string
// literal in the source, and the password itself ("password") is trivially weak.
$host = "localhost";
$user = "dbuser";
$password = "password";
$dbname = "mydatabase";
$conn = mysqli_connect($host, $user, $password, $dbname);
Non Vulnerable (PHP):
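// Non-vulnerable: credentials are injected through the environment at runtime.
// getenv() returns false for an unset variable, and mysqli_connect() would then
// quietly try an empty password, so fail loudly instead.
$host = getenv("DB_HOST");
$user = getenv("DB_USERNAME");
$password = getenv("DB_PASSWORD");
$dbname = getenv("DB_DATABASE");
if ($host === false || $user === false || $password === false || $dbname === false) {
    throw new RuntimeException("DB_HOST, DB_USERNAME, DB_PASSWORD and DB_DATABASE must be set");
}
$conn = mysqli_connect($host, $user, $password, $dbname);
if ($conn === false) {
    // mysqli_connect_error() carries the driver message; never include the credentials.
    throw new RuntimeException("Database connection failed: " . mysqli_connect_error());
}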
Vulnerable (Node.js):
// Vulnerable: the database password is a string literal committed with the code,
// and it is a weak, guessable value ('password').
const mysql = require('mysql');
const connection = mysql.createConnection({
host: 'localhost',
user: 'dbuser',
password: 'password',
database: 'mydatabase'
});
connection.connect();
Non Vulnerable (Node.js):
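// Non-vulnerable: connection settings come from the process environment, so no
// secret is compiled into the source or its history.
const mysql = require('mysql');

// An unset variable would otherwise become `undefined` and the driver would try
// to connect without a password; fail early with a clear message instead.
const required = ['DB_HOST', 'DB_USERNAME', 'DB_PASSWORD', 'DB_DATABASE'];
const missing = required.filter((name) => process.env[name] === undefined);
if (missing.length > 0) {
  throw new Error(`Missing database environment variables: ${missing.join(', ')}`);
}

const connection = mysql.createConnection({
  host: process.env.DB_HOST,
  user: process.env.DB_USERNAME,
  password: process.env.DB_PASSWORD,
  database: process.env.DB_DATABASE,
});

// Surface connection errors instead of leaving the failure unobserved.
connection.connect((err) => {
  if (err) {
    throw new Error('Database connection failed', { cause: err });
  }
});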
Vulnerable (Go):
// Vulnerable: the user name, password and host are string literals formatted
// straight into the DSN, so the secret lives in the source. sslmode=disable
// additionally turns off TLS, so the whole session, authentication exchange
// included, travels unencrypted.
dsn := fmt.Sprintf("user=%s password=%s host=%s dbname=%s sslmode=%s",
"dbuser", "password", "localhost", "mydatabase", "disable")
db, err := sql.Open("postgres", dsn)
if err != nil {
log.Fatal(err)
}
// sql.Open may not contact the server at all; Ping is what actually authenticates.
err = db.Ping()
if err != nil {
log.Fatal(err)
}
Non Vulnerable (Go):
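// Non-vulnerable: every connection parameter is read from the environment at
// runtime instead of being compiled into the binary.
host := os.Getenv("DB_HOST")
user := os.Getenv("DB_USERNAME")
password := os.Getenv("DB_PASSWORD")
dbname := os.Getenv("DB_DATABASE")
// os.Getenv returns "" for an unset variable, which would silently become an
// empty password; refuse to start instead.
if host == "" || user == "" || password == "" || dbname == "" {
	log.Fatal("DB_HOST, DB_USERNAME, DB_PASSWORD and DB_DATABASE must be set")
}
// TLS mode is configurable as well (variable name chosen to match the other
// DB_* settings); default to requiring it so the authentication exchange is
// not sent over an unencrypted session.
sslmode := os.Getenv("DB_SSLMODE")
if sslmode == "" {
	sslmode = "require"
}
dsn := fmt.Sprintf("user=%s password=%s host=%s dbname=%s sslmode=%s",
	user, password, host, dbname, sslmode)
db, err := sql.Open("postgres", dsn)
if err != nil {
	log.Fatal(err)
}
// Release the pool when the enclosing function returns.
defer db.Close()
// sql.Open may not contact the server at all; Ping is what actually authenticates.
err = db.Ping()
if err != nil {
	log.Fatal(err)
}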
Vulnerable (Ruby):
# Vulnerable: the password (and every other parameter) is a literal in source,
# and 'password' is a trivially guessable value.
require 'pg'
conn = PG.connect(
host: 'localhost',
dbname: 'mydatabase',
user: 'dbuser',
password: 'password'
)
Non Vulnerable (Ruby):
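# Non-vulnerable: connection parameters are taken from the environment at runtime.
# ENV.fetch raises KeyError when a variable is unset, where ENV['...'] would
# silently pass nil and let the driver attempt a password-less login.
require 'pg'
conn = PG.connect(
  host: ENV.fetch('DB_HOST'),
  dbname: ENV.fetch('DB_DATABASE'),
  user: ENV.fetch('DB_USERNAME'),
  password: ENV.fetch('DB_PASSWORD')
)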