
Misconfigured Database

What does this mean?

When the database connection relies on password authentication, a strong password must be chosen.

What can happen?

This misconfiguration is serious because a database protected by a weak password is an easy target for database attacks: threat actors can guess the password and gain access to the database.

Recommendation

Choose a strong password for the database and avoid hardcoding passwords in the source code; load them from configuration or the environment instead, as the "Non Vulnerable" samples below do.

Sample Code

Vulnerable :

// Vulnerable: the whole connection string, including the password, is a
// literal in source, and the password itself is a trivially guessable word.
// Anyone who can read this file (or the repository history) learns it.
string connectionString = "Server=localhost;Database=mydatabase;User Id=dbuser;Password=password";
SqlConnection conn = new SqlConnection(connectionString);
conn.Open();

Non Vulnerable :

// The connection string is read from the application's configuration (the
// "mydatabase" entry of connectionStrings) instead of being written in source.
// The secret now lives in that configuration file, which must itself be kept
// out of source control and access-controlled (or encrypted).
string connectionString = ConfigurationManager.ConnectionStrings["mydatabase"].ConnectionString;
SqlConnection conn = new SqlConnection(connectionString);
conn.Open();

Vulnerable :

// Vulnerable: the password comes from a constant compiled into the application
// (Constants.a), i.e. it is still hardcoded in source.
Connection conn = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", "AppLogin", Constants.a);
// Vulnerable: the URL carries an empty password ("password=").
Connection conn2 = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true?user=user&password=");

Non Vulnerable :

/**
 * No-op constructor; the connections are opened by the test methods below.
 *
 * @throws SQLException never thrown by this empty body; kept in the signature
 *                      so callers of the sample compile unchanged
 */
public DBConfig() throws SQLException {
}

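/**
 * Opens (and now closes) two connections whose JDBC URLs carry the credentials
 * inline.
 *
 * NOTE(review): this sample counts as "Non Vulnerable" only because the
 * passwords are non-empty (contrast the empty "password=" in the vulnerable
 * sample). Both URLs still embed literal passwords in source, which the
 * recommendation above says to avoid; real code should supply them from
 * configuration or the environment, as the other language samples do.
 *
 * @throws SQLException if either connection cannot be established or closed
 */
public void test() throws SQLException {
    // The original discarded both Connection objects without closing them;
    // release each one as soon as it has been obtained.
    DriverManager.getConnection("jdbc:derby:memory:myDB;create=true?user=user&password=password").close();
    DriverManager.getConnection("jdbc:mysql://address=(host=myhost1)(port=1111)(key1=value1)(user=sandy)(password=secret),address=(host=myhost2)(port=2222)(key2=value2)(user=sandy)(password=secret)/db").close();
}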

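/**
 * Connects to a local PostgreSQL database using a Properties object.
 *
 * NOTE(review): the password property is commented out, so no password is
 * sent at all. That is only correct if the server authenticates "fred" by
 * another mechanism; under password authentication (the mode this page is
 * about) the attempt is rejected or, if the server accepts it, is no stronger
 * than the empty password shown in the vulnerable sample. Prefer loading the
 * password from configuration or the environment.
 *
 * @throws SQLException if the connection cannot be established or closed
 */
public void test2() throws SQLException {
    String url = "jdbc:postgresql://localhost/test";
    Properties props = new Properties();
    props.setProperty("user", "fred");
    //props.setProperty("password", "secret");

    // The original discarded the Connection without closing it; release it.
    DriverManager.getConnection(url, props).close();
}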

Vulnerable :

// Vulnerable: every connection parameter, including the password, is a
// literal in source, and the password is a trivially guessable word.
// Anyone who can read the source learns the database credentials.
$host = "localhost";
$user = "dbuser";
$password = "password";
$dbname = "mydatabase";

$conn = mysqli_connect($host, $user, $password, $dbname);

Non Vulnerable :

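// Connection settings are read from the environment, not from source control.
$host = getenv("DB_HOST");
$user = getenv("DB_USERNAME");
$password = getenv("DB_PASSWORD");
$dbname = getenv("DB_DATABASE");

// getenv() returns false for an unset variable, and false is coerced to an
// empty string when passed on — a missing DB_PASSWORD would silently turn
// into the empty-password misconfiguration this page describes. Fail instead.
if ($host === false || $user === false || $password === false || $dbname === false) {
    throw new RuntimeException("Database connection settings are missing from the environment");
}

$conn = mysqli_connect($host, $user, $password, $dbname);
// On PHP versions where mysqli reports errors by return value rather than by
// exception, a failed connection comes back as false; do not proceed with it.
if ($conn === false) {
    throw new RuntimeException("Database connection failed");
}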

Vulnerable :

// Vulnerable: the credentials are literals in source, and the password is a
// trivially guessable word. Anyone who can read this file (or the repository
// history) learns the database password.
const mysql = require('mysql');

const connection = mysql.createConnection({
    host: 'localhost',
    user: 'dbuser',
    password: 'password', // hardcoded, weak password
    database: 'mydatabase'
});

connection.connect();

Non Vulnerable :

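const mysql = require('mysql');

// Connection settings come from the environment, not from source control.
const { DB_HOST, DB_USERNAME, DB_PASSWORD, DB_DATABASE } = process.env;

// An unset variable reads as `undefined`, which would be handed to the driver
// as "no password" — a missing DB_PASSWORD would silently degrade into the
// misconfiguration this page describes. Fail loudly instead.
for (const [name, value] of Object.entries({ DB_HOST, DB_USERNAME, DB_PASSWORD, DB_DATABASE })) {
    if (value === undefined || value === '') {
        throw new Error(`Missing required database setting: ${name}`);
    }
}

const connection = mysql.createConnection({
    host: DB_HOST,
    user: DB_USERNAME,
    password: DB_PASSWORD,
    database: DB_DATABASE,
});

// The original called connect() without a callback, so a failed connection
// surfaced only as an unhandled error event. Report it explicitly, keeping the
// driver error as the cause (do not echo it to end users: it can include the
// host and user name).
connection.connect((err) => {
    if (err) {
        throw new Error('Database connection failed', { cause: err });
    }
});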

Vulnerable :

// Vulnerable: the user name and password are literals in the format
// arguments, and the password is a guessable word. sslmode=disable
// additionally sends the password and every query in cleartext, so anyone
// on the network path can read them.
dsn := fmt.Sprintf("user=%s password=%s host=%s dbname=%s sslmode=%s",
    "dbuser", "password", "localhost", "mydatabase", "disable")

db, err := sql.Open("postgres", dsn)
if err != nil {
    log.Fatal(err)
}

// sql.Open does not contact the server; Ping is what actually authenticates.
err = db.Ping()
if err != nil {
    log.Fatal(err)
}

Non Vulnerable :

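// Connection settings come from the environment so that no secret is committed
// with the source. os.LookupEnv distinguishes "unset" from "set to empty":
// with os.Getenv a missing DB_PASSWORD would silently become an empty
// password, i.e. the misconfiguration this page is about.
requireEnv := func(name string) string {
    value, ok := os.LookupEnv(name)
    if !ok || value == "" {
        log.Fatalf("required database setting %s is not set", name)
    }
    return value
}

host := requireEnv("DB_HOST")
user := requireEnv("DB_USERNAME")
password := requireEnv("DB_PASSWORD")
dbname := requireEnv("DB_DATABASE")

// sslmode=disable would send the password and every query in cleartext.
// verify-full encrypts the connection and checks the server certificate and
// host name ("require" only encrypts; "verify-ca" checks the certificate but
// not the host name).
// NOTE: the values are interpolated unquoted; a password containing spaces or
// quotes must be quoted according to the libpq key=value DSN rules.
dsn := fmt.Sprintf("user=%s password=%s host=%s dbname=%s sslmode=%s",
    user, password, host, dbname, "verify-full")

db, err := sql.Open("postgres", dsn)
if err != nil {
    log.Fatal(err)
}
// Release the pool when the enclosing function returns.
defer db.Close()

// sql.Open does not contact the server; Ping is what actually authenticates.
err = db.Ping()
if err != nil {
    log.Fatal(err)
}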

Vulnerable :

require 'pg'

# Vulnerable: every connection parameter, including the password, is a literal
# in source, and the password is a trivially guessable word.
conn = PG.connect(
    host: 'localhost',
    dbname: 'mydatabase',
    user: 'dbuser',
    password: 'password'
)

Non Vulnerable :

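require 'pg'

# Connection settings are read from the environment rather than written into
# the source. ENV.fetch (instead of ENV[]) raises KeyError when a variable is
# missing: with ENV[] an unset DB_PASSWORD would be nil and the client would
# try to connect without a password — the very weakness this page describes.
conn = PG.connect(
    host: ENV.fetch('DB_HOST'),
    dbname: ENV.fetch('DB_DATABASE'),
    user: ENV.fetch('DB_USERNAME'),
    password: ENV.fetch('DB_PASSWORD')
)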

References