incubator-jspwiki-dev mailing list archives

From "Florian Holeczek (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (JSPWIKI-74) Ounce Labs Security Finding: Cryptography - Poor Entropy
Date Sat, 10 Sep 2011 23:35:10 GMT

     [ https://issues.apache.org/jira/browse/JSPWIKI-74?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Holeczek closed JSPWIKI-74.
-----------------------------------


> Ounce Labs Security Finding: Cryptography - Poor Entropy
> --------------------------------------------------------
>
>                 Key: JSPWIKI-74
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-74
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.4.104
>            Reporter: Cristian Borlovan
>            Assignee: Andrew Jaquith
>             Fix For: 2.6.0
>
>         Attachments: report.pdf
>
>
> Description:
> The UniqueID generation for the spam filter is not truly random. 
> Recommendation:
> Instead use java.security.SecureRandom().
> Description:
> Generation of random passwords, on password changes and administrator initial password, uses an insecure source of randomness.
> Recommendation:
> Instead use java.security.SecureRandom().
> Related Code Locations: 
> 2 findings:
>   Name:           com.ecyrd.jspwiki.filters.SpamFilter.getUniqueID():java.lang.String
>   Type:           Vulnerability.Cryptography.PoorEntropy
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\filters\SpamFilter.java
>   Line / Col:     262 / 0
>   Context:        rand . java.util.Random.nextInt ( 26 )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.TextUtil.generateRandomPassword():java.lang.String
>   Type:           Vulnerability.Cryptography.PoorEntropy
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\TextUtil.java
>   Line / Col:     773 / 0
>   Context:        RANDOM . java.util.Random.nextDouble ()
>      -----------------------------------
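The two flagged patterns side by side with the recommended fix, as an added illustration that is not JSPWiki's own code: `weakPassword` mirrors the `RANDOM.nextDouble()` index selection the scanner reported, while `strongPassword` and `uniqueId` draw from `java.security.SecureRandom` as the finding recommends. Class and method names here are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Random;

/** Added illustration, not JSPWiki code: weak pattern from the finding beside a hardened form. */
public class PasswordSource {
    // Weak: java.util.Random is a 48-bit linear congruential generator; its
    // sequence is predictable from a few observed outputs, so it must not
    // back passwords or anti-spam tokens.
    private static final Random WEAK = new Random();

    // Hardened: a CSPRNG, created once and reused (construction/seeding is costly).
    private static final SecureRandom STRONG = new SecureRandom();

    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    /** Mirrors the flagged pattern: character index derived from Random.nextDouble(). */
    static String weakPassword(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt((int) (WEAK.nextDouble() * ALPHABET.length())));
        }
        return sb.toString();
    }

    /** Hardened: SecureRandom.nextInt(bound) is uniform over [0, bound) and unpredictable. */
    static String strongPassword(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(STRONG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    /** Hardened replacement for a spam-filter unique ID: raw CSPRNG bytes, hex encoded. */
    static String uniqueId(int numBytes) {
        byte[] buf = new byte[numBytes];
        STRONG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(numBytes * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("weak   : " + weakPassword(12));
        System.out.println("strong : " + strongPassword(12));
        System.out.println("token  : " + uniqueId(16)); // 128 bits of entropy
    }
}
```

A single shared `SecureRandom` instance is thread-safe, so there is no need to construct one per call.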

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
