Empty Password in Configuration file

[mrahman]

I am using AutoIT along with Selenium WebDriver to handle upload and download while doing web based automation. At work,  the server admins ran a security scan prior to install autoIT in prod server and provided the following findings:

Credentials Management (high severity)
CWE-255: Credentials Management

Location: Editors/PSPad/AutoIt3.ini:1336
ID: ****** Status: New Detection Method: Static Analysis
Reported by Fortify: Fortify / Environment / Password Management / Empty Password in Configuration File [CWE-258]
Location: Editors/PSPad/AutoIt3.ini 

 

Now, what should be a reasonable explanation why these strings have empty passwords.

[JLogan3o13]

edit: sorry typing too fast...

Is this the latest version of AutoIt you've installed?

AutoIt3.ini does have a couple of lines that reference passwords, which through a default install would be blank:

Quote

_GUICtrlEdit_GetPasswordChar=

_GUICtrlEdit_SetPasswordChar=

_GUICtrlRichEdit_GetPasswordChar=

_GUICtrlRichEdit_SetPasswordChar=

but I don't see why that would throw an exception in your AV scans. I would ask your security team why Fortify thinks this is an issue.

Edited August 22, 2018 by JLogan3o13

[mrahman]

it is the latest version of AutoIT

v3.3.14.5

[JLogan3o13]

The second part of my suggestion stands - consult with your security folks as to why that AV product (one of the few I am not intimately familiar with) thinks an empty line with the word password in it is a risk. 

Edit: I see it is more of an application security testing product, rather than AV

Edited August 22, 2018 by JLogan3o13

[mrahman]

You are right, its an application security testing. I also found those lines that reference passwords. their concern is since there are nodes, why those nodes are kept blank. how this nodes are being used. 

[jchd]

To me its like looking closely deep inside your underwear to check you aren't carrying a Kalashnikov.

[mrahman]

@JCHD    I understand that it is too much of security concern for such a light weight tool. 

 

 I am wondering what was the purpose of those empty strings in the location Editors/PSPad/AutoIt3.ini 

and if I have to use these references or set up a password, how to do that. 

[iamtheky]

1 hour ago, mrahman said:

 I am wondering what was the purpose of those empty strings in the location Editors/PSPad/AutoIt3.ini 

They are in an editor highlighter defintion file, and when you type those strings into an editor they get highlighted.   I dont know if your MicroFocus install is well tuned or just aimed at OWASP top 20, and would not speak negatively of any App Security (for real, many cheers that your department has a process that is getting 3rd party app security questions asked)....  But those are strings within larger function names, so whatever scan returned those items deals in false positives for a job.

Edited August 22, 2018 by iamtheky

[mrahman]

Thank you.

[jchd]

Don't misunderstand me: I'm not going to dismiss either the move and efforts towards better security or the tools used to detect issues. But tagging passive parameter names in a config file is close to ridiculous. Its the use of config data that needs close scrutiny, while parameter names can be random garbage.