Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Won't Fix
- Affects Version/s: 2.4.104
- Fix Version/s: None
- Component/s: None
Description
Description:
The UniqueID generation for the spam filter is not truly random.
Recommendation:
Use java.security.SecureRandom instead.
Description:
Generation of random passwords, on password changes and administrator initial password uses an insecure source of randomness.
Recommendation:
Use java.security.SecureRandom instead.
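The following is an added illustration of the recommendation above, not code from JSPWiki or from the scanner report: a unique-ID generator and a random-password generator built on java.security.SecureRandom, next to the java.util.Random pattern the findings describe. The class name, method names and alphabets are assumptions chosen for the example; only the SecureRandom API and the java.util.Random calls (nextInt(26), nextDouble()) come from the page.

```java
import java.security.SecureRandom;
import java.util.Random;

// Example class (hypothetical name): shows why java.util.Random is
// unsuitable for security tokens and how SecureRandom replaces it.
public class RandomnessExample {

    // One shared SecureRandom. It is thread-safe and is seeded from the
    // operating system's CSPRNG, so there is no need to seed it by hand.
    private static final SecureRandom SECURE = new SecureRandom();

    private static final String LETTERS = "abcdefghijklmnopqrstuvwxyz";
    private static final String PASSWORD_ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Weak pattern, kept only for contrast: java.util.Random is a 48-bit
    // linear congruential generator. Its internal state can be recovered
    // from a couple of observed outputs, after which every later ID is
    // predictable. This is the "PoorEntropy" class of finding.
    static String weakUniqueId(int length) {
        Random rand = new Random();
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(LETTERS.charAt(rand.nextInt(26)));
        }
        return sb.toString();
    }

    // Hardened form: same shape, but every index comes from SecureRandom.
    static String secureUniqueId(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(LETTERS.charAt(SECURE.nextInt(LETTERS.length())));
        }
        return sb.toString();
    }

    // Password generation with SecureRandom. nextInt(bound) is uniform
    // over the alphabet; deriving an index from nextDouble() * n or from
    // a modulo of a wider value would introduce a small bias as well as
    // the predictability problem.
    static String generateRandomPassword(int length) {
        if (length < 1) {
            throw new IllegalArgumentException("length must be positive");
        }
        char[] out = new char[length];
        for (int i = 0; i < length; i++) {
            out[i] = PASSWORD_ALPHABET.charAt(
                SECURE.nextInt(PASSWORD_ALPHABET.length()));
        }
        return new String(out);
    }

    public static void main(String[] args) {
        System.out.println("weak id    : " + weakUniqueId(16));
        System.out.println("secure id  : " + secureUniqueId(16));
        System.out.println("password   : " + generateRandomPassword(12));
    }
}
```

A single static SecureRandom instance is preferable to constructing one per call: creation may be comparatively expensive and, on some platforms, can block while the OS entropy pool is read. Reviewing for this class of issue means checking every place a token, session identifier, CAPTCHA value or password is derived from java.util.Random or Math.random(), which both findings on this page are instances of.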
Related Code Locations:
2 findings:
Name: com.ecyrd.jspwiki.filters.SpamFilter.getUniqueID():java.lang.String
Type: Vulnerability.Cryptography.PoorEntropy
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\filters\SpamFilter.java
Line / Col: 262 / 0
Context: rand . java.util.Random.nextInt ( 26 )
-----------------------------------
Name: com.ecyrd.jspwiki.TextUtil.generateRandomPassword():java.lang.String
Type: Vulnerability.Cryptography.PoorEntropy
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\TextUtil.java
Line / Col: 773 / 0
Context: RANDOM . java.util.Random.nextDouble ()
-----------------------------------