[JSPWIKI-74] Ounce Labs Security Finding: Cryptography - Poor Entropy - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Won't Fix
Affects Version/s: 2.4.104
Fix Version/s: 2.6.0
Component/s: None
Labels:
None

Description

Description:
The UniqueID generation for the spam filter is not truly random.

Recommendation:
Instead use java.security.SecureRandom().

Description:
Generation of random passwords, on password changes and administrator initial password uses an insecure source of randomness.

Recommendation:
Instead use java.security.SecureRandom().

Related Code Locations:
2 findings:
Name: com.ecyrd.jspwiki.filters.SpamFilter.getUniqueID():java.lang.String
Type: Vulnerability.Cryptography.PoorEntropy
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\filters\SpamFilter.java
Line / Col: 262 / 0
Context: rand . java.util.Random.nextInt ( 26 )
-----------------------------------
Name: com.ecyrd.jspwiki.TextUtil.generateRandomPassword():java.lang.String
Type: Vulnerability.Cryptography.PoorEntropy
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\TextUtil.java
Line / Col: 773 / 0
Context: RANDOM . java.util.Random.nextDouble ()
-----------------------------------

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

report.pdf
28/Nov/07 21:08
28 kB
Cristian Borlovan

Activity

People

Assignee:: Andrew R. Jaquith

Reporter:: Cristian Borlovan

Votes:: 1 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 28/Nov/07 21:07

Updated:: 10/Sep/11 23:33

Resolved:: 29/Nov/07 06:09