Bug 60700 - Security: hardcoded password in class org.apache.poi.poifs.crypt.CryptoFunctions
Summary: Security: hardcoded password in class org.apache.poi.poifs.crypt.CryptoFunctions
Alias: None
Product: POI
Classification: Unclassified
Component: POIFS
Version: 3.15-FINAL
Hardware: PC All
Importance: P2 critical
Target Milestone: ---
Assignee: POI Developers List
Depends on:
Reported: 2017-02-07 09:27 UTC by Li Nian
Modified: 2017-02-07 16:57 UTC


Description Li Nian 2017-02-07 09:27:16 UTC
Using Fortify to scan the POI 3.15 source code files, you will find a critical security issue for a hardcoded password.

In method org.apache.poi.poifs.crypt.CryptoFunctions.hashPassword(String, HashAlgorithm, byte[], int, boolean):

        // If no password was given, use the default
        if (password == null) {
            password = Decryptor.DEFAULT_PASSWORD;

Passwords should never be hardcoded and should generally be obfuscated and managed in an external source. Storing passwords in plaintext anywhere on the system allows anyone with sufficient permissions to read and potentially misuse the password.
Comment 1 Nick Burch 2017-02-07 16:57:40 UTC
This is the default password for all Microsoft Office files, which can be found in the official Microsoft documentation, or in about 5 seconds with a Google search. As such, this is not a security issue.
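The practical consequence of the null-to-default substitution quoted above, shown as an added example that is not code from the POI project or from either comment: a document encrypted under Decryptor.DEFAULT_PASSWORD opens with no password at all, so the useful check for a defender is whether a supposedly protected file verifies against null. The POI classes and methods used are the real public API (3.15 assumed); the program's own class and method names are made up.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.GeneralSecurityException;

import org.apache.poi.poifs.crypt.Decryptor;
import org.apache.poi.poifs.crypt.EncryptionInfo;
import org.apache.poi.poifs.crypt.EncryptionMode;
import org.apache.poi.poifs.crypt.Encryptor;
import org.apache.poi.poifs.filesystem.POIFSFileSystem;
import org.apache.poi.xssf.usermodel.XSSFWorkbook;

public class DefaultPasswordCheck {

    /** Constructed sample input: an empty workbook, encrypted (agile mode) under the given password. */
    static byte[] encryptedWorkbook(String password) throws IOException, GeneralSecurityException {
        POIFSFileSystem fs = new POIFSFileSystem();
        EncryptionInfo info = new EncryptionInfo(EncryptionMode.agile);
        Encryptor enc = info.getEncryptor();
        enc.confirmPassword(password);
        try (XSSFWorkbook wb = new XSSFWorkbook();
             OutputStream os = enc.getDataStream(fs.getRoot())) {
            wb.write(os);
        }
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        fs.writeFilesystem(bos);
        fs.close();
        return bos.toByteArray();
    }

    /** True when the encrypted container verifies with no password at all: the caller passes null,
     *  CryptoFunctions.hashPassword substitutes Decryptor.DEFAULT_PASSWORD, and the file opens. */
    static boolean opensWithoutPassword(byte[] encrypted) throws IOException, GeneralSecurityException {
        try (POIFSFileSystem fs = new POIFSFileSystem(new ByteArrayInputStream(encrypted))) {
            EncryptionInfo info = new EncryptionInfo(fs);
            Decryptor dec = Decryptor.getInstance(info);
            return dec.verifyPassword(null);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] weak = encryptedWorkbook(Decryptor.DEFAULT_PASSWORD);
        byte[] strong = encryptedWorkbook("user-chosen-secret-example"); // constructed value
        System.out.println("default-password file opens with null: " + opensWithoutPassword(weak));
        System.out.println("user-password file opens with null:    " + opensWithoutPassword(strong));
    }
}
```

Run over a directory of "encrypted" documents, opensWithoutPassword flags the ones that carry no real protection despite being encrypted on disk.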