| Title | demozx gf_cms None Hard-coded Credentials |
|---|
| Description |

```go
func init() {
	service.RegisterAuth(New())
	auth := jwt.New(&jwt.GfJWTMiddleware{
		Realm:           "test zone",
		Key:             []byte("secret key"), // hard-coded JWT signing key (line 37 of auth.go)
		Timeout:         time.Minute * 5,
		MaxRefresh:      time.Minute * 5,
		IdentityKey:     "id",
		TokenLookup:     "header: Authorization, query: token, cookie: jwt",
		TokenHeadName:   "Bearer",
		TimeFunc:        time.Now,
		Authenticator:   Auth().Authenticator,
		Unauthorized:    Auth().Unauthorized,
		PayloadFunc:     Auth().PayloadFunc,
		IdentityHandler: Auth().IdentityHandler,
	})
	authService = auth
}
```

In file `internal/logic/auth/auth.go`, line 37, there is a hard-coded `Key` value, namely `"secret key"`. Hard-coded credentials (such as keys, passwords, API keys, etc.) are one of the common mistakes in security development. If an attacker has access to these hard-coded credentials, they may be able to exploit this data to access a system or service. Hard-coded credentials often lead to security risks because they make it easier for attackers to obtain sensitive information and potentially use it to perform malicious activities. |
|---|
| Source | https://github.com/demozx/gf_cms/issues/5 |
|---|
| User | zihe (UID 56943) |
|---|
| Submission | 19/08/2024 14:40 (2 years ago) |
|---|
| Moderation | 20/08/2024 10:16 (20 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 275199 [demozx gf_cms 1.0/1.0.1 JWT Authentication auth.go init weak authentication] |
|---|
| Points | 20 |
|---|
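The submission describes the weakness but not its consequence or the fix. The following is an added example, written for this page and not code from gf_cms or from the gf-jwt library: a minimal standard-library HS256 sign/verify pair shows that a token minted by anyone who has read the published key verifies under the vulnerable configuration, while `LoadJWTKey` shows the hardened start-up path, where the signing key comes from a per-deployment source and the process refuses to start on an absent, placeholder or short value. `LoadJWTKey`, `SignHS256`, `VerifyHS256`, the `JWT_SIGNING_KEY` variable name and the 32-byte minimum are all assumptions for illustration; a real deployment would keep using gf-jwt and pass the loaded key into its `Key` field.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// minKeyLen is an assumed policy: HS256 keys shorter than the HMAC-SHA256
// output size (32 bytes) are rejected.
const minKeyLen = 32

// placeholderKeys are values that must never be accepted as a signing key,
// whatever their length. The list is illustrative.
var placeholderKeys = map[string]bool{"secret key": true, "secret": true, "changeme": true}

// LoadJWTKey (hypothetical name) returns the HS256 signing key from the
// supplied lookup (os.Getenv in production, a stub in tests) and fails
// closed when the value is absent, a known placeholder, or too short.
func LoadJWTKey(getenv func(string) string, name string) ([]byte, error) {
	v := getenv(name)
	if v == "" {
		return nil, fmt.Errorf("%s is not set; refusing to start with a default key", name)
	}
	if placeholderKeys[strings.ToLower(strings.TrimSpace(v))] {
		return nil, fmt.Errorf("%s holds a placeholder value", name)
	}
	if len(v) < minKeyLen {
		return nil, fmt.Errorf("%s must be at least %d bytes, got %d", name, minKeyLen, len(v))
	}
	return []byte(v), nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 builds a compact JWT (header.payload.signature) over claims.
// Minimal illustration only; it is not a replacement for gf-jwt.
func SignHS256(key []byte, claims map[string]any) (string, error) {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// VerifyHS256 recomputes the HMAC over header.payload with key and returns
// the claims only when the signature matches (constant-time comparison).
func VerifyHS256(key []byte, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	// Vulnerable configuration: the key every copy of the application shares.
	hardcoded := []byte("secret key")
	// Hardened configuration: the key is read at start-up from the environment
	// (JWT_SIGNING_KEY is an assumed variable name, not gf_cms configuration).
	key, err := LoadJWTKey(os.Getenv, "JWT_SIGNING_KEY")
	if err != nil {
		fmt.Println("startup refused:", err)
		return
	}
	// A token minted with the published key carries whatever identity the
	// minter chooses; it is only rejected because this deployment's key differs.
	token, _ := SignHS256(hardcoded, map[string]any{"id": "1"})
	_, err = VerifyHS256(key, token)
	fmt.Println("token minted with the published key accepted:", err == nil)
}
```

The check worth carrying into a real service is the fail-closed start-up: a process that silently falls back to a default key when the environment is empty reintroduces the same weakness in a form that no longer shows up in a source scan.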