My current employer uses the open source project called openreports to host our internal reports. We noticed fairly quickly that it was storing the user account passwords in plain text in the database and I was tasked with fixing this.

So the first thing I did was check the docs, where I noticed some optional steps for encrypting the passwords in the database. There wasn't a way to set an encryption key, however. I was hoping that maybe they meant they hash the password, in which case a key wouldn't be needed, but I've worked with openreports enough to fear otherwise.

I started digging through the source code and still didn't see any way to set the key. So I ended up finding the code that transforms the password and was shocked by what I saw:

```java
import org.apache.commons.codec.net.BCodec;

// The "encryption" step as found in the source: no key, no secret, just an encoder.
BCodec bCodec = new BCodec();
return bCodec.encode(password);
```

org.apache.commons.codec.net.BCodec is a Base64 encoding class: it implements the RFC 1522 "B" encoding, which is plain Base64 wrapped in a MIME encoded-word (=?UTF-8?B?...?=). It is reversible by anyone with a Base64 decoder and involves no key at all, so it protects nothing. My rage on seeing this was indescribable. The worst part was that I couldn't even salvage this code, because it required the ability to "decode", and since I decided to use a salted SHA-256 hash there was no way to "decode" that at all.
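To make the difference concrete, the following is an added example written for this post; it is not openreports code and not the original author's fix. It reproduces what the BCodec call above actually stores, shows that anyone who can read the column gets the password back, and then shows a one-way replacement. Assumptions: the encoded-word format is rebuilt with java.util.Base64 instead of commons-codec (assuming BCodec's default charset, UTF-8); the replacement uses the JDK's PBKDF2-HMAC-SHA256 rather than the single salted SHA-256 pass the post describes, because one fast hash iteration, salted or not, costs an attacker almost nothing per guess; the class and method names (PasswordStorageDemo, hashForStorage, verify) and the "pbkdf2-sha256$..." record format are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStorageDemo {

    // --- Part 1: what the openreports snippet actually stores ---

    // BCodec.encode(s) yields an RFC 1522 encoded-word: "=?UTF-8?B?" + Base64(s) + "?=".
    // Reproduced with the JDK here so the demo needs no commons-codec dependency
    // (assumption: BCodec's default charset, UTF-8).
    static String bCodecStyleEncode(String password) {
        String b64 = Base64.getEncoder()
                .encodeToString(password.getBytes(StandardCharsets.UTF_8));
        return "=?UTF-8?B?" + b64 + "?=";
    }

    // Anyone who can read the column gets the password back: strip the wrapper and
    // Base64-decode. There is no key, so there is nothing an attacker lacks.
    static String recoverPassword(String stored) {
        String prefix = "=?UTF-8?B?", suffix = "?=";
        if (!stored.startsWith(prefix) || !stored.endsWith(suffix)) {
            throw new IllegalArgumentException("not a B-encoded word: " + stored);
        }
        String b64 = stored.substring(prefix.length(), stored.length() - suffix.length());
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    // --- Part 2: a one-way, salted, deliberately slow replacement ---

    // PBKDF2-HMAC-SHA256 from the JDK. 600,000 iterations is the OWASP (2023)
    // recommendation for this construction; tune to your hardware.
    static final int ITERATIONS = 600_000;
    static final int SALT_BYTES = 16;
    static final int KEY_BITS = 256;
    static final String PREFIX = "pbkdf2-sha256";

    static byte[] derive(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            byte[] out = f.generateSecret(spec).getEncoded();
            spec.clearPassword(); // don't leave the password sitting in the spec
            return out;
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    // Stored form: "pbkdf2-sha256$<iterations>$<base64 salt>$<base64 hash>".
    // Per-user random salt; parameters stored alongside so they can be raised later.
    static String hashForStorage(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(password, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return PREFIX + "$" + ITERATIONS + "$" + enc.encodeToString(salt)
                + "$" + enc.encodeToString(hash);
    }

    // Verification recomputes with the stored salt and iteration count and compares
    // in constant time. Nothing here can "decode" the stored value, by design.
    static boolean verify(char[] password, String stored) {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !PREFIX.equals(parts[0])) {
            return false;
        }
        int iterations = Integer.parseInt(parts[1]);
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(parts[2]);
        byte[] expected = dec.decode(parts[3]);
        byte[] actual = derive(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        String pw = "correct horse battery staple"; // constructed sample password

        String asStoredByOpenreports = bCodecStyleEncode(pw);
        System.out.println("stored:     " + asStoredByOpenreports);
        System.out.println("recovered:  " + recoverPassword(asStoredByOpenreports));

        String record = hashForStorage(pw.toCharArray());
        System.out.println("hashed:     " + record);
        System.out.println("verify ok:  " + verify(pw.toCharArray(), record));
        System.out.println("verify bad: " + verify("wrong".toCharArray(), record));
    }
}
```

Two design points worth keeping whatever hash you pick: the salt and the cost parameter live in the stored record, so existing hashes keep verifying after you raise the iteration count for new ones, and the comparison goes through MessageDigest.isEqual rather than Arrays.equals so a mismatch does not leak timing. bcrypt, scrypt or Argon2 via a library are equally good substitutes for the PBKDF2 half; the Base64 half has no substitute, only a replacement.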

TL;DR: Base64 encoding is not encryption or hashing. It needs no key to reverse, so it offers no protection at all.
