CX Heap_Inspection @ Code/SQLiteMembershipProvider.cs [master]

[jbruinaud]

Heap_Inspection issue exists @ Code/SQLiteMembershipProvider.cs in branch master

Method GetPassword at line 773 of Code\SQLiteMembershipProvider.cs defines password, which is designated to contain user passwords. However, while plaintext passwords are later assigned to password, this variable is never cleared from memory. 

Severity: Medium

CWE:244

Checkmarx

Lines: 450 1673 1609 1610 1050 1018 331 796 1758

---

Code (Line #450):

            string encodedPassword = EncodePassword (password, PasswordFormat, salt);

---

Code (Line #1673):

        private static void GetPasswordWithFormat (string username, out int status, out string password, out MembershipPasswordFormat passwordFormat, out string passwordSalt, out int failedPasswordAttemptCount, out int failedPasswordAnswerAttemptCount, out bool isApproved, out DateTime lastLoginDate, out DateTime lastActivityDate)

---

Code (Line #1609):

            string pass1 = password;

---

Code (Line #1610):

            string pass2 = dbpassword;

---

Code (Line #1050):

            string newPassword = Membership.GeneratePassword (NEW_PASSWORD_LENGTH, MinRequiredNonAlphanumericCharacters);

---

Code (Line #1018):

            string passwordFromDb;

---

Code (Line #331):

            string encodedPwd = EncodePassword (newPassword, passwordFormat, salt);

---

Code (Line #796):

                        string password, passwordAnswer, passwordSalt;

---

Code (Line #1758):

            string password = encodedPassword;

---

[jbruinaud]

Issue still exists.

SUMMARY

Issue has total 9 vulnerabilities left to be fix (Please scroll to the top for more information)