Security Issue: Default admin credentials + weak MD5 password hashing enable full admin compromise and credential cracking
Summary
The project ships seeded admin accounts with a documented default password and hashes passwords with unsalted, single-round MD5. If a deployment initializes its database from the provided schema (or reuses a copy of it), anyone who knows the documented defaults can log in as admin, and any password hashes that leak are trivially crackable offline because nothing but a bare MD5 of the password is stored.
OWASP Top 10 Mapping
A07: Identification & Authentication Failures
A02: Cryptographic Failures
A05: Security Misconfiguration
Finding 1 — Seeded admin accounts share a documented default password
The schema seeds three admin users with the same password hash, and the project's own FAQ documents the credentials:
FAQ.md
### Q11: What is the default administrator account?
**A:** The default administrator account details are in the `tb_newbee_mall_admin_user` table of the database initialization script. Typically:
- Username: admin
- Password: 123456 (stored MD5-encrypted)
newbee_mall_schema.sql
```sql
-- author 13
-- QQ group 796794009
-- email 2449207463@qq.com
-- link https://github.com/newbee-ltd
-- Records of tb_newbee_mall_admin_user
-- ----------------------------
INSERT INTO `tb_newbee_mall_admin_user` VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e', '十三', 0);
INSERT INTO `tb_newbee_mall_admin_user` VALUES (2, 'newbee-admin1', 'e10adc3949ba59abbe56e057f20f883e', '新蜂01', 0);
INSERT INTO `tb_newbee_mall_admin_user` VALUES (3, 'newbee-admin2', 'e10adc3949ba59abbe56e057f20f883e', '新蜂02', 0);
```
`e10adc3949ba59abbe56e057f20f883e` is MD5("123456"), one of the best-known hashes in existence and present in every common cracking wordlist. All three seeded accounts carry it, so the same default password opens every admin account, and because the hash is unsalted the shared value is visible at a glance in any dump.
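The offline attack this enables, as an added example (not code from the newbee-mall project): the Python below parses the three seeded INSERT rows shown above (copied inline as constructed input) and runs a dictionary attack with a tiny constructed wordlist. Because the hashes are unsalted, one MD5 computation per candidate word tests every account at once, and identical hashes immediately reveal which accounts share a password. The wordlist, the parsing regex and the function names are the example's own.

```python
import hashlib
import re

# Constructed sample input: the three seeded rows from newbee_mall_schema.sql.
SEEDED_ROWS = """
INSERT INTO `tb_newbee_mall_admin_user` VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e', '十三', 0);
INSERT INTO `tb_newbee_mall_admin_user` VALUES (2, 'newbee-admin1', 'e10adc3949ba59abbe56e057f20f883e', '新蜂01', 0);
INSERT INTO `tb_newbee_mall_admin_user` VALUES (3, 'newbee-admin2', 'e10adc3949ba59abbe56e057f20f883e', '新蜂02', 0);
"""

# Constructed toy wordlist; a real attacker would use rockyou.txt or a rule-based run.
WORDLIST = ["password", "admin", "123456", "12345678", "qwerty", "letmein"]

# Matches the positional columns (id, username, md5 hex) of each INSERT; the
# column order is taken from the dump above, the regex is this example's own.
ROW_RE = re.compile(r"VALUES \((\d+), '([^']*)', '([0-9a-f]{32})'")


def parse_admin_rows(sql):
    """Return a list of (id, username, md5hex) for each admin INSERT in the dump."""
    return [(int(i), user, h) for i, user, h in ROW_RE.findall(sql)]


def md5_hex(text):
    """Unsalted MD5 hex digest, the same value MD5Util.MD5Encode stores."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def crack_unsalted(rows, wordlist):
    """Dictionary attack on unsalted MD5. Each candidate is hashed exactly once
    and looked up against every account; with a salt, the work would instead
    be (candidates x accounts). Returns {username: recovered_password_or_None}."""
    lookup = {md5_hex(word): word for word in wordlist}
    return {user: lookup.get(h) for _, user, h in rows}


def shared_hash_groups(rows):
    """Usernames grouped by identical hash. Unsalted hashing means identical
    hashes imply identical passwords, even before anything is cracked."""
    groups = {}
    for _, user, h in rows:
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    rows = parse_admin_rows(SEEDED_ROWS)
    print("shared hashes:", shared_hash_groups(rows))
    print("cracked:", crack_unsalted(rows, WORDLIST))
```

Every seeded account falls to a six-word list on the first pass; the point is not the speed of MD5 alone but that one hash of "123456" is enough to unlock all three accounts simultaneously.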
Finding 2 — Password hashing uses unsalted MD5 (fast, crackable)
Evidence (source): src/main/java/ltd/newbee/mall/util/MD5Util.java
MD5 hashing is implemented via:
```java
resultString = byteArrayToHexString(md.digest(resultString.getBytes(charsetname)));
```
No salt, no iteration count, no memory cost: the stored value is a single MD5 digest of the raw password, so equal passwords always produce equal hashes.
Evidence (source): src/main/java/ltd/newbee/mall/service/impl/AdminUserServiceImpl.java
Admin login hashes the supplied password with MD5 and hands the digest to the mapper, which matches on username and hash together:
```java
String passwordMd5 = MD5Util.MD5Encode(password, "UTF-8");
return adminUserMapper.login(userName, passwordMd5);
```
Impact: If password hashes are obtained (DB dump, backup leak, SQLi elsewhere, insider access), attackers can crack them rapidly offline. Because hashes are unsalted, identical passwords produce identical hashes, enabling:
```java
// Entity setter for the stored hash: the value is kept as-is apart from trimming,
// so nothing on the write path adds a salt either.
public void setPasswordMd5(String passwordMd5) {
    this.passwordMd5 = passwordMd5 == null ? null : passwordMd5.trim();
}
```
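The hardened counterpart, added here as an example and not taken from the project: the first function reproduces what `MD5Util.MD5Encode` effectively computes; the rest replace it with a salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library, standing in for the bcrypt, scrypt or Argon2id a Spring Boot project would normally get from a library such as Spring Security's `BCryptPasswordEncoder`) and show why the `adminUserMapper.login(userName, passwordMd5)` pattern has to change as well: with a per-user salt the service looks the account up by username and then verifies, rather than matching on username and hash. The iteration count, the encoded record format, the in-memory `users` dictionary and the `login` helper are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# These parameters are this example's assumptions, not project settings:
# PBKDF2-HMAC-SHA256 with an iteration count in line with current OWASP
# guidance and a 16-byte random salt per password.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def md5_encode(password):
    """What MD5Util.MD5Encode effectively computes: unsalted, single-pass MD5 hex."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash. Salt and iteration count are stored with the digest
    as pbkdf2_sha256$<iterations>$<salt b64>$<digest b64>, so verification is
    self-describing and the cost can be raised later without a flag day."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time.
    Anything that is not a well-formed record (e.g. a legacy bare MD5 hex) fails closed."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        actual = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


# Computed once so a lookup for an unknown username still costs one full
# verification, which keeps a timing side channel from revealing valid usernames.
_DUMMY_RECORD = hash_password("not-a-real-password")


def login(users, username, password):
    """Replacement for the mapper.login(userName, passwordMd5) pattern: fetch the
    record by username, then verify. `users` is a hypothetical dict standing in
    for tb_newbee_mall_admin_user, shaped {username: stored_record}."""
    stored = users.get(username, _DUMMY_RECORD)
    ok = verify_password(password, stored)
    return ok and username in users


if __name__ == "__main__":
    users = {"admin": hash_password("123456")}  # constructed sample account
    print("seeded MD5:", md5_encode("123456"))
    print("salted record:", users["admin"])
    print(login(users, "admin", "123456"), login(users, "admin", "wrong"))
```

Two properties are worth checking by hand: hashing "123456" twice yields two different records (so a leaked table no longer shows which accounts share a password), and a stored legacy MD5 hex is rejected rather than silently accepted, which forces an explicit migration path (for example, re-hashing at next successful login) instead of leaving old hashes live.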