Active Directory services account with plaintext password


Product & Service Introduction:

BioStar 2 is a web-based, open, and integrated security platform that provides comprehensive functionality for access control, time & attendance management, visitor management, and video log maintenance. It encrypts all personal data available and supports both SDKs and web APIs to integrate BioStar 2 with third-party software. In addition, users can control BioStar 2 platform remotely with the mobile app for BioStar 2 and manage a mobile access card that they can use to access sites.

Technical Description:

Active Directory is a directory service that stores employee information such as company file server account details and employee computer (workstation) records.

In BioStar 2 v2.7.5 and later, BioStar 2 user information can be updated (synchronized) from an Active Directory server, which requires BioStar 2 to store a service account credential for binding to that server.

Proof of Concept (POC):

Storing a password in plaintext may result in a system compromise. Password management issues arise when a password is stored in plaintext in an application's properties or configuration file, or, as here, when the stored value is echoed back in plaintext in the HTML that the application serves to the browser: anyone who can read that file or page source obtains the service account's domain credential.

  1. Log in to the BioStar 2 dashboard with an "Admin" account and go to Settings > Active Directory.
  2. On the Active Directory page, view the page source (or inspect the service account password field). The Active Directory service account password is present in plaintext in the HTML returned to the browser, even though the field is rendered masked.
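The following is an added example, not BioStar 2 code or part of the original advisory: a small Python checker that audits a captured copy of a settings page for the kind of exposure described above. It flags `<input>` fields of type password (or with a secret-looking name) that arrive pre-filled with a value, and separately probes for the literal credential anywhere in the body, which also catches the value being embedded in inline JavaScript or JSON. The sample pages, the field names (`ad_bind_password` etc.), the host name and the password value are all constructed for illustration.

```python
"""Audit an HTTP response body for a plaintext service-account password.

Added example (not BioStar 2 code). The HTML samples below are constructed;
field names, host names and the password value are assumptions.
"""
from html.parser import HTMLParser

# Constructed sample of a vulnerable settings page: the stored credential is
# sent back to the browser as the value of the (masked) password field.
VULNERABLE_PAGE = """
<form id="ad-settings">
  <input type="text" name="ad_server" value="dc01.corp.example">
  <input type="text" name="ad_bind_user" value="svc-biostar@corp.example">
  <input type="password" name="ad_bind_password" value="Sup3rS3cret!">
</form>
"""

# Constructed sample where the field is empty but the same credential is
# embedded in an inline script block (a common variant of the same leak).
VULNERABLE_JS_PAGE = """
<form id="ad-settings">
  <input type="password" name="ad_bind_password" value="">
</form>
<script>var adConfig = {"bindUser":"svc-biostar","bindPassword":"Sup3rS3cret!"};</script>
"""

# Constructed sample of the expected behaviour after a fix: the server never
# echoes the stored credential back; the field is blank with a placeholder.
FIXED_PAGE = """
<form id="ad-settings">
  <input type="text" name="ad_server" value="dc01.corp.example">
  <input type="text" name="ad_bind_user" value="svc-biostar@corp.example">
  <input type="password" name="ad_bind_password" value="" placeholder="********">
</form>
"""

# Substrings that mark a field as secret-bearing even if type != "password".
SECRET_NAME_HINTS = ("password", "passwd", "pwd", "secret")


class CredentialFieldScanner(HTMLParser):
    """Collect <input> elements that carry a non-empty value in a
    password-type field or a field whose name looks secret-bearing."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, leaked value)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # attribute values may be None (bare attributes)
        name = (a.get("name") or a.get("id") or "").lower()
        value = a.get("value") or ""
        is_password_type = (a.get("type") or "").lower() == "password"
        looks_secret = is_password_type or any(h in name for h in SECRET_NAME_HINTS)
        if looks_secret and value:
            self.findings.append((name, value))


def find_prefilled_secret_fields(html):
    """Return (name, value) pairs for password-like inputs that are pre-filled."""
    scanner = CredentialFieldScanner()
    scanner.feed(html)
    return scanner.findings


def contains_known_secret(html, secret):
    """True if the literal credential appears anywhere in the response body."""
    return secret in html


def audit_page(html, known_secret=None):
    """Combine both checks. If the known secret is present but not already
    attributed to a field, report it against the whole body."""
    findings = find_prefilled_secret_fields(html)
    if known_secret and contains_known_secret(html, known_secret):
        if not any(v == known_secret for _, v in findings):
            findings.append(("<body>", known_secret))
    return findings


if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE),
                        ("vulnerable-js", VULNERABLE_JS_PAGE),
                        ("fixed", FIXED_PAGE)):
        hits = audit_page(page, known_secret="Sup3rS3cret!")
        print(f"{label}: {hits or 'no plaintext credential found'}")
```

In a real check, fetch the Settings > Active Directory page with an authenticated session (for example with `requests` reusing the dashboard cookie) and pass the response text to `audit_page`; the check deliberately reads the raw response rather than the rendered form, because a field rendered as dots in the browser says nothing about what the server actually sent.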

Solution – Fix & Patch:

Suprema recommends upgrading to the latest version of BioStar 2; at the time of publishing this post (2022 Q4) that is v2.9.1. After upgrading, re-check that the Active Directory page no longer returns the service account password in its page source, and rotate that service account's password, since any copy already retrieved from the old page source remains valid until it is changed.