From email@example.com on October 22, 2013 13:04:40
The 'configuration/esapi/ESAPI.properties' file and all other files under the 'configuration/esapi' directory are missing from the ESAPI production builds. (E.g., it is missing from the 2.1.0 release.)
This is causing some to use the ESAPI.properties file found in 'src/test/resources/esapi/ESAPI.properties' which has some (intentionally) insecure additional property values (e.g., Encryptor.cipher_modes.additional_allowed=CBC,ECB – ECB mode is normally not there). It also increases the likelihood that developers are using the test versions of Encryptor.MasterKey and Encryptor.MasterSalt property values.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=309
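The risk described in this issue can be checked for mechanically. The following is an added example, not part of the original report or of the ESAPI code base: it compares a deployed ESAPI.properties against the test copy and flags ECB in `Encryptor.cipher_modes.additional_allowed` and any reuse of the test `Encryptor.MasterKey` / `Encryptor.MasterSalt` values. The function names and all sample property values are constructed placeholders.

```python
# Added example: flag a deployed ESAPI.properties that carries test-configuration
# settings. All property values below are constructed placeholders.

MODES_KEY = "Encryptor.cipher_modes.additional_allowed"
SECRET_KEYS = ("Encryptor.MasterKey", "Encryptor.MasterSalt")

def parse_properties(text):
    """Minimal .properties parser: 'key=value' or 'key:value', '#'/'!' comments.
    Line continuations and whitespace-only separators are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":  # split on the first separator only
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props

def audit(deployed_text, test_text):
    """Return findings for settings the deployed file shares with the test file."""
    deployed = parse_properties(deployed_text)
    test = parse_properties(test_text)
    findings = []
    modes = [m.strip().upper() for m in deployed.get(MODES_KEY, "").split(",")]
    if "ECB" in modes:
        findings.append(f"{MODES_KEY} allows ECB")
    for key in SECRET_KEYS:
        value = deployed.get(key)
        if value and value == test.get(key):
            findings.append(f"{key} matches the test configuration value")
    return findings

# Constructed stand-in for src/test/resources/esapi/ESAPI.properties
TEST_SAMPLE = """\
# test configuration (constructed sample)
Encryptor.cipher_modes.additional_allowed=CBC,ECB
Encryptor.MasterKey=PLACEHOLDER-TEST-KEY==
Encryptor.MasterSalt=PLACEHOLDER-TEST-SALT=
"""

# Constructed deployment file with its own secrets and no ECB
DEPLOYED_OK = """\
Encryptor.cipher_modes.additional_allowed=CBC
Encryptor.MasterKey=PLACEHOLDER-SITE-KEY==
Encryptor.MasterSalt=PLACEHOLDER-SITE-SALT=
"""

if __name__ == "__main__":
    for finding in audit(TEST_SAMPLE, TEST_SAMPLE):  # test file deployed as-is
        print("FINDING:", finding)
```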