Python Unencrypted FTP Connection
Description
Detects the use of unencrypted FTP connections through Python's ftplib.FTP class, which transmits credentials and data in cleartext. Using plain FTP poses a significant security risk as sensitive information can be intercepted during transmission.
Detection Strategy
• Check if the 'ftplib' module is imported in the Python code
• Look for usage or instantiation of 'ftplib.FTP' class
• Report vulnerability when FTP connections are created without encryption (using plain ftplib.FTP instead of ftplib.FTP_TLS)
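The three steps above can be implemented directly on Python's own `ast` module. The following is an added example written for this page, not Fluid Attacks' rule implementation: it resolves the names bound to `ftplib` and to `ftplib.FTP` (including `import ... as` and `from ... import ... as` aliases), then reports every call that instantiates the plain `FTP` class while leaving `FTP_TLS` alone. The three source snippets it scans are constructed sample inputs.

```python
import ast

# Constructed sample inputs for this example (not taken from the page).
VULNERABLE_SRC = '''
from ftplib import FTP
ftp = FTP("ftp.example.com")
ftp.login("user", "password")
'''

ALIASED_SRC = '''
import ftplib as net
conn = net.FTP()
conn.connect("ftp.example.com", 21)
'''

SAFE_SRC = '''
import ftplib
ftps = ftplib.FTP_TLS("ftp.example.com")
ftps.login("user", "password")
ftps.prot_p()
'''


def _collect_aliases(tree):
    """Collect names bound to the ftplib module and names bound to ftplib.FTP."""
    module_names, class_names = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "ftplib":
                    module_names.add(alias.asname or "ftplib")
        elif isinstance(node, ast.ImportFrom) and node.module == "ftplib":
            for alias in node.names:
                if alias.name == "FTP":
                    class_names.add(alias.asname or "FTP")
    return module_names, class_names


def _is_plain_ftp_call(call, module_names, class_names):
    """True for `FTP(...)` via a from-import alias or `<module alias>.FTP(...)`."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id in class_names
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        # attr must be exactly "FTP", so ftplib.FTP_TLS(...) is not reported
        return func.attr == "FTP" and func.value.id in module_names
    return False


def find_plain_ftp(source):
    """Return (line, column) of every plain ftplib.FTP instantiation in `source`."""
    tree = ast.parse(source)
    module_names, class_names = _collect_aliases(tree)
    if not module_names and not class_names:
        return []  # step 1: ftplib never imported, nothing to report
    return [
        (node.lineno, node.col_offset)
        for node in ast.walk(tree)
        if isinstance(node, ast.Call)
        and _is_plain_ftp_call(node, module_names, class_names)
    ]


if __name__ == "__main__":
    for label, src in [("vulnerable", VULNERABLE_SRC),
                       ("aliased", ALIASED_SRC),
                       ("safe", SAFE_SRC)]:
        print(label, find_plain_ftp(src))
```

Resolving aliases first matters because a pattern match on the literal text `ftplib.FTP(` misses `import ftplib as net` and `from ftplib import FTP as F`. The example deliberately does not resolve `from ftplib import *`, attribute access through variables, or subclasses of `FTP`; a production rule would need taint or type information for those cases.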
Vulnerable code example
from ftplib import FTP
# VULNERABLE: Using plain FTP which transmits credentials in cleartext
ftp = FTP("ftp.example.com")
ftp.login("user", "password")  # Credentials sent without encryption

✅ Secure code example
from ftplib import FTP_TLS
# SAFE: Using FTP_TLS instead of plain FTP for encrypted communication
# Note: without a context argument, FTP_TLS uses a default SSL context that
# does not verify the server certificate; pass
# context=ssl.create_default_context() to get certificate and hostname checks.
ftp = FTP_TLS("ftp.example.com")
ftp.auth()  # Enable TLS encryption on the control channel
ftp.prot_p()  # Protect data channel with TLS
ftp.login("user", "password")  # Credentials now sent over encrypted channel