Cleartext Transmission of Sensitive Information in the ftplib Module
The Python module ftplib provides a number of functions for accessing FTP
servers. However, the plain FTP client in this module does not encrypt the
connection. This means that everything transmitted over the network, including
the username and password, is sent in cleartext, which makes it possible for
attackers on the network path to intercept and read this data.
The Python module ftplib should not be used for accessing FTP servers that contain sensitive data. There are a number of alternatives to ftplib that provide security features. These alternatives should be used instead of ftplib for accessing sensitive data.
Example
import ftplib

# Plain FTP: the control connection is never encrypted, so the credentials
# below and every directory listing travel across the network in cleartext.
ftp = ftplib.FTP("ftp.us.debian.org")
ftp.login("user", "password")  # USER/PASS sent unencrypted
ftp.cwd("debian")
ftp.retrlines("LIST")  # listing returned over a cleartext data connection
ftp.quit()
Remediation
If the FTP protocol must be used and sensitive data will be transferred, it
is recommended to secure the connection using the FTP_TLS class. It is also
important to call prot_p() to secure the data connection: FTP_TLS alone
protects the control connection (commands and credentials), while listings
and file contents still travel in cleartext until prot_p() is called.
import ftplib

ftp = ftplib.FTP_TLS("ftp.us.debian.org")
# login() upgrades the control connection with AUTH TLS before USER/PASS are sent
ftp.login("user", "password")
ftp.prot_p()  # PROT P: encrypt the data connection used for listings and transfers
ftp.cwd("debian")
ftp.retrlines("LIST")
ftp.quit()
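The remediation above comes down to two patterns that are visible in source code: a plain ftplib.FTP client, or an FTP_TLS client that never calls prot_p(). The following added example (not part of this page or of ftplib) is a small AST-based check that flags both patterns; the sources it scans are constructed inline from the snippets above.

```python
import ast

def _ftplib_ctor(call, aliases):
    """Return 'FTP' or 'FTP_TLS' when the call constructs an ftplib client."""
    f = call.func
    if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and f.value.id == "ftplib" and f.attr in ("FTP", "FTP_TLS")):
        return f.attr
    if isinstance(f, ast.Name):  # from ftplib import FTP_TLS [as X]
        return aliases.get(f.id)
    return None

def audit_ftplib(source):
    """Constructed check (not the page's tooling): flag every ftplib.FTP()
    client, and every FTP_TLS client variable that never calls prot_p()."""
    aliases, tls_clients, prot_p_called, findings = {}, {}, set(), []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom) and node.module == "ftplib":
            for a in node.names:
                if a.name in ("FTP", "FTP_TLS"):
                    aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
            ctor = _ftplib_ctor(node.value, aliases)
            if ctor == "FTP":
                findings.append((node.lineno, f"line {node.lineno}: ftplib.FTP() sends credentials and data in cleartext"))
            elif ctor == "FTP_TLS":
                for t in node.targets:
                    if isinstance(t, ast.Name):
                        tls_clients[t.id] = node.lineno
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "prot_p" and isinstance(node.func.value, ast.Name)):
            prot_p_called.add(node.func.value.id)
    for var, line in tls_clients.items():
        if var not in prot_p_called:
            findings.append((line, f"line {line}: FTP_TLS client '{var}' never calls prot_p(); data channel is cleartext"))
    return [msg for _, msg in sorted(findings)]

# Constructed samples: the page's cleartext snippet, a half-fix that switches
# to FTP_TLS but forgets prot_p(), and the page's full remediation.
CLEARTEXT = 'import ftplib\nftp = ftplib.FTP("ftp.us.debian.org")\nftp.login("user", "password")\n'
HALF_FIXED = 'from ftplib import FTP_TLS\nftp = FTP_TLS("ftp.us.debian.org")\nftp.login("user", "password")\n'
REMEDIATED = CLEARTEXT.replace("ftplib.FTP(", "ftplib.FTP_TLS(") + "ftp.prot_p()\n"

if __name__ == "__main__":
    for name, src in (("cleartext", CLEARTEXT), ("half-fixed", HALF_FIXED), ("remediated", REMEDIATED)):
        print(name, audit_ftplib(src) or ["no findings"])
```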
Alternatives to ftplib
There are a number of alternatives to ftplib that provide security features. These alternatives include:
- Paramiko: Paramiko is a Python module that provides secure access to SSH and SFTP servers. Paramiko uses encryption to protect data transmitted over the network.
- Twisted: Twisted is a Python framework that provides a number of network protocols, including SSH. Twisted can be used to create secure SFTP clients and servers.
See also
- ftplib — FTP protocol client
- CWE-319: Cleartext Transmission of Sensitive Information
- Paramiko
- Twisted
New in version 0.1.0