ftplib — cleartext

Cleartext Transmission of Sensitive Information in the ftplib Module

The Python module ftplib provides a number of functions for accessing FTP servers. However, the plain FTP class provides no transport security: everything it sends over the network, including the username and password passed to login(), travels in cleartext, where anyone able to observe the traffic can read it.

The Python module ftplib should not be used for accessing FTP servers that hold sensitive data. Several alternatives to ftplib provide transport security, and these should be used instead when sensitive data is involved.

Example

ftplib_ftp_login.py
import ftplib


# Plain FTP: the control connection is not encrypted.
ftp = ftplib.FTP("ftp.us.debian.org")
# USER/PASS are sent in cleartext; this is what the rule flags.
ftp.login("user", "password")

ftp.cwd("debian")
ftp.retrlines("LIST")

ftp.quit()
Example Output
> precli tests/unit/rules/python/stdlib/ftplib/examples/ftplib_ftp_login.py
⚠️  Warning on line 4 in tests/unit/rules/python/stdlib/ftplib/examples/ftplib_ftp_login.py
PY003: Cleartext Transmission of Sensitive Information
The FTP protocol can transmit data in cleartext without encryption.

⛔️ Error on line 5 in tests/unit/rules/python/stdlib/ftplib/examples/ftplib_ftp_login.py
PY003: Cleartext Transmission of Sensitive Information
The 'ftplib.FTP.login' function will transmit the password argument in cleartext.

Remediation

If the FTP protocol must be used and sensitive data will be transferred, secure the connection with the FTP_TLS class. It is also important to call prot_p() after logging in, so that the data connection (directory listings and file transfers) is protected as well as the control connection.

ftplib_ftp_login.py
import ftplib


# FTP_TLS upgrades the control connection with AUTH TLS before login.
ftp = ftplib.FTP_TLS("ftp.us.debian.org")
ftp.login("user", "password")
# PROT P: encrypt the data connection used by cwd/retrlines as well.
ftp.prot_p()

ftp.cwd("debian")
ftp.retrlines("LIST")

ftp.quit()
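
As an added example (not part of this rule page or of precli itself), the remediation carried one step further: FTP_TLS encrypts the channel, but when no context argument is given it uses a context that does not verify the server certificate, so the client below passes an explicit verifying context, refuses to log in without one, and calls prot_p() before any data transfer. The host and credentials are placeholders.

```python
import ftplib
import ssl

# Placeholder values, constructed for this example; replace with real ones.
HOST = "ftp.example.test"
USER = "user"
PASSWORD = "password"


def hardened_tls_context() -> ssl.SSLContext:
    # FTP_TLS falls back to an unverified context when none is passed, so this
    # explicit one is what makes the server's certificate actually be checked.
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_client() -> ftplib.FTP_TLS:
    # No host given, so nothing is sent yet; connect() runs in list_dir().
    return ftplib.FTP_TLS(context=hardened_tls_context())


def default_client() -> ftplib.FTP_TLS:
    # What omitting context= gives you, as in the remediation snippet above.
    return ftplib.FTP_TLS()


def is_verified(ftp: ftplib.FTP_TLS) -> bool:
    """True when the client's context checks the certificate and hostname."""
    ctx = ftp.context
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def list_dir(path: str, ftp=None) -> list[str]:
    """Log in over TLS, protect the data channel, and return the LIST lines."""
    if ftp is None:
        ftp = make_client()
    if not is_verified(ftp):
        raise ValueError("refusing to log in over an unverified TLS context")
    ftp.connect(HOST, 21)
    ftp.login(USER, PASSWORD)  # FTP_TLS.login issues AUTH TLS before USER/PASS
    ftp.prot_p()               # PROT P: the data connection is encrypted too
    lines: list[str] = []
    try:
        ftp.cwd(path)
        ftp.retrlines("LIST", lines.append)
    finally:
        ftp.quit()
    return lines
```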

Alternatives to ftplib

There are a number of alternatives to ftplib that provide security features. These alternatives include:

  • Paramiko: Paramiko is a Python module that provides secure access to SSH and SFTP servers. Paramiko uses encryption to protect data transmitted over the network.

  • Twisted: Twisted is a Python framework that provides a number of network protocols, including SSH. Twisted can be used to create secure SFTP clients and servers.

Default Configuration

enabled = true
level = "warning"

See also

New in version 0.1.0