Cleartext transmission of sensitive information
Description
FTP allows for unencrypted file transfers. Consider using an encrypted alternative.
Examples
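Insecure Code
```php
$ftp = ftp_connect('example.com');
```
Secure Code
```php
$session = ssh2_connect('example.com', 22); // authenticate this session before requesting SFTP
$sftp = ssh2_sftp($session);
```
Remediation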
Use an encrypted alternative to FTP, such as SFTP or FTPS, to protect sensitive information during transmission.
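To find the call sites that still need this change, the sketch below flags direct calls to `ftp_connect()` with PHP's tokenizer, so mentions in comments, strings and method calls are not reported. It is an added example, not code from this rule or from phpcs-security-audit; the function names `findCleartextFtp` and `neighbor` and the `$sample` source are constructed for illustration.

```php
<?php
// Added example: report direct ftp_connect() calls (CWE-319) in PHP source.

/** Nearest token before/after $i that is not whitespace or a comment. */
function neighbor(array $tokens, int $i, int $step)
{
    for ($j = $i + $step; isset($tokens[$j]); $j += $step) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return $t;
    }
    return null;
}

/** Return the line numbers of every direct call to ftp_connect(). */
function findCleartextFtp(string $source): array
{
    $tokens = token_get_all($source);
    // Tokens that mean the name is a method call or a definition, not the built-in.
    $skip = ['T_OBJECT_OPERATOR', 'T_NULLSAFE_OBJECT_OPERATOR', 'T_DOUBLE_COLON', 'T_FUNCTION'];
    $lines = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            continue;
        }
        // token_name() keeps this working on PHP 7, where T_NAME_FULLY_QUALIFIED is undefined.
        $isName = in_array(token_name($tok[0]), ['T_STRING', 'T_NAME_FULLY_QUALIFIED'], true);
        // Function names are case-insensitive; a leading "\" is the global namespace.
        if (!$isName || strcasecmp(ltrim($tok[1], '\\'), 'ftp_connect') !== 0) {
            continue;
        }
        $prev = neighbor($tokens, $i, -1);
        $prevName = is_array($prev) ? token_name($prev[0]) : '';
        if (neighbor($tokens, $i, 1) === '(' && !in_array($prevName, $skip, true)) {
            $lines[] = $tok[2];
        }
    }
    return $lines;
}

// Constructed sample source: only the calls on its lines 4 and 7 are plaintext FTP.
$sample = "<?php\n// ftp_connect('in-a-comment.example');\n"
    . "\$note = \"ftp_connect('in-a-string.example')\";\n\$ftp = ftp_connect('example.com');\n"
    . "\$ftps = ftp_ssl_connect('example.com');\n\$mock->ftp_connect('example.com');\n"
    . "\$conn = \\FTP_Connect ('example.com', 21);\n";
foreach (findCleartextFtp($sample) as $line) {
    echo "line $line: ftp_connect() transfers data unencrypted (CWE-319)\n";
}
```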
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0751 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-319 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | ftp, encryption |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |
References
- https://www.php.net/manual/en/intro.ftp.php
- https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php