Security issues in FTP


Directory Browsing with PHP.

The case of the missing errors.

compiling with SSL.

Send your password in clear text

The biggest problem with FTP is that the server can only handle usernames and passwords in plain text. This is one of the reasons why the root account cannot be used for FTP access on most servers. The same applies for telnet.

FTP is not the only protocol that sends everything in the clear, POP, IMAP, Jabber are some other equally guilty protocols. The difference however is that FTP is very commonly used to upload contents to various kinds of servers including webservers. Someone who sniffs your mail server might read your private mail, but someone who sniffs your FTP password can deface your website. Matters have not been helped by the fact that some FTP servers are notoriusly buggy.

For these reasons there are various alternatives including Secure FTP (SFTP), which despite the name is quite different from FTP. SFTP applies encryption on all messages between the client and the server. There is also another alternative FTPS. Losely speaking we can think of FTPS being to FTP what HTTPS is to HTTP.

Usernames and passwords are not the only things that are sent over clear text. The files themselves are uploaded or downloaded without any encryption at all. That online store you buy your T-shirts from might give you an HTTPS page to enter your credit card, and their accountants maybe downloading the card details over FTP!

Having said all that this article is not intended to be an indepth study of cryptography, rather it's intended to give you a small amount of background information as we work towards building a FTP client using PHP.