How to remediate – FTP Credentials Disclosure

1. Introduction

FTP Credentials Disclosure is a vulnerability where FTP configuration files on a web server are publicly accessible. These files can contain sensitive information like usernames, passwords, and host details used to access the FTP server. This could allow attackers to gain unauthorized access to content that should be private, potentially impacting confidentiality, integrity, and availability of data stored on the FTP server.

2. Technical Explanation

The vulnerability occurs because web servers are configured to serve files related to FTP software, which inadvertently exposes credentials or host information. An attacker can simply browse these configuration files using a standard web browser. The primary risk is unauthorized access to the FTP server and its data. This affects systems running web servers with publicly accessible FTP configurations.

• Root cause: Publicly accessible FTP configuration files are present on the web server.
• Exploit mechanism: An attacker browses the web server for files like ftp.conf or similar, and extracts credentials from them. For example, an attacker could access a file containing usernames and passwords used to connect to the FTP server.
• Scope: Web servers running with exposed FTP configurations are affected.

3. Detection and Assessment

To confirm vulnerability, check for publicly accessible FTP configuration files. A quick check involves browsing the web server’s file system. For a thorough assessment, use a web scanner to identify such files.

• Quick checks: Use a web browser to navigate to common locations like http://yourserver/ftp.conf or http://yourserver/config/ftp.conf and check if the file is accessible.
• Scanning: Nessus plugin ID 10423 can identify publicly exposed FTP configuration files. This is an example only, other scanners may also provide similar checks.
• Logs and evidence: Check web server access logs for requests to FTP configuration files (e.g., ftp.conf). Look for HTTP status codes 200 (OK) indicating successful retrieval of the file.

curl -I http://yourserver/ftp.conf

4. Solution / Remediation Steps

Remove publicly accessible FTP configuration files to fix this issue. This involves deleting or restricting access to these files on the web server.

4.1 Preparation

• Ensure you have appropriate permissions to delete or modify files in the web server’s document root. A roll back plan involves restoring the backed-up configuration files.
• A change window may be needed depending on your organization’s policies. Approval from a system administrator might be necessary.

4.2 Implementation

1. Step 1: Identify all FTP configuration files in the web server’s document root (e.g., ftp.conf, ftpd.ini).
2. Step 2: Delete the identified FTP configuration files from the web server’s file system using a command like rm /path/to/ftp.conf.
3. Step 3: Verify that the files are no longer accessible via a web browser or other means.

4.3 Config or Code Example

Before

# /var/www/html/ftp.conf
username=testuser
password=testpassword
host=ftpserver.example.com

After

# File removed - no ftp.conf present in /var/www/html/

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue. Least privilege limits the impact of a compromised account, while secure defaults ensure configurations are not unnecessarily exposed. Regular patching helps address known vulnerabilities in FTP software.

• Practice 1: Implement least privilege to restrict access to sensitive files and directories on the web server.
• Practice 2: Use secure default configurations for all services, minimizing unnecessary exposure of credentials or configuration data.

4.5 Automation (Optional)

#!/bin/bash
# Script to remove FTP configuration files from web server document root
find /var/www/html -name "ftp.conf" -delete
echo "FTP configuration files removed."

5. Verification / Validation

Confirm the fix by checking that the FTP configuration files are no longer accessible via a web browser. Re-run the earlier detection methods to verify the issue is resolved. Perform a simple service smoke test to ensure basic functionality remains intact.

• Post-fix check: Use curl -I http://yourserver/ftp.conf and expect an HTTP status code of 404 (Not Found).
• Re-test: Repeat the web browser access test from Step 3 in Detection and Assessment to confirm files are inaccessible.
• Smoke test: Verify that other website functionality, such as accessing static pages or submitting forms, still works correctly.
• Monitoring: Monitor web server logs for any unexpected errors related to file access.

curl -I http://yourserver/ftp.conf

6. Preventive Measures and Monitoring

Update security baselines to include restrictions on publicly accessible FTP configuration files. Implement checks in CI or deployment pipelines to prevent the same issue from recurring. Establish a regular patch review cycle for all server software.

• Baselines: Update your web server security baseline to explicitly deny access to FTP configuration files.
• Pipelines: Add static analysis tools (SAST) in your CI/CD pipeline to scan for exposed credentials or sensitive data in configuration files.
• Asset and patch process: Implement a monthly patch review cycle for all server software, including web servers and FTP services.

7. Risks, Side Effects, and Roll Back

• Roll back: Restore the backed-up configuration directory to its original state.

8. References and Resources

• Vendor advisory or bulletin: No specific vendor advisory available for this general configuration issue.
• NVD or CVE entry: No specific CVE associated with this general configuration issue.
• Product or platform documentation relevant to the fix: Apache Security Documentation