php.lang.security.ftp-use.ftp-use

Author: semgrep
Download count: 4,191

FTP allows for unencrypted file transfers. Consider using an encrypted alternative.


Definition

rules:
  - id: ftp-use
    patterns:
      - pattern: $FUNC(...);
      - metavariable-regex:
          metavariable: $FUNC
          regex: ftp_.+
    message: FTP allows for unencrypted file transfers. Consider using an encrypted
      alternative.
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      references:
        - https://www.php.net/manual/en/intro.ftp.php
        - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php
      category: security
      technology:
        - php
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - php
    severity: ERROR

Examples

ftp-use.php

<?php

// ruleid: ftp-use
$conn_id = ftp_connect($ftp_server);

// ruleid: ftp-use
$login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);

// ok: ftp-use
ssh2_scp_send($connection, '/local/filename', '/remote/filename', 0644);
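As an added example, not part of this rule or its test file, the encrypted replacement the rule message points to: an SFTP upload over the PECL ssh2 extension that takes the place of the flagged ftp_connect()/ftp_login() calls and pins the server host key before authenticating. The host, credentials, file paths and expected fingerprint are placeholders.

```php
<?php
// Added example, not from the Semgrep rule or its test file.
// Replaces ftp_connect()/ftp_login() with an SSH channel (PECL ssh2).
// Host, user, password, paths and the pinned fingerprint are placeholders.

function sftp_upload(
    string $host,
    string $user,
    string $pass,
    string $localFile,
    string $remoteFile,
    string $expectedFingerprint
): bool {
    $connection = ssh2_connect($host, 22);
    if ($connection === false) {
        throw new RuntimeException("Could not connect to $host");
    }

    // Pin the server host key: an encrypted channel to the wrong peer
    // is no improvement over cleartext FTP.
    $fingerprint = ssh2_fingerprint(
        $connection,
        SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX
    );
    if (!hash_equals($expectedFingerprint, $fingerprint)) {
        throw new RuntimeException("Host key mismatch for $host: $fingerprint");
    }

    if (!ssh2_auth_password($connection, $user, $pass)) {
        throw new RuntimeException("Authentication failed for $user@$host");
    }

    // Same call the rule treats as "ok": the file travels inside the SSH session.
    return ssh2_scp_send($connection, $localFile, $remoteFile, 0600);
}

// Placeholder values; the fingerprint is whatever your server actually presents.
$ok = sftp_upload(
    'sftp.example.invalid',
    'deploy',
    getenv('SFTP_PASSWORD') ?: '',
    '/local/filename',
    '/remote/filename',
    'PINNED-SHA1-FINGERPRINT-PLACEHOLDER'
);
```

Note that the rule's regex `ftp_.+` also matches `ftp_ssl_connect()`, PHP's explicit-TLS FTP connection, so code already using FTPS is reported too and those findings need triage rather than a rewrite.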