Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • Impact:
      Unknown 'null' severity
    • Likelihood:
      Unknown 'null' severity

      Description

      Clear-text protocols as ftp, telnet or non secure http are lacking encryption of transported data. They are also missing the capability to build an authenticated connection. This mean that any attacker who can sniff traffic from the network can read, modify or corrupt the transported content. These protocol are not secure as they expose applications to a large range of risk:

      • Sensitive data exposure
      • Traffic redirected to a malicious endpoint
      • Malware infected software update or installer
      • Execution of client side code
      • Corruption of critical information

      Note also that using the http protocol is being deprecated by major web browser.

      In the past, it has led to the following vulnerabilities:

      This rule raises an issue when

      • a string starts with http://, ftp:// or telnet://. (case insensitive)
      • the telnetlib.Telnet class is instantiated
      • the ftplib.FTP class is instantiated

      Exceptions

      Exception: the url domain component is a loopback address.

      Sensitive Code Example

      url = "http://exemple.com" # Sensitive
      url = "ftp://anonymous@exemple.com" # Sensitive
      url = "telnet://anonymous@exemple.com" # Sensitive
      
      
      import telnetlib
      cnx = telnetlib.Telnet("towel.blinkenlights.nl") # Sensitive
      
      
      import ftplib
      cnx = ftplib.FTP("194.244.111.175") # Sensitive
      

      Compliant Solution

      url = "http://exemple.com" # Noncompliant
      url = "ftp://anonymous@exemple.com" # Noncompliant
      url = "ssh://anonymous@exemple.com" # Noncompliant
      
      import ftplib
      cnx = ftplib.FTP_TLS("secure.example.com") # Compliant
      

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              pierre-loup.tristant Pierre-Loup Tristant
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: