Test ID: | 1.3.6.1.4.1.25623.1.0.108346 |
Category: | Web application abuses |
Title: | SCP/SFTP/FTP Sensitive Data Exposure via Config File (HTTP) |
Summary: | The script attempts to identify SCP/SFTP/FTP configuration files containing sensitive data at the remote web server. |
Description: | Summary: The script attempts to identify SCP/SFTP/FTP configuration files containing sensitive data at the remote web server.

Vulnerability Insight: Currently the script is checking for the following files:

- sftp-config.json (Multiple clients, e.g. Sublime SFTP)
- recentservers.xml, sitemanager.xml, filezilla.xml, FileZilla.xml (FileZilla)
- WS_FTP.ini, ws_ftp.ini, WS_FTP.INI (WS_FTP)
- WinSCP.ini, winscp.ini (WinSCP)
- .vscode/sftp.json (sftp extension for vs code)
- .vscode/ftp-sync.json (Ftp Sync plugin for Visual Studio Code)
- .ftpconfig, .remote-sync.json, deployment-config.json (Remote FTP, Remote Sync and SFTP-Deployment packages for Atom.io)
- ftpsync.settings (FTPSync for Sublime Text)

Vulnerability Impact: Based on the information provided in these files an attacker might be able to gather additional info and/or sensitive data like usernames and passwords.

Solution: A SCP/SFTP/FTP configuration file shouldn't be accessible via a web server. Restrict access to it or remove it completely.

CVSS Score: 5.0

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N |
Copyright | Copyright (C) 2018 Greenbone Networks GmbH |