issues | June 03, 2018 | 2 min read

How to solve - Apache Ftp Client library is printing password on console

TL;DR

Apache FTPSClient logs credentials via its ProtocolCommandListener; remove or customize the listener to prevent username and password from being printed to console or logs.


Problem Statement

Apache provides many libraries of common utility functions for Java. One of them is the FTP library (Apache Commons Net), which offers a convenient API for FTP and FTPS calls. The reference for the library is: Apache Ftp

The problem shows up when using FTPS. If the client has a verbose command listener attached, calling the login method of this library prints the username and password to the console, which is a serious security concern. It also writes the credentials into the application logs, where anyone with read access to those logs can recover them.

Example

```java
import java.io.OutputStreamWriter;
import java.io.PrintWriter;

import org.apache.commons.net.PrintCommandListener;
import org.apache.commons.net.ftp.FTPClient;
import org.apache.commons.net.ftp.FTPSClient;
import org.apache.commons.net.util.TrustManagerUtils;

// host, username, password and config are supplied by the surrounding code
FTPClient ftpClient = null;
FTPSClient ftps = new FTPSClient("TLS", false);

// accept all for now (this disables server certificate validation; replace before production)
ftps.setTrustManager(TrustManagerUtils.getAcceptAllTrustManager());

// verbose: PrintCommandListener echoes every command and reply, including USER and PASS, to stdout
ftps.addProtocolCommandListener(
    new PrintCommandListener(new PrintWriter(new OutputStreamWriter(System.out, "UTF-8"), true)));

ftpClient = ftps;

// set connect timeout
ftpClient.setConnectTimeout(config.getConnectTimeout());
ftpClient.connect(host);

// SSL mode: protect the data channel as well
ftps.execPROT("P");

if (ftpClient.login(username, password)) {
    // successfully logged in
} else {
    // error condition
}
```

Example output:

```
220-Isilon OneFS v7.2.1.1
220 
AUTH TLS
234 Proceed with negotiation.
PROT P
200 PROT now Private.
USER USERNAME
331 Please specify the password.
PASS PASSWORD
```

The Solution

As a matter of basic security hygiene, passwords must never appear in logs. The fix needs only a small change to the code: the PrintCommandListener is replaced by a ProtocolCommandListener whose callbacks do nothing, so the client no longer echoes the USER and PASS commands. See the code below:

```java
import org.apache.commons.net.ProtocolCommandEvent;
import org.apache.commons.net.ProtocolCommandListener;
import org.apache.commons.net.ftp.FTPClient;
import org.apache.commons.net.ftp.FTPSClient;
import org.apache.commons.net.util.TrustManagerUtils;

// host, username, password and config are supplied by the surrounding code
FTPClient ftpClient = null;
FTPSClient ftps = new FTPSClient("TLS", false);

// accept all for now (this disables server certificate validation; replace before production)
ftps.setTrustManager(TrustManagerUtils.getAcceptAllTrustManager());

// no-op listener: neither commands nor replies are written anywhere
ftps.addProtocolCommandListener(new ProtocolCommandListener() {
    @Override
    public void protocolReplyReceived(ProtocolCommandEvent event) { }

    @Override
    public void protocolCommandSent(ProtocolCommandEvent event) { }
});

ftpClient = ftps;

// set connect timeout
ftpClient.setConnectTimeout(config.getConnectTimeout());

ftpClient.connect(host);

// SSL mode: protect the data channel as well
ftps.execPROT("P");

if (ftpClient.login(username, password)) {
    // successfully logged in
} else {
    // error condition
}
```

Result

Now the previous mess no longer appears in the console or in the logs.

Note: The above code is just to show the problem of passwords appearing in the console. I will write a complete, better implementation of the ftp and ftps apis.
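The no-op listener above throws away the whole protocol trace, which is often the one thing you want when an FTPS transfer fails in production. The following listener is an added example, not code from the original post or from Apache Commons Net: it keeps the command and reply trace but masks the argument of PASS and ACCT, so the password never reaches stdout or a log file. The class name and the masking policy are my own choices; ProtocolCommandListener and ProtocolCommandEvent are the real Commons Net types the post already uses.

```java
import java.io.PrintWriter;
import java.util.Locale;

import org.apache.commons.net.ProtocolCommandEvent;
import org.apache.commons.net.ProtocolCommandListener;

/**
 * Assumed helper (not part of Commons Net): a listener that logs the FTP
 * conversation for troubleshooting without ever writing credentials.
 *
 * Usage, in place of the PrintCommandListener from the post:
 *   ftps.addProtocolCommandListener(
 *       new RedactingCommandListener(new PrintWriter(System.out, true)));
 */
public final class RedactingCommandListener implements ProtocolCommandListener {

    private final PrintWriter out;

    public RedactingCommandListener(PrintWriter out) {
        this.out = out;
    }

    /**
     * Builds the line written for an outgoing command. PASS carries the
     * password and ACCT the account string, so their arguments are masked;
     * every other command (USER included, which is useful for debugging)
     * is written as sent.
     */
    static String redactCommand(String command, String rawLine) {
        String cmd = command == null ? "" : command.toUpperCase(Locale.ROOT);
        if (cmd.equals("PASS") || cmd.equals("ACCT")) {
            return cmd + " ********";
        }
        return rawLine == null ? cmd : rawLine.trim();
    }

    @Override
    public void protocolCommandSent(ProtocolCommandEvent event) {
        // getCommand() is the verb ("PASS"), getMessage() the full line with its argument
        out.println("> " + redactCommand(event.getCommand(), event.getMessage()));
    }

    @Override
    public void protocolReplyReceived(ProtocolCommandEvent event) {
        // Server replies never echo the password, so they can be written as received
        out.println("< " + event.getMessage().trim());
    }
}
```

With this listener the trace from the post would read `> PASS ********` instead of `> PASS PASSWORD`, while the AUTH, PROT and reply lines stay intact for diagnosis. Commons Net 3.0 and later also ship a two-argument constructor, `PrintCommandListener(PrintWriter writer, boolean suppressLogin)`, whose `suppressLogin=true` masks the argument of the login commands; if you are on such a version, that built-in option is the smaller change, but it is worth confirming the masking in a test environment before trusting it with logs that other people can read.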
