
[bug] skip tls verify in ftps

Open nyxfqq opened this issue 7 months ago • 2 comments

Description of the bug

In the Init function of index.go located in github.com/mickael-kerjean/filestash/server/plugin/plg_backend_ftp, the FTPS (FTP over TLS) connections are being established with the InsecureSkipVerify flag set to true. This configuration instructs the client to bypass the validation of the server's TLS certificate, which is inherently insecure and can expose the connection to man-in-the-middle attacks.

Step by step instructions to reproduce the bug

  1. Navigate to the server/plugin/plg_backend_ftp/index.go file.
  2. Within the Init function, locate the conditional statement that configures the tls.Config when withTLS is true.
  3. You'll find the line that sets InsecureSkipVerify to true.
  4. Run the application and connect to an FTPS server. Note that the TLS connection will not validate the server's certificate.

Observed behavior

The FTPS connection is established without validating the server's TLS certificate, which means the connection is susceptible to interception and tampering by third parties.

Expected behavior

The TLS configuration should include a secure validation of the server's certificate. At minimum, there should be an option to enable or disable certificate verification based on the user's preference or security requirements. This would ensure that the FTPS connections are properly secured and not vulnerable to security threats due to misconfigured TLS settings.

nyxfqq avatar Jul 08 '24 08:07 nyxfqq
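The following is an added example, not code from filestash or from the reporter. It shows the behaviour the issue describes and the opt-in verification the "Expected behavior" section asks for: a hypothetical `ftpsTLSConfig(host, skipVerify)` builder stands in for the plugin's hard-coded `tls.Config`, and `handshakeErr` connects to a loopback TLS server presenting a constructed self-signed certificate (standing in for any untrusted server, including an interceptor's), so the same connection succeeds with `InsecureSkipVerify: true` and is rejected once verification is on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// ftpsTLSConfig is a hypothetical fix for the issue: verification stays on unless the caller opts out.
func ftpsTLSConfig(host string, skipVerify bool) *tls.Config {
	return &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12, InsecureSkipVerify: skipVerify}
}

// must aborts on test-setup errors so handshakeErr reports only the handshake outcome.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert is constructed test data: a certificate no trusted CA signed, which a verifying client must reject.
func selfSignedCert(host string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshakeErr dials a loopback TLS server presenting the untrusted certificate; nil means the client accepted it.
func handshakeErr(skipVerify bool) error {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{selfSignedCert("localhost")}}))
	defer ln.Close()
	go func() { // server side: complete one handshake, then hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), ftpsTLSConfig("localhost", skipVerify))
	if conn != nil {
		conn.Close()
	}
	return err // verification on: "x509: certificate signed by unknown authority"
}
```

With `skipVerify` false the client never learns anything about the peer beyond "untrusted", which is the point: the FTP client library's TLS dial option would receive this config instead of one with `InsecureSkipVerify` fixed to true.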