Quick Summary
Anonymous FTP Access Enabled is a network service misconfiguration where the FTP server allows users to authenticate using the username anonymous without requiring valid credentials. This may allow unauthorized users to browse directories, download sensitive files, and potentially upload malicious content, leading to data exposure and increased security risk.
Vulnerability Classification
| Field | Value |
|---|---|
| Vulnerability Type | FTP Service Misconfiguration |
| CWE ID | CWE-284 – Improper Access Control |
| CVE ID | N/A (Configuration Issue) |
| CVSS 4.0 Base Score | 7.1 (High) |
| CVSS Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L |
| OWASP Category | A05:2021 – Security Misconfiguration |
| Attack Surface | Internal / External Network |
Affected Asset / Environment
- Service: FTP
- Default Port: 21
- Common Implementations: vsftpd, ProFTPD, FileZilla Server, Microsoft IIS FTP
- Testing Method: Black-box Network Assessment
- Tools Used: Nmap, FTP Client
Description
The assessor observed that the FTP service running on the target system permits authentication using the username anonymous without enforcing credential validation. During testing, it was possible to establish an FTP session and retrieve directory listings without valid credentials.
FTP services are commonly used for file sharing. However, when anonymous access is enabled, internal directories and files may become accessible to unauthorized users. In some configurations, write permissions may also be enabled, allowing file uploads.
Because traditional FTP transmits data in cleartext, this configuration further increases the risk of credential interception and sensitive data exposure.
Root Cause
The issue occurs because of insecure FTP configuration settings in which anonymous login is either enabled intentionally or left active after a default installation.
Common root causes include:
- Anonymous authentication enabled in FTP configuration
- Default service hardening not performed
- Improper directory permission configuration
- Lack of IP-based access restriction
- Absence of firewall-level filtering
Business Impact
Exploitation of this vulnerability may allow unauthorized access to sensitive organizational data such as configuration backups, internal documents, or system logs.
If write access is permitted, attackers might upload malicious content or use the server as a staging location for further attacks. This may result in compliance violations, reputational damage, financial loss, and increased exposure to ransomware or lateral movement attacks.
Technical Impact
An attacker can:
- Authenticate without valid credentials
- Enumerate directory structures
- Download accessible files
- Identify sensitive artifacts
- Upload malicious files if write permission exists
- Intercept FTP traffic due to lack of encryption
This significantly increases the attack surface of the FTP service.
Proof of Concept (PoC)
Step 1: Identify FTP Service
```
nmap -sV -p 21 <target-ip>
```
If an FTP service is detected on port 21, proceed to authentication testing.
Step 2: Check Anonymous Login Using Nmap Script
```
nmap --script ftp-anon -p 21 <target-ip>
```
If the output indicates “Anonymous FTP login allowed,” the system is vulnerable.
Step 3: Attempt Manual Anonymous Login
```
ftp <target-ip>
```
When prompted:
```
Name: anonymous
Password: anonymous
```
If successful, the server replies:
```
230 Login successful.
```
Step 4: Enumerate Directory
Inside the FTP session:
```
ls
```
If a directory listing is displayed without authentication enforcement, the vulnerability is confirmed.
Step 5: Test File Download
```
get filename.txt
```
A successful download confirms unauthorized read access.
Step 6: Test File Upload (If Permitted)
```
put test.txt
```
If the upload succeeds, anonymous write access is enabled, which increases the severity.
Exploitation Prerequisites
- Network access to port 21
- Anonymous login enabled
- No IP-based restriction
- Directory permissions not properly restricted
Remediation
It is recommended that anonymous FTP access be disabled unless explicitly required for business use.
Recommended actions:
- Disable anonymous authentication in FTP configuration
- Restrict FTP access to authenticated users only
- Implement SFTP or FTPS instead of plain FTP
- Restrict FTP service exposure via firewall
- Apply proper file system permission controls
- Regularly audit FTP configuration settings
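The root causes listed above (anonymous authentication left on, default hardening not performed) and the "regularly audit FTP configuration" action can both be checked offline against the server's configuration file. The following script is an added example written for this finding, not part of the original report or of any FTP project; it targets vsftpd because that is the most common implementation named above. The option names are real vsftpd.conf keys and the defaults it assumes are vsftpd's compiled-in defaults (notably, anonymous_enable defaults to YES when the key is absent); the two sample configurations are constructed.

```python
"""Audit a vsftpd.conf for anonymous-access exposure (added example; not from the report).

The option names are real vsftpd.conf keys and the defaults noted below are
vsftpd's compiled-in defaults; the two sample configurations are constructed.
"""
from dataclasses import dataclass, field

# Constructed sample: a default-looking vsftpd.conf that leaves anonymous read
# and write access enabled and runs without TLS.
SAMPLE_WEAK_CONF = """\
# vsftpd configuration (constructed sample)
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
ssl_enable=NO
"""

# Constructed sample: the hardened counterpart (anonymous off, TLS enforced).
SAMPLE_HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

# vsftpd's compiled-in defaults for the keys this audit looks at. Because
# anonymous_enable defaults to YES, a config that never mentions it still
# allows anonymous logins.
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "ssl_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Return {option: value} from key=value lines; blanks and # comments are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def _yes(opts, key):
    """Boolean view of an option, falling back to vsftpd's default when it is absent."""
    return opts.get(key, DEFAULTS[key]).upper() == "YES"


@dataclass
class AuditResult:
    anonymous_enabled: bool
    anonymous_write: bool
    tls_enabled: bool
    findings: list = field(default_factory=list)


def audit_vsftpd(text):
    """Evaluate the settings behind this finding and return an AuditResult."""
    opts = parse_vsftpd_conf(text)
    anon = _yes(opts, "anonymous_enable")
    # Anonymous writes need the global write switch plus one of the anon_* write options.
    anon_write = anon and _yes(opts, "write_enable") and (
        _yes(opts, "anon_upload_enable")
        or _yes(opts, "anon_mkdir_write_enable")
        or _yes(opts, "anon_other_write_enable")
    )
    tls = _yes(opts, "ssl_enable")

    findings = []
    if anon:
        how = "is YES" if "anonymous_enable" in opts else "is unset (vsftpd defaults it to YES)"
        findings.append(f"anonymous_enable {how}")
    if anon_write:
        findings.append("anonymous users may upload, create directories, or modify files")
    if not tls:
        findings.append("ssl_enable is NO: credentials and data travel in cleartext")
    return AuditResult(anon, anon_write, tls, findings)


if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_WEAK_CONF), ("hardened", SAMPLE_HARDENED_CONF)):
        result = audit_vsftpd(conf)
        print(f"{name}: {result.findings or ['no findings']}")
```

Run it against a copy of the live /etc/vsftpd.conf during the periodic configuration review; the "unset" case is the one most often missed, since a file that looks hardened but never states anonymous_enable=NO still accepts anonymous logins on a stock build.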
Detection and Monitoring
- Monitor FTP logs for anonymous login attempts
- Disable directory listing if not required
- Deploy IDS/IPS rules for abnormal FTP activity
- Conduct periodic configuration reviews
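To make the first monitoring item concrete, the following is an added example (not from the original report or from any FTP server project) that parses vsftpd-style log lines and flags anonymous logins, downloads and writes per source IP. The sample lines are constructed to follow the vsftpd.log layout (timestamp, [pid N], [user], OK/FAIL, EVENT: Client "ip", ...); the assumption that MKDIR, DELETE and RENAME entries follow the same layout as UPLOAD should be checked against your own server's output before the pattern is relied on.

```python
"""Flag anonymous FTP activity in vsftpd-style logs (added example; not from the report).

The sample lines are constructed to follow the vsftpd.log layout
(timestamp [pid N] [user] STATUS EVENT: Client "ip", ...); verify the pattern
against your own server's log before relying on it.
"""
import re
from collections import defaultdict

# Constructed sample: one anonymous session that reads and then writes, one
# legitimate user session, and one failed anonymous attempt.
SAMPLE_LOG = """\
Mon Mar  4 10:01:02 2024 [pid 1201] CONNECT: Client "10.0.0.5"
Mon Mar  4 10:01:03 2024 [pid 1200] [anonymous] OK LOGIN: Client "10.0.0.5", anon password "mozilla@example.com"
Mon Mar  4 10:01:05 2024 [pid 1202] [anonymous] OK DOWNLOAD: Client "10.0.0.5", "/pub/backup.tar.gz", 4096 bytes, 120.00Kbyte/sec
Mon Mar  4 10:01:09 2024 [pid 1202] [anonymous] OK UPLOAD: Client "10.0.0.5", "/pub/incoming/test.txt", 12 bytes, 1.00Kbyte/sec
Mon Mar  4 10:02:00 2024 [pid 1300] CONNECT: Client "10.0.0.9"
Mon Mar  4 10:02:01 2024 [pid 1299] [alice] OK LOGIN: Client "10.0.0.9"
Mon Mar  4 10:02:04 2024 [pid 1301] [alice] OK DOWNLOAD: Client "10.0.0.9", "/home/alice/notes.txt", 200 bytes, 50.00Kbyte/sec
Mon Mar  4 10:03:00 2024 [pid 1400] [anonymous] FAIL LOGIN: Client "10.0.0.12"
"""

LINE_RE = re.compile(
    r'^(?P<ts>.+?\d{4}) \[pid \d+\] '          # timestamp and worker pid
    r'(?:\[(?P<user>[^\]]+)\] )?'             # [user] is absent on CONNECT lines
    r'(?:(?P<status>OK|FAIL) )?'              # OK/FAIL precedes LOGIN/DOWNLOAD/UPLOAD
    r'(?P<event>[A-Z]+): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]*)")?'               # transfer lines carry the file path next
)

# Events that change server state. UPLOAD is in the sample; the others are
# assumed to be logged with the same layout.
WRITE_EVENTS = {"UPLOAD", "MKDIR", "DELETE", "RENAME"}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_anonymous(log_text):
    """Per source IP, count anonymous logins, failed logins, downloads and writes."""
    stats = defaultdict(lambda: {"login": 0, "fail_login": 0, "download": 0, "write": 0, "paths": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] != "anonymous":
            continue
        s = stats[rec["ip"]]
        if rec["event"] == "LOGIN":
            s["login" if rec["status"] == "OK" else "fail_login"] += 1
        elif rec["status"] == "OK" and rec["event"] == "DOWNLOAD":
            s["download"] += 1
            s["paths"].append(rec["path"])
        elif rec["status"] == "OK" and rec["event"] in WRITE_EVENTS:
            s["write"] += 1
            s["paths"].append(rec["path"])
    return dict(stats)


def alerts(stats):
    """Turn per-IP counts into (severity, ip, reason) tuples, highest severity first.

    Once anonymous access is supposed to be disabled, any successful anonymous
    login is worth an alert; an anonymous write means write access is live.
    """
    out = []
    for ip, s in stats.items():
        if s["write"]:
            out.append(("HIGH", ip, f"{s['write']} anonymous write(s); paths touched: {', '.join(s['paths'])}"))
        elif s["login"] or s["download"]:
            out.append(("MEDIUM", ip, f"{s['login']} anonymous login(s), {s['download']} download(s)"))
        elif s["fail_login"]:
            out.append(("LOW", ip, f"{s['fail_login']} failed anonymous login(s)"))
    return sorted(out, key=lambda a: (SEVERITY_ORDER[a[0]], a[1]))


if __name__ == "__main__":
    for sev, ip, why in alerts(summarize_anonymous(SAMPLE_LOG)):
        print(f"[{sev}] {ip}: {why}")
```

Feed the real log through `summarize_anonymous` from a cron job or a SIEM ingestion step; after remediation the expected steady state is that only LOW (failed login) alerts remain, and any MEDIUM or HIGH alert means the anonymous account has been re-enabled or the fix never took effect.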
