

FTP Supports Clear Text Authentication vulnerability reported on PCI compliance test

As of May 2011, hosting a plain unsecured FTP site is a critical (security level 4) vulnerability on the CVSS v2.0 PCI compliance test.

This is not a specific problem with Robo-FTP Server but rather a general prohibition of plain FTP sites on computers that process payment card industry transactions.

Solution #1: Require FTPS

Configure Robo-FTP Server to require FTP connections to be secured with SSL/TLS (also known as FTPS) by following these instructions (note that the specific steps may vary for older/newer versions of the software):

  1. Open the Server Console program to the FTP Server menu.
  2. If the FTP listener is running, click the Stop FTP button.
  3. Switch to the SSL Options tab.
  4. Put a check in the Use SSL checkbox.
  5. Select the Allow Secured Connections Only radio button.
  6. Click the Apply button at the bottom of the SSL Options tab.
  7. Switch back to the General Settings tab.
  8. Click the Start FTP button.

Solution #2: Use SFTP

Configure Robo-FTP Server to only accept connections using the SFTP protocol because it is always encrypted. To accomplish this, open the Server Console program and:

  1. Enable the SFTP server.
  2. Modify user account settings so they can connect with SFTP.
  3. Disable the FTP server.
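To confirm that either solution took effect before re-running the compliance scan, the following is an added example (not part of this article or of Robo-FTP Server) that opens a control connection, checks whether AUTH TLS is offered, and checks whether a clear-text USER command is accepted. The host, port and the "pci-check" user name are placeholders, and it assumes a listener configured for secured connections only answers USER with a 5xx reply before TLS is negotiated.

```python
import socket

# Reply codes used below follow RFC 959 / RFC 4217 conventions:
#   234 = AUTH TLS accepted, 230 = logged in, 331 = need password, 5xx = refused.


def parse_reply(lines):
    """Return the 3-digit code of the next FTP reply from a line iterator.

    Handles multi-line replies, which start with 'ddd-' and end with 'ddd '.
    """
    line = next(lines, "")
    code = line[:3]
    if line[3:4] == "-":
        for line in lines:
            if line.startswith(code) and line[3:4] == " ":
                break
    return code


def classify(auth_tls_code, user_code):
    """Turn the two probe results into a verdict on the PCI clear-text finding."""
    ftps_offered = auth_tls_code == "234"
    # 230 or 331 in reply to a plain USER means credentials would travel unencrypted.
    cleartext_login = user_code[:1] in ("2", "3")
    if cleartext_login and ftps_offered:
        return "FAIL: FTPS offered but optional; clear-text login still accepted"
    if cleartext_login:
        return "FAIL: clear-text login accepted, no FTPS offered"
    if ftps_offered:
        return "PASS: login refused until AUTH TLS (secured connections only)"
    return "PASS: clear-text login refused, but AUTH TLS not offered either"


def probe(host, port, command, timeout):
    """Open one control connection, read the banner, send one command, return its code."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="ascii", errors="replace", newline="")
        parse_reply(f)                      # 220 banner
        f.write(command + "\r\n")
        f.flush()
        return parse_reply(f)


def check_cleartext_auth(host, port=21, timeout=5):
    """Probe AUTH TLS and a clear-text USER on separate connections and classify."""
    try:
        auth_code = probe(host, port, "AUTH TLS", timeout)
        user_code = probe(host, port, "USER pci-check", timeout)  # placeholder name, sent in the clear on purpose
    except OSError as exc:
        return f"PASS: no FTP control connection ({exc})"  # e.g. FTP listener disabled (Solution #2)
    return classify(auth_code, user_code)


if __name__ == "__main__":
    import sys
    print(check_cleartext_auth(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```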

Article last updated: 2022-01-11

Tags: Robo-FTP Server, Clear Text, PCI