The FTP directory is publicly accessible and allows listing of its contents. Attackers can browse backup files and download sensitive information or source code archives.
Navigate to the FTP path (/ftp/) in the browser.
The server responds with an auto‑generated directory listing of available files.
Select and download any of the backup files or archives presented.
Exposure of database dumps and configuration files.
Leakage of user data, credentials or internal secrets stored in backups.
Facilitation of further attacks by analysing the downloaded source code.
Disable directory listing on production servers.
Require authentication for access to backup directories.
Remove unnecessary files from publicly accessible directories.
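To confirm the remediation took effect, a response body from the /ftp/ path can be checked for an auto-generated index and for backup-like entries. The following is an added example, not part of the original finding; the marker patterns, the suffix list and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Title patterns emitted by common auto-index generators (assumed list, extend as needed).
LISTING_MARKERS = re.compile(r"<title>\s*(index of|listing directory|directory listing)", re.I)
# Suffixes that suggest backups, dumps, archives or configuration files (assumed list).
SENSITIVE_SUFFIXES = (".bak", ".old", ".sql", ".dump", ".zip", ".tar", ".tar.gz",
                      ".tgz", ".7z", ".kdbx", ".yml", ".yaml", ".env", ".conf")

class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

def audit_listing(body: str) -> dict:
    """Report whether a response body is an auto-index and which entries look sensitive."""
    collector = _LinkCollector()
    collector.feed(body)
    names = []
    for href in collector.hrefs:
        path = unquote(href.split("?", 1)[0].split("#", 1)[0])
        name = path.rstrip("/").rsplit("/", 1)[-1]
        if name and name not in (".", ".."):  # skip parent-directory links
            names.append(name)
    is_listing = bool(LISTING_MARKERS.search(body))
    sensitive = sorted(n for n in names if n.lower().endswith(SENSITIVE_SUFFIXES))
    return {"is_listing": is_listing, "entries": names, "sensitive": sensitive if is_listing else []}

# Constructed sample responses (not captured from any real server).
SAMPLE_LISTING = """<html><head><title>Index of /ftp/</title></head><body>
<h1>Index of /ftp/</h1>
<a href="../">../</a>
<a href="/ftp/site-backup.tar.gz">site-backup.tar.gz</a>
<a href="/ftp/db_dump.sql">db_dump.sql</a>
<a href="/ftp/readme.md">readme.md</a>
<a href="/ftp/app.conf.bak">app.conf.bak</a>
</body></html>"""
SAMPLE_DENIED = "<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>"

if __name__ == "__main__":
    print(audit_listing(SAMPLE_LISTING))  # listing still enabled, three sensitive entries
    print(audit_listing(SAMPLE_DENIED))   # expected result once listing is disabled
```

Run it against the body returned for the directory path after each configuration change; a fixed server should yield `is_listing` false and no entries.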