[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml)

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml)
From: "Garrett M. Groff" <groffg@xxxxxxxxxxxxx>
Date: Fri, 18 Apr 2008 15:36:34 -0400

That issue is inherent in the FTP protocol, not FileZilla.

Resolution: set up FTP server to use either SFTP or FTPS.

- G


----- Original Message ----- 
From: "Joey Mengele" <joey.mengele@xxxxxxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxxx>; <hardwick.carl@xxxxxxxxx>
Sent: Friday, April 18, 2008 3:21 PM
Subject: Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords 
are stored in plain text (sitemanager.xml)


>I have noticed a similar, yet much more severe flaw in Filezilla.
> When logging in to a remote server, Filezilla will send the
> password in clear text without encrypting it. This means every
> machine on the internet that it routes through can intercept it.
> Same flaw, much more serious consequences, since, who has access to
> your personal PC anyway?
>
> J
>
> On Fri, 18 Apr 2008 15:09:18 -0400 carl hardwick
> <hardwick.carl@xxxxxxxxx> wrote:
>>A security issue in Filezilla 3.0.9.2 (and previous versions)
>>allows
>>local users to retrieve all saved passwords because they're stored
>>in
>>a plain text sitemanager.xml
>>
>><?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
>><FileZilla3>
>>    <Servers>
>>        <Server>
>>            <Host>ftpspace.domain.com</Host>
>>            <Port>21</Port>
>>            <Protocol>0</Protocol>
>>            <Type>0</Type>
>>            <Logontype>1</Logontype>
>>            <User>user@xxxxxxxxxx</User>
>>            <Pass>I'mAPlainTextPassword</Pass>
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> Love tea? Click and drink in fine teas from around the world.
> http://tagline.hushmail.com/fc/Ioyw6h4dQrpDm7lVybi3tCFHWrTmyaROe9WzHSGYBdQQdStCmOcdVO/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2: passwords are stored in plain text (sitemanager.xml)
  - From: Joey Mengele

Prev by Date: Re: [Full-disclosure] Web Application Security Awareness Day
Next by Date: Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml)
Previous by thread: Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2: passwords are stored in plain text (sitemanager.xml)
Next by thread: Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml)
Index(es):
- Date
- Thread