[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml)
- To: full-disclosure@xxxxxxxxxxxxxxxxx, groffg@xxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml)
- From: "Joey Mengele" <joey.mengele@xxxxxxxxxxxx>
- Date: Fri, 18 Apr 2008 15:42:44 -0400
I disagree, read the RFC. There are plenty of more secure FTP
clients such as the OpenSSH.com groups proactive secure Secure FTP
(sftp) implementation of FTP.
J
On Fri, 18 Apr 2008 15:36:34 -0400 "Garrett M. Groff"
<groffg@xxxxxxxxxxxxx> wrote:
>That issue is inherent in the FTP protocol, not FileZilla.
>
>Resolution: set up FTP server to use either SFTP or FTPS.
>
>- G
>
>
>----- Original Message -----
>From: "Joey Mengele" <joey.mengele@xxxxxxxxxxxx>
>To: <full-disclosure@xxxxxxxxxxxxxxxxx>; <hardwick.carl@xxxxxxxxx>
>Sent: Friday, April 18, 2008 3:21 PM
>Subject: Re: [Full-disclosure] Security issue in Filezilla
>3.0.9.2:passwords
>are stored in plain text (sitemanager.xml)
>
>
>>I have noticed a similar, yet much more severe flaw in Filezilla.
>> When logging in to a remote server, Filezilla will send the
>> password in clear text without encrypting it. This means every
>> machine on the internet that it routes through can intercept it.
>> Same flaw, much more serious consequences, since, who has access
>to
>> your personal PC anyway?
>>
>> J
>>
>> On Fri, 18 Apr 2008 15:09:18 -0400 carl hardwick
>> <hardwick.carl@xxxxxxxxx> wrote:
>>>A security issue in Filezilla 3.0.9.2 (and previous versions)
>>>allows
>>>local users to retrieve all saved passwords because they're
>stored
>>>in
>>>a plain text sitemanager.xml
>>>
>>><?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
>>><FileZilla3>
>>> <Servers>
>>> <Server>
>>> <Host>ftpspace.domain.com</Host>
>>> <Port>21</Port>
>>> <Protocol>0</Protocol>
>>> <Type>0</Type>
>>> <Logontype>1</Logontype>
>>> <User>user@xxxxxxxxxx</User>
>>> <Pass>I'mAPlainTextPassword</Pass>
>>>
>>>_______________________________________________
>>>Full-Disclosure - We believe in it.
>>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>Hosted and sponsored by Secunia - http://secunia.com/
>>
>> --
>> Love tea? Click and drink in fine teas from around the world.
>>
>http://tagline.hushmail.com/fc/Ioyw6h4dQrpDm7lVybi3tCFHWrTmyaROe9Wz
>HSGYBdQQdStCmOcdVO/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
--
Self-Employed? Need a Health Plan? Click here to get self-employed health
insurance.
http://tagline.hushmail.com/fc/Ioyw6h4dO2cCFhf30yfrEmvtuogkivsLXdqjo6vqX4h6CuwtZdDLw0/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/