lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 18 Apr 2008 15:36:34 -0400
From: "Garrett M. Groff" <groffg@...design.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: Security issue in Filezilla 3.0.9.2:passwords
	are stored in plain text (sitemanager.xml)

That issue is inherent in the FTP protocol, not FileZilla.

Resolution: set up FTP server to use either SFTP or FTPS.

- G


----- Original Message ----- 
From: "Joey Mengele" <joey.mengele@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>; <hardwick.carl@...il.com>
Sent: Friday, April 18, 2008 3:21 PM
Subject: Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords 
are stored in plain text (sitemanager.xml)


>I have noticed a similar, yet much more severe flaw in Filezilla.
> When logging in to a remote server, Filezilla will send the
> password in clear text without encrypting it. This means every
> machine on the internet that it routes through can intercept it.
> Same flaw, much more serious consequences, since, who has access to
> your personal PC anyway?
>
> J
>
> On Fri, 18 Apr 2008 15:09:18 -0400 carl hardwick
> <hardwick.carl@...il.com> wrote:
>>A security issue in Filezilla 3.0.9.2 (and previous versions)
>>allows
>>local users to retrieve all saved passwords because they're stored
>>in
>>a plain text sitemanager.xml
>>
>><?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
>><FileZilla3>
>>    <Servers>
>>        <Server>
>>            <Host>ftpspace.domain.com</Host>
>>            <Port>21</Port>
>>            <Protocol>0</Protocol>
>>            <Type>0</Type>
>>            <Logontype>1</Logontype>
>>            <User>user@...ain.com</User>
>>            <Pass>I'mAPlainTextPassword</Pass>
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> Love tea? Click and drink in fine teas from around the world.
> http://tagline.hushmail.com/fc/Ioyw6h4dQrpDm7lVybi3tCFHWrTmyaROe9WzHSGYBdQQdStCmOcdVO/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ