lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 8 Oct 2010 12:46:06 +0100 (BST)
From: Hurgel Bumpf <l0rd_lunatic@...oo.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Filezilla's silent caching of user's
	credentials

No one really cares about session keys or credentials:

http://www.google.com/search?q=%22Apache+Server+Status+for%22+%22Server+Version%22+-%22How+to%22+-Guide+-Tuning&hl=en&biw=1430&bih=789&ei=KQOvTPv-Oo_Jswb7oJHTDQ&start=10&sa=N

27,800 hits..

This is a missconfiguration done by the administrator. 

So i like that quote:

"I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be."


"Let He Who Is Without Sin Cast The First Stone"




--- Jeffrey Walton <noloader@...il.com> schrieb am Fr, 8.10.2010:

> Von: Jeffrey Walton <noloader@...il.com>
> Betreff: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
> An: "Ryan Sears" <rdsears@....edu>
> CC: "full-disclosure" <full-disclosure@...ts.grok.org.uk>
> Datum: Freitag, 8. Oktober, 2010 02:25 Uhr
> Hi Ryan,
> 
> No inline comments. Sorry (I wanted to reorder topics).
> 
> > I just wanted to gauge the FD community on this issue,
> because
> > with enough backing and explanation from the security
> community
> > as to why this is a problem, this issue may finally be
> resolved (it's
> > been doing this for years now)
> This is an alarming trend in open source software, and
> diametrically
> opposed to the claims of "more eyes equates to more
> secure"", "open
> source software is more secure", and "open source software
> fixes bugs
> faster than other software models".
> 
> Is also blows away the theory of "Darwinian Software
> Evolution": good,
> robust, secure software thrives and lesser software dies.
> Filezilla
> and the Python example below are "proofs by counter
> example". It
> appears the model in use is greatly influenced by
> popularity, which
> makes it more appropriate for politicians (who tend to lie
> for a
> living) ;)
> 
> > "I do not see any harm in storing credentials as long
> as the rest
> > of your system is properly secure as it should be."
> > Source:(http://forum.filezilla-project.org/viewtopic.php?f=3&t=17932)
> That should earn the project a Pwnie Award nomination for
> lamest
> vendor response (http://pwnies.com/).
> 
> > To me this is not only concerning, but also completely
> un-acceptable.
> Agreed.
> 
> Other recent similar examples of this sort of response by
> open source
> projects include "Python ssl handling could be better...",
> where the
> Python Standard Library did not (still does not?) verify
> the hostname
> in the certificate with CN or SubAlt name
> (http://seclists.org/fulldisclosure/2010/Sep/381). The
> python bug was
> filed in 2007 (http://bugs.python.org/issue1589).
> 
> Jeff
> 
> On Thu, Oct 7, 2010 at 11:10 PM, Ryan Sears <rdsears@....edu>
> wrote:
> > Hi all,
> >
> > As some of you may or may not be aware, the popular
> (and IMHO one of the best) FTP/SCP program Filezilla caches
> your credentials for every host you connect to, without
> either warning or ability to change this without editing an
> XML file. There have been quite a few bug and features
> requests filed, and they all get closed or rejected within a
> week or so. I also posted something in the developer forum
> inquiring about this, and received this response:
> >
> > "I do not see any harm in storing credentials as long
> as the rest of your system is properly secure as it should
> be."
> >
> > Source:(http://forum.filezilla-project.org/viewtopic.php?f=3&t=17932)
> >
> > To me this is not only concerning, but also completely
> un-acceptable. The passwords all get stored in PLAIN TEXT
> within your %appdata% directory in an XML file. This is
> particularly dangerous in multi-user environments with local
> profiles, because as we all know physical access to a
> computer means it's elementary at best to acquire
> information off it. Permissions only work if your operating
> system chooses to respect them, not to mention how simple it
> is *even today* to maliciously get around windows networks
> using pass-the-hash along with network token manipulation
> techniques.
> >
> > There has even been a bug filed that draws out great
> ways to psudo-mitigate this using built-in windows API
> calls, but it doesn't seem to really be going anywhere. This
> really concerns me because a number of my coworkers and
> friends were un-aware of this behavior, and I didn't even
> know about it until I'd been using it for a year or so. All
> I really want to see is at the very least just some warning
> that Filezilla does this.
> >
> > Filezilla bug report:(http://trac.filezilla-project.org/ticket/5530)
> >
> > My feelings have been said a lot more eloquently than
> I could ever hope to in that bug report:
> >
> > "Whoever keeps closing this issue and/or dismissing
> its importance understands neither security nor logical
> argument. I apologize for the slam, but it is undeniably
> true. Making the same mistake over and over does not make it
> any less of a mistake. The fact that a critical deficiency
> has existed for years does not make it any less critical a
> deficiency. Similarly, the fact that there are others
> (pidgin) who indulge in the same faulty reasoning does not
> make the reasoning any more sound." ~btrower
> >
> > While it's true you can mitigate this behavior, why
> should it even be enabled by default? The total lapse in
> security for such a feature-rich, robust piece of software
> is quite disturbing, and I don't understand how the
> developers don't think this is an issue.
> >
> > I just wanted to gauge the FD community on this issue,
> because with enough backing and explanation from the
> security community as to why this is a problem, this issue
> may finally be resolved (it's been doing this for years
> now).
> >
> > Regards,
> > Ryan Sears
> >
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ