lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 8 Oct 2010 09:21:14 -0400
From: Charles Morris <cmorris@...odu.edu>
To: Ryan Sears <rdsears@....edu>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Filezilla's silent caching of user's
	credentials

On Thu, Oct 7, 2010 at 11:10 PM, Ryan Sears <rdsears@....edu> wrote:
> Hi all,
>
> As some of you may or may not be aware, the popular (and IMHO one of the best) FTP/SCP program Filezilla caches your credentials for every host you connect to, without either warning or ability to change this without editing an XML file. There have been quite a few bug and features requests filed, and they all get closed or rejected within a week or so. I also posted something in the developer forum inquiring about this, and received this response:
>
> "I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be."
>
> Source:(http://forum.filezilla-project.org/viewtopic.php?f=3&t=17932)
>
> To me this is not only concerning, but also completely un-acceptable. The passwords all get stored in PLAIN TEXT within your %appdata% directory in an XML file. This is particularly dangerous in multi-user environments with local profiles, because as we all know physical access to a computer means it's elementary at best to acquire information off it. Permissions only work if your operating system chooses to respect them, not to mention how simple it is *even today* to maliciously get around windows networks using pass-the-hash along with network token manipulation techniques.
>

I reported a similar issue in a certain SSH client a few years ago, it
was keeping the passphrase as cleartext in memory
for the duration of the session as well as an arbitrarily long period
after you disconnect but keep the window open.

They added protections like a simple encoding for the credentials
where they are stored, and nulling out the region
when you ended the session. They still wanted to keep the credentials
intact during the session in order to quickly
create new terminal windows.

This issue was much less serious than storing the cleartext in a file,
and they thought it appropriate to add protections.

>
> I just wanted to gauge the FD community on this issue, because with enough backing and explanation from the security community as to why this is a problem, this issue may finally be resolved (it's been doing this for years now).
>

It IS an issue. Plain and simple.

That type of developer response really gets me.

Personally I won't be allowing Filezilla on any of my systems even if
they do eventually patch this issue..
who knows what else is lurking behind the scenes?

Cheers,
Charles

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ