| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <431AD61A.6040702@runawaynet.com> Date: Sun, 04 Sep 2005 04:10:18 -0700 From: Nicholas Knight <nknight@...awaynet.com> To: bugtraq@...urityfocus.com Subject: Re: FileZilla weakly-encrypted password vulnerability: advisory + PoC m123303@...urityfocus.com wrote: > Vulnerability summary > - --------------------- > - - FileZilla client stores password using weak XOR "encryption" > - - The value of the cipher key is static (it never changes) and can > be found in the source code As I'm getting rather tired of explaining to people, you will find the same "vulnerability" in any number of programs (KMail and KNode spring to mind immediately, as I've had to recover passwords from them in the past). Developers don't intend these features as true security (note that the fact that the passwords are stored obfuscated is never advertised), but rather a deterrent against casual snoopers (like, say, a younger sibling being naughty), and reporting it isn't going to get you anything but mocked. If you want to report something *closer* to a real vulnerability, try reporting the fact that FileZilla stores the information in a public folder instead of the user's private areas. On a multi-user system shared among family members, storing the data where it belongs offers far greater deterrent at zero cost.
Powered by blists - more mailing lists