| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri Sep 16 19:14:04 2005 From: tobiasu at tmux.org (Tobias Ulmer) Subject: FileZilla (client) public credentials vulnerability PASTOR ADRIAN wrote: > Title: FileZilla (client) public credentials vulnerability > Risk: Medium > Versions affected: <=2.2.15 > Credits: pagvac (Adrian Pastor) > Date found: 10th September, 2005 > Homepage: www.ikwt.com www.adrianpv.com > E-mail: m123303 [ - a t - ] richmond.ac.uk > [...] > Regards, > pagvac (Adrian Pastor) > Earth, SOLAR SYSTEM > I don't know why I even reply... But anyway, I attached a screen shot especially for you. Please read it. a) FileZilla Users most probably are the only user of the computer. This is why the default makes sense (They "work" as administrator anyways). b) There is a "secure mode" witch prevents you from saving any password at all witch is the best solution if you want to be on the safe side. c) There is an option to save the settings in the registry and ignore the xml file. Settings are stored in HKEY_CURRENT_USER witch is in fact under X:\%homepath%\username\NTUSER.DAT and is protected by the filesytem ACL. Tobias -------------- next part -------------- A non-text attachment was scrubbed... Name: filezilla_setup.png Type: image/png Size: 12444 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050916/125fae2c/filezilla_setup.png
Powered by blists - more mailing lists