| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20080418194244.64B2D11803E@mailserver5.hushmail.com> Date: Fri, 18 Apr 2008 15:42:44 -0400 From: "Joey Mengele" <joey.mengele@...hmail.com> To: full-disclosure@...ts.grok.org.uk, groffg@...design.com Subject: Re: Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml) I disagree, read the RFC. There are plenty of more secure FTP clients such as the OpenSSH.com groups proactive secure Secure FTP (sftp) implementation of FTP. J On Fri, 18 Apr 2008 15:36:34 -0400 "Garrett M. Groff" <groffg@...design.com> wrote: >That issue is inherent in the FTP protocol, not FileZilla. > >Resolution: set up FTP server to use either SFTP or FTPS. > >- G > > >----- Original Message ----- >From: "Joey Mengele" <joey.mengele@...hmail.com> >To: <full-disclosure@...ts.grok.org.uk>; <hardwick.carl@...il.com> >Sent: Friday, April 18, 2008 3:21 PM >Subject: Re: [Full-disclosure] Security issue in Filezilla >3.0.9.2:passwords >are stored in plain text (sitemanager.xml) > > >>I have noticed a similar, yet much more severe flaw in Filezilla. >> When logging in to a remote server, Filezilla will send the >> password in clear text without encrypting it. This means every >> machine on the internet that it routes through can intercept it. >> Same flaw, much more serious consequences, since, who has access >to >> your personal PC anyway? >> >> J >> >> On Fri, 18 Apr 2008 15:09:18 -0400 carl hardwick >> <hardwick.carl@...il.com> wrote: >>>A security issue in Filezilla 3.0.9.2 (and previous versions) >>>allows >>>local users to retrieve all saved passwords because they're >stored >>>in >>>a plain text sitemanager.xml >>> >>><?xml version="1.0" encoding="UTF-8" standalone="yes" ?> >>><FileZilla3> >>> <Servers> >>> <Server> >>> <Host>ftpspace.domain.com</Host> >>> <Port>21</Port> >>> <Protocol>0</Protocol> >>> <Type>0</Type> >>> <Logontype>1</Logontype> >>> <User>user@...ain.com</User> >>> <Pass>I'mAPlainTextPassword</Pass> >>> >>>_______________________________________________ >>>Full-Disclosure - We believe in it. >>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>Hosted and sponsored by Secunia - http://secunia.com/ >> >> -- >> Love tea? Click and drink in fine teas from around the world. >> >http://tagline.hushmail.com/fc/Ioyw6h4dQrpDm7lVybi3tCFHWrTmyaROe9Wz >HSGYBdQQdStCmOcdVO/ >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ -- Self-Employed? Need a Health Plan? Click here to get self-employed health insurance. http://tagline.hushmail.com/fc/Ioyw6h4dO2cCFhf30yfrEmvtuogkivsLXdqjo6vqX4h6CuwtZdDLw0/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists