lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <16cd6eab0804230926i1d3783d7n5984554857506967@mail.gmail.com>
Date: Wed, 23 Apr 2008 18:26:48 +0200
From: "jipe foo" <foojipe@...il.com>
To: "Joey Mengele" <joey.mengele@...hmail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Security issue in Filezilla
	3.0.9.2:passwordsare stored in plain text (sitemanager.xml)

2008/4/22 Joey Mengele <joey.mengele@...hmail.com>:
> Valdis,
>
>
>  On Mon, 21 Apr 2008 22:53:55 -0400 Valdis.Kletnieks@...edu wrote:
>  >On Mon, 21 Apr 2008 22:31:53 EDT, Joey Mengele said:
>  >
>  >> So are you trying to suggest compression is not as secure as
>  >> encryption? Have you even *read* the RFC in question?
>  >
>  >The design goal of most compression algorithms is that *anybody*
>  >can take
>  >the compressed data and get back the original.  The design goal of
>  >most
>  >encryption is that *only the intended recipient* can decrypt and
>  >get the
>  >original data back.
>  >
>
>  I think you have your terms mixed up, insert foot here LOLOL. And
>  you didn't answer my question. Have you even *read* the RFC in
>  question? And please, no "you must work at a fast food restaurant"
>  cop outs this time.
>

Sorry for not joining this incredibly interesting conversation about
the ftp RFC ;-)
but the original post was about the security of the passwords on the support not
on the wire.

So Carl, as the default installation directory is %APPDATA%\FileZilla
and %APPDATA%
is likely to be a subdirectory of the user's %HOMEPATH% (only readable
by the corresponding
user himself), I would like to say... WTF ?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ