Ticket #4206 (closed Patch: fixed)

Opened 5 years ago

Last modified 2 years ago

FileZilla may submit wrong password for an anonymous account

Reported by: base10k
Owned by: JNKCoetzee
Priority: normal
Component: FileZilla Client
Keywords: anonymous,password
Cc:
Operating system type: Linux
Operating system version: Ubuntu 8.10

Description

When using the Quickconnect bar to connect to a server with the username "anonymous", it seems that FileZilla ignores the entered password and submits a default password.

Workarounds:

If you control the server:
- Create the account with the username "anon" instead of "anonymous".
- Configure the server to accept all passwords for an account with the username "anonymous" (not always preferable; anonymous does not mean open to all).
- Change the password of the account to match FileZilla's default anonymous password (same problem as above; this would give access to everyone using FileZilla).

If you only control the client:
- Add the account to the Site Manager and select the logon type "normal". This will cause your password to be written to disk in cleartext, which is not preferable on shared computers (it is easily recovered even if deleted, unless you 'shred' the file or it is overwritten).

Notes:
FileZilla version: 3.1.2 (Linux AMD64).
I was connecting to an account using SFTP (the server was OpenSSH's internal-sftp, version 5.1).

Attachments

Ticket4206.patch (508 bytes) - added by JNKCoetzee 5 years ago.
Patch for Ticket #4206

Change History

Changed 5 years ago by buzzard

I'm able to replicate the same issue with version 3.2.2.1 while setting up vsftpd to use whitelisted anonymous logins.

My 20c bet is on line 203 in CServer::ParseUrl() (src/engine/server.cpp).

Changed 5 years ago by JNKCoetzee

  • owner set to JNKCoetzee
  • status changed from new to accepted
  • type changed from Bug report to Patch

Changed 5 years ago by JNKCoetzee

  • status changed from accepted to assigned
  • type changed from Patch to Bug report

Changed 5 years ago by JNKCoetzee

Patch for Ticket #4206

Changed 5 years ago by JNKCoetzee

  • type changed from Bug report to Patch

Added the attached patch.

Now checks if password is blank too, before assuming logonType = ANONYMOUS.

Changed 5 years ago by KDJ

Looks good, will have to wait and see if it makes a release; might take some time though.

Changed 3 years ago by Sworddragon

  • status changed from accepted to assigned
  • summary changed from YOU R A RETARD LOLZ!L!L!L!L!L!L!L!LL!L!L! to FileZilla may submit wrong password for a anonymous account
  • priority changed from critical to normal
  • os_version changed from RETARDS to Ubuntu 8.10
  • keywords anonymous,password added; lol lol lol mous,password removed
  • owner changed from troll to JNKCoetzee

Changed 2 years ago by codesquid

  • status changed from assigned to closed
  • resolution changed from None to fixed

Thanks for the patch.

I've made a couple of changes so that an empty username is still handled correctly.
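
The logon-type decision discussed in this ticket, as an added example that is not FileZilla's source and not the attached patch: it contrasts the reported behaviour (username alone selects anonymous logon) with the fix as described (password must be blank too). All names, the placeholder default password, and the treatment of an empty username as anonymous are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>

// Hypothetical names throughout; this is not FileZilla's code.
enum class LogonType { Anonymous, Normal };

struct Credentials {
    LogonType type;
    std::string user;
    std::string pass;
};

// Constructed placeholder for the client's built-in anonymous password.
static const std::string kDefaultAnonPass = "default-anon-password";

// Reported behaviour: the username alone selects anonymous logon, so a
// password typed into Quickconnect is silently replaced by the default.
Credentials resolve_before(const std::string& user, const std::string& pass) {
    if (user.empty() || user == "anonymous")
        return {LogonType::Anonymous, "anonymous", kDefaultAnonPass};
    return {LogonType::Normal, user, pass};
}

// Fix as described in the ticket: "anonymous" means anonymous logon only
// when the password is blank too. Assumption: an empty username still
// selects anonymous logon.
Credentials resolve_after(const std::string& user, const std::string& pass) {
    if (user.empty() || (user == "anonymous" && pass.empty()))
        return {LogonType::Anonymous, "anonymous", kDefaultAnonPass};
    return {LogonType::Normal, user, pass};
}

// True when a non-empty password the user entered is not the one sent.
bool password_overridden(const Credentials& sent, const std::string& entered) {
    return !entered.empty() && sent.pass != entered;
}

int main() {
    const std::string entered = "s3cret";  // constructed sample input
    std::cout << "before fix, overridden: "
              << password_overridden(resolve_before("anonymous", entered), entered) << "\n"
              << "after fix, overridden:  "
              << password_overridden(resolve_after("anonymous", entered), entered) << "\n";
    return 0;
}
```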
