Opened 19 years ago
Last modified 11 years ago
#2400 closed Feature request
Vulnerability: FileZilla Server Interface Password
Reported by: z1of10
Owned by:
Priority: low
Component: FileZilla Server
Keywords:
Cc: z1of10, Tim Kosse
Component version:
Operating system type:
Operating system version:
Description
This request is in reference to a Bug Tracker artifact about the plain text password for the FileZilla Server Interface. Refer to the following URL for the artifact: https://sourceforge.net/tracker/?group_id=21558&atid=372241&func=detail&aid=1275925

Basically, it has been stated that the interface password appearing in plain text is by design, due to the authentication method used between server and interface.

While it is possible to maintain security of the server by ensuring proper file/folder permissions are set, thus denying access to the file by non-administrators, this would only work if everything remained on the same system. If one were to use the interface from a remote system, through the Internet, and the remote system did not have sufficient file/folder permissions, a security risk then arises. It would theoretically be possible for anyone to obtain the server administrator password, access the server, change any user password they wanted, then log in as that user and retrieve any file that user has access to.

In order to plug this hole, local administrators would have to make sure there is absolutely no possible way to access the server configuration file by non-administrators. Remote administrators would have to either do the same for the interface configuration file, or remember to delete or edit the interface configuration file to ensure the password cannot be obtained by non-administrators.

As stated in the referenced Bug Tracker artifact, an MD5 hash for this password is not possible. My request is simply: what about another obfuscation method? I've dabbled with obfuscation in Perl scripts I've written. I know there are many methods of encoding secret text. The e-mail server I use supports a secure, encoded challenge-response authentication, which suggests it is possible to encode secret text used for authentication. So, isn't it possible that there is at least one obfuscation method that could work with the current authentication method in FileZilla Server and its interface?
Obfuscation won't work, as FileZilla Server is open source software. Anyone could just decode the obfuscated password.

First, about remote administration:

Whenever you have automatic login, the login details have to be stored somewhere. If they are stored somewhere, that means other programs can read the login data. The format of the data doesn't matter; with the help of the source of FZS, the data can always be decoded.

So what is needed is either proper access rights for the interface configuration files, or just don't save the password at all.

Now the server, where the password resides:

As said before, obfuscation won't work. The only possible solution would be to hash the password and encrypt the auth process using asymmetric encryption, send the password over the encrypted channel, hash it as well and compare it to the stored hash. Implementing this would require a lot of work. Yet this still does not prevent the problems arising from improper file access rights.

Again, the best solution is to set proper file access rights.