Opened 15 years ago

Closed 12 years ago

#4206 closed Patch (fixed)

FileZilla may submit wrong password for an anonymous account

Reported by: base10k
Owned by: Nico
Priority: normal
Component: FileZilla Client
Keywords: anonymous, password
Cc:
Component version:
Operating system type: Linux
Operating system version: Ubuntu 8.10


When using the Quickconnect bar to connect to a server with the username "anonymous" it seems that FileZilla ignores the entered password and submits a default password.


If you control the server:

  • Create the account with the username of "anon" instead of "anonymous".
  • Configure the server to accept all passwords for an account with the username "anonymous" (not always preferable, anonymous does not mean open to all).
  • Change the password of the account to match FileZilla's default anonymous password (same problem as above, this would give access to everyone using FileZilla).

If you only control the client:

  • Add the account into the Site manager and select the logontype "normal". This will cause your password to be written to disk in cleartext, which is not preferable on shared computers (easily recovered even if deleted, unless you 'shred' the file or it is overwritten).

FileZilla version: 3.1.2 (Linux AMD64).
I was connecting to an account using SFTP (the server was OpenSSH's internal-sftp, version 5.1).

Attachments (1)

Ticket4206.patch (508 bytes) - added by Nico 14 years ago.
Patch for Ticket #4206


Change History (8)

comment:1 by Matthew, 14 years ago

I'm able to replicate the same issue with version while setting up vsftpd to use white listed anonymous logins.

My 20c bet is on line 203 in CServer::ParseUrl() (src/engine/server.cpp)

comment:2 by Nico, 14 years ago

Owner: set to Nico
Status: new → accepted
Type: Bug report → Patch

comment:3 by Nico, 14 years ago

Status: accepted → assigned
Type: Patch → Bug report

by Nico, 14 years ago

Attachment: Ticket4206.patch added

Patch for Ticket #4206

comment:4 by Nico, 14 years ago

Type: Bug report → Patch

Added the attached patch.

Now checks if password is blank too, before assuming logonType = ANONYMOUS.

comment:5 by KDJ, 14 years ago

Looks good, will have to wait and see if it makes a release, might take some time though

comment:7 by Sworddragon, 12 years ago

Keywords: anonymous added; lol lol lol mous removed
Operating system version: RETARDS → Ubuntu 8.10
Owner: changed from troll to Nico
Priority: critical → normal
Status: accepted → assigned
Summary: YOU R A RETARD LOLZ!L!L!L!L!L!L!L!LL!L!L! → FileZilla may submit wrong password for an anonymous account

comment:8 by Tim Kosse, 12 years ago

Resolution: None → fixed
Status: assigned → closed

Thanks for the patch.

I've made a couple of changes so that empty username is still handled correctly.
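
The logon-type decision discussed in this ticket, as an added example that is not FileZilla's source and not the attached patch: it contrasts the reported behaviour with the one described in comment:4 and comment:8. All names, the default anonymous password value and the handling of an empty user name are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>

// Hypothetical names throughout; this is not FileZilla's source.
enum class LogonType { Anonymous, Normal };

struct Credentials {
    LogonType type;
    std::string user;
    std::string pass;  // what is actually sent to the server
};

// Constructed placeholder for the client's built-in anonymous password.
const std::string kDefaultAnonPass = "anon@example.invalid";

// Reported behaviour: the user name alone selects the anonymous logon
// type, so a password typed by the user is discarded.
Credentials ResolveLegacy(const std::string& user, const std::string& pass) {
    if (user.empty() || user == "anonymous")
        return {LogonType::Anonymous, "anonymous", kDefaultAnonPass};
    return {LogonType::Normal, user, pass};
}

// Behaviour described in comment:4: "anonymous" is only treated as an
// anonymous logon when the password is blank as well.
// Assumption: an empty user name still falls back to the anonymous logon
// (comment:8 only says it is "still handled correctly").
Credentials ResolveFixed(const std::string& user, const std::string& pass) {
    if (user.empty())
        return {LogonType::Anonymous, "anonymous", kDefaultAnonPass};
    if (user == "anonymous" && pass.empty())
        return {LogonType::Anonymous, "anonymous", kDefaultAnonPass};
    return {LogonType::Normal, user, pass};
}

// True when the password that would be sent differs from the one the
// user entered, i.e. the credential was silently replaced.
bool PasswordReplaced(const Credentials& c, const std::string& entered) {
    return !entered.empty() && c.pass != entered;
}

int main() {
    const std::string entered = "s3cret-constructed";  // constructed sample
    std::cout << "legacy replaces password: "
              << PasswordReplaced(ResolveLegacy("anonymous", entered), entered) << "\n";
    std::cout << "fixed replaces password:  "
              << PasswordReplaced(ResolveFixed("anonymous", entered), entered) << "\n";
}
```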
