Opened 16 years ago
Closed 13 years ago
#4206 closed Patch (fixed)
FileZilla may submit wrong password for an anonymous account
Reported by: | base10k | Owned by: | Nico |
---|---|---|---|
Priority: | normal | Component: | FileZilla Client |
Keywords: | anonymous, password | Cc: | |
Component version: | | Operating system type: | Linux |
Operating system version: | Ubuntu 8.10 | | |
Description
When using the Quickconnect bar to connect to a server with the username "anonymous" it seems that FileZilla ignores the entered password and submits a default password.
Workarounds:
If you control the server:
- create the account with the username of "anon" instead of "anonymous".
- Configure the server to accept all passwords for an account with the username "anonymous" (not always preferable, anonymous does not mean open to all).
- Change the password of the account to match FileZilla's default anonymous password (same problem as above, this would give access to everyone using FileZilla).
If you only control the client:
- Add the account to the Site Manager and select the logontype "normal". This will cause your password to be written to disk in cleartext, which is not preferable on shared computers (easily recovered even if deleted, unless you 'shred' the file or it is overwritten).
Notes:
FileZilla version: 3.1.2 (Linux AMD64).
I was connecting to an account using SFTP (the server was OpenSSH's internal-sftp, version 5.1).
Attachments (1)
Change History (8)
comment:1 by , 16 years ago
comment:2 by , 15 years ago
Owner: | set to |
---|---|
Status: | new → accepted |
Type: | Bug report → Patch |
comment:3 by , 15 years ago
Status: | accepted → assigned |
---|---|
Type: | Patch → Bug report |
comment:4 by , 15 years ago
Type: | Bug report → Patch |
---|
Added the attached patch.
Now checks if password is blank too, before assuming logonType = ANONYMOUS.
comment:5 by , 15 years ago
Looks good, will have to wait and see if it makes a release, might take some time though.
comment:7 by , 13 years ago
Keywords: | anonymous added; lol lol lol mous removed |
---|---|
Operating system version: | RETARDS → Ubuntu 8.10 |
Owner: | changed from | to
Priority: | critical → normal |
Status: | accepted → assigned |
Summary: | YOU R A RETARD LOLZ!L!L!L!L!L!L!L!LL!L!L! → FileZilla may submit wrong password for an anonymous account |
comment:8 by , 13 years ago
Resolution: | None → fixed |
---|---|
Status: | assigned → closed |
Thanks for the patch.
I've made a couple of changes so that empty username is still handled correctly.
I'm able to replicate the same issue with version 3.2.2.1 while setting up vsftpd to use whitelisted anonymous logins.
My 20c bet is on line 203 in CServer::ParseUrl() (src/engine/server.cpp).
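
The logon-type decision discussed in comments 4 and 8, sketched as an added example (it is not FileZilla's source and not the attached patch). The function names, the `LogonType` enum, the `Credentials` struct and the placeholder default password are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>

// Hypothetical model of the behaviour described in this ticket.
enum class LogonType { Anonymous, Normal };

// Placeholder for the client's built-in anonymous password (constructed value).
const std::string kDefaultAnonPassword = "<default-anonymous-password>";

struct Credentials {
    LogonType type;
    std::string user;
    std::string password;  // what is actually sent to the server
};

// Reported behaviour: the user name alone selects anonymous logon, so a
// password typed into the Quickconnect bar is silently replaced.
Credentials resolve_before(const std::string& user, const std::string& pass) {
    if (user.empty() || user == "anonymous")
        return {LogonType::Anonymous, "anonymous", kDefaultAnonPassword};
    return {LogonType::Normal, user, pass};
}

// Behaviour after the fix as described in comments 4 and 8: "anonymous" is
// treated as anonymous logon only when the password is blank too, and an
// empty user name is still handled as anonymous (assumed interpretation).
Credentials resolve_after(const std::string& user, const std::string& pass) {
    if (user.empty() || (user == "anonymous" && pass.empty()))
        return {LogonType::Anonymous, "anonymous", kDefaultAnonPassword};
    return {LogonType::Normal, user, pass};
}

int main() {
    // Constructed input: an account named "anonymous" with its own password.
    const std::string user = "anonymous", pass = "site-specific-secret";
    const Credentials b = resolve_before(user, pass);
    const Credentials a = resolve_after(user, pass);
    std::cout << "before: entered password sent = "
              << (b.password == pass ? "yes" : "no") << "\n";
    std::cout << "after:  entered password sent = "
              << (a.password == pass ? "yes" : "no") << "\n";
    return 0;
}
```

A server-side check for the original symptom is to look for repeated failed logins for the "anonymous" account from clients whose users report entering the correct password.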