Opened 11 years ago

Closed 8 years ago

#4206 closed Patch (fixed)

FileZilla may submit wrong password for an anonymous account

Reported by: base10k
Owned by: Nico
Priority: normal
Component: FileZilla Client
Keywords: anonymous, password
Cc:
Component version:
Operating system type: Linux
Operating system version: Ubuntu 8.10

Description

When using the Quickconnect bar to connect to a server with the username "anonymous" it seems that FileZilla ignores the entered password and submits a default password.

Workarounds:

If you control the server:

  • Create the account with the username of "anon" instead of "anonymous".
  • Configure the server to accept all passwords for an account with the username "anonymous" (not always preferable, anonymous does not mean open to all).
  • Change the password of the account to match FileZilla's default anonymous password (same problem as above, this would give access to everyone using FileZilla).

If you only control the client:

  • Add the account into the Site manager and select the logontype "normal". This will cause your password to be written to disk in cleartext, which is not preferable on shared computers (easily recovered even if deleted, unless you 'shred' the file or it is overwritten).

Notes:
FileZilla version: 3.1.2 (Linux AMD64).
I was connecting to an account using SFTP (the server was OpenSSH's internal-sftp, version 5.1).

Attachments (1)

Ticket4206.patch (508 bytes) - added by Nico 10 years ago.
Patch for Ticket #4206


Change History (8)

comment:1 Changed 10 years ago by Matthew

I'm able to replicate the same issue with version 3.2.2.1 while setting up vsftpd to use whitelisted anonymous logins.

My 20c bet is on line 203 in CServer::ParseUrl() (src/engine/server.cpp)

comment:2 Changed 10 years ago by Nico

Owner: set to Nico
Status: new → accepted
Type: Bug report → Patch

comment:3 Changed 10 years ago by Nico

Status: accepted → assigned
Type: Patch → Bug report

Changed 10 years ago by Nico

Attachment: Ticket4206.patch added

Patch for Ticket #4206

comment:4 Changed 10 years ago by Nico

Type: Bug report → Patch

Added the attached patch.

Now checks if password is blank too, before assuming logonType = ANONYMOUS.

comment:5 Changed 10 years ago by KDJ

Looks good, will have to wait and see if it makes a release, might take some time though.

comment:7 Changed 8 years ago by Sworddragon

Keywords: anonymous added; lol lol lol mous removed
Operating system version: RETARDS → Ubuntu 8.10
Owner: changed from troll to Nico
Priority: critical → normal
Status: accepted → assigned
Summary: YOU R A RETARD LOLZ!L!L!L!L!L!L!L!LL!L!L! → FileZilla may submit wrong password for an anonymous account

comment:8 Changed 8 years ago by Tim Kosse

Resolution: None → fixed
Status: assigned → closed

Thanks for the patch.

I've made a couple of changes so that empty username is still handled correctly.
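
The logon-type decision discussed in comment:4 and comment:8, as an added example that is neither FileZilla's source nor the attached patch. The function names, the `Credentials` struct and the placeholder default password are hypothetical, and treating an empty username as an anonymous login is an assumption.

```cpp
#include <iostream>
#include <string>

// Hypothetical model of the behaviour described in this ticket.
enum class LogonType { ANONYMOUS, NORMAL };

struct Credentials {
    LogonType type;
    std::string user;
    std::string pass;  // the password that would actually be sent
};

// Placeholder for the client's built-in anonymous password (constructed value).
static const std::string kDefaultAnonPass = "default-anon-password";

// Reported behaviour: the username alone selects ANONYMOUS, so a password
// typed by the user is silently replaced by the default one.
Credentials ResolveBefore(const std::string& user, const std::string& pass) {
    if (user.empty() || user == "anonymous")
        return {LogonType::ANONYMOUS, "anonymous", kDefaultAnonPass};
    return {LogonType::NORMAL, user, pass};
}

// Behaviour after the fix: ANONYMOUS only when no username was given
// (assumption) or when the username is "anonymous" and the password is blank.
Credentials ResolveAfter(const std::string& user, const std::string& pass) {
    if (user.empty() || (user == "anonymous" && pass.empty()))
        return {LogonType::ANONYMOUS, "anonymous", kDefaultAnonPass};
    return {LogonType::NORMAL, user, pass};
}

// True when a password was entered but a different one would be sent.
bool PasswordOverridden(const Credentials& c, const std::string& entered) {
    return !entered.empty() && c.pass != entered;
}

int main() {
    const std::string user = "anonymous", entered = "s3cret";  // constructed input
    std::cout << "before: overridden="
              << PasswordOverridden(ResolveBefore(user, entered), entered) << "\n"
              << "after:  overridden="
              << PasswordOverridden(ResolveAfter(user, entered), entered) << "\n";
    return 0;
}
```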
