Opened 10 years ago

Closed 10 years ago

Last modified 6 years ago

#5155 closed Bug report (rejected)

Password in plain text in 3.3.1

Reported by: Dale Ullrich Owned by:
Priority: low Component: FileZilla Client
Keywords: security risk Cc:
Component version: Operating system type: Windows
Operating system version: WinXP Professional

Description

Add a site via Site Manager and the password is stored in the sitemanager.xml file in plain text:

<Server>

<Host>testhost</Host>
<Port>21</Port>
<Protocol>0</Protocol>
<Type>0</Type>
<User>testuser</User>
<Pass>testpwd</Pass>
<Logontype>1</Logontype>
<TimezoneOffset>0</TimezoneOffset>
<PasvMode>MODE_DEFAULT</PasvMode>
<MaximumMultipleConnections>0</MaximumMultipleConnections>
<EncodingType>Auto</EncodingType>
<BypassProxy>0</BypassProxy>
<Name>test_security</Name>
<Comments />
<LocalDir />
<RemoteDir />
<SyncBrowsing>0</SyncBrowsing>
test_security
</Server>

Build information:
Compiled for: i586-pc-mingw32msvc
Compiled on: x86_64-unknown-linux-gnu
Build date: 2010-01-03
Compiled with: i586-mingw32msvc-gcc(GCC) 4.2.1-sjlj (mingw32-2)
Compiler flags: -g -O2 -Wall -g -fexceptions

Linked against:
wxWidgets: 2.8.10
GnuTLS: 2.8.3

Change History (5)

comment:1 Changed 10 years ago by Tim Kosse

Resolution: duplicate
Status: newclosed

Thank you for using the search function.

#1373
#2935
#4507
#4731

comment:2 Changed 10 years ago by Tim Kosse

Keywords: security risk removed
Priority: criticallow

comment:3 Changed 10 years ago by Dale Ullrich

Okay, so my searching skills need some work... In any case, OS security isn't security. I'll be removing FileZilla client from my system. The older versions encrypted the passwords, at least obfuscated them in some manner.

comment:4 Changed 10 years ago by Jed Richards

Keywords: security risk added
Priority: lownormal
Resolution: duplicate
Status: closedreopened
Type: Bug reportFeature request

I'd like to chime in here and give a +1 for FileZilla doing something to encrypt the sitemanager.xml file.

I think its hugely unhelpful and frustrating for the FileZilla devs to refuse to enter into debate on this subject and constantly regurgitate the argument that once your system is infected by malware then an encrypted sitemanager.xml will not help your sites being hacked/compromised.

It is totally, hopelessly, uselessly idealistic to simply state that it's the responsibility of the OS to protect the files. The actual situation on the ground is that computers get compromised all the time, even when OS based counter measures are in place and anything reasonable that individual programs can do to reduce the risk (even slightly) should be done.

For example, I store all my passwords in a KeePass database. This means that I don't need to type in passwords, I can just copy and paste them, and have them protected whilst in the clipboard. If FileZilla site manager "master password" was in a KeePass database then it would be unlikely to be compromised even if a trojan key logger was active. This is just one use case of hundreds that would enable an encrypted FileZilla to operate much more securely.

And what about freelancers and contractors that may be using their machine at an organisation and they'd rather their list of clients (i.e. site manager entries) isn't plainly visible to anyone who stops by their desk?

Please lose the idealism, and make FileZilla more secure.

comment:5 Changed 10 years ago by Tim Kosse

Resolution: rejected
Status: reopenedclosed

For example, I store all my passwords in a KeePass database. This means
that I don't need to type in passwords, I can just copy and paste them,
and have them protected whilst in the clipboard.

If I were malware author, I'd jump out of pure joy if I'd gain access to a machine that is running KeePass. I'd no longer have to search the system for passwords, I would just observe what's going in and out of KeePass and as result gaining access to all passwords for free.

And what about freelancers and contractors that may be using their machine at
an organisation and they'd rather their list of clients (i.e. site manager
entries) isn't plainly visible to anyone who stops by their desk?

Kiosk mode. See fzdefaults.xml.example

Note: See TracTickets for help on using tickets.