#5155 closed Bug report (rejected)
Password in plain text in 3.3.1
Reported by: | Dale Ullrich | Owned by: |
---|---|---|---
Priority: | low | Component: | FileZilla Client
Keywords: | security risk | Cc: |
Component version: | | Operating system type: | Windows
Operating system version: | WinXP Professional | |
Description
Add a site via Site Manager and the password is stored in the sitemanager.xml file in plain text:
```xml
<Server>
<Host>testhost</Host>
<Port>21</Port>
<Protocol>0</Protocol>
<Type>0</Type>
<User>testuser</User>
<Pass>testpwd</Pass>
<Logontype>1</Logontype>
<TimezoneOffset>0</TimezoneOffset>
<PasvMode>MODE_DEFAULT</PasvMode>
<MaximumMultipleConnections>0</MaximumMultipleConnections>
<EncodingType>Auto</EncodingType>
<BypassProxy>0</BypassProxy>
<Name>test_security</Name>
<Comments />
<LocalDir />
<RemoteDir />
<SyncBrowsing>0</SyncBrowsing>
test_security
</Server>
```
Build information:
```
Compiled for: i586-pc-mingw32msvc
Compiled on: x86_64-unknown-linux-gnu
Build date: 2010-01-03
Compiled with: i586-mingw32msvc-gcc(GCC) 4.2.1-sjlj (mingw32-2)
Compiler flags: -g -O2 -Wall -g -fexceptions
Linked against:
wxWidgets: 2.8.10
GnuTLS: 2.8.3
```
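The report above shows the on-disk layout of a Site Manager entry. A defender who needs to know which workstations hold recoverable FTP credentials can audit the file directly. The script below is an added example written for this ticket, not FileZilla code: it parses the `<Server>` structure shown in the report and lists every entry whose `<Pass>` element yields a usable password. Its handling of a `<Pass encoding="base64">` attribute is an assumption about later FileZilla builds (not stated in this ticket), included because base64 is reversible and such entries count as recoverable just like the plain-text one above. The sample XML inside the script is constructed for the demonstration.

```python
"""Audit a FileZilla sitemanager.xml for stored, recoverable passwords.

Added example for this ticket; not FileZilla's own code. The base64 branch is an
assumption about later FileZilla builds and is not taken from the ticket text.
"""
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the ticket's entry, one entry that stores no password,
# and one with an (assumed) base64-encoded password.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
<Servers>
<Server>
<Host>testhost</Host>
<Port>21</Port>
<Protocol>0</Protocol>
<Type>0</Type>
<User>testuser</User>
<Pass>testpwd</Pass>
<Logontype>1</Logontype>
<Name>test_security</Name>
test_security
</Server>
<Server>
<Host>otherhost</Host>
<Port>21</Port>
<User>nopass</User>
<Name>no_password_stored</Name>
no_password_stored
</Server>
<Server>
<Host>b64host</Host>
<Port>21</Port>
<User>b64user</User>
<Pass encoding="base64">dGVzdHB3ZA==</Pass>
<Name>base64_entry</Name>
base64_entry
</Server>
</Servers>
</FileZilla3>
"""


def recover_password(pass_el):
    """Return the stored password as plain text, or None if nothing is stored."""
    if pass_el is None or not (pass_el.text or "").strip():
        return None
    text = pass_el.text.strip()
    # Assumption: later builds mark base64-encoded passwords with this attribute.
    # Base64 is an encoding, not encryption, so the value is still recoverable.
    if pass_el.get("encoding") == "base64":
        return base64.b64decode(text).decode("utf-8")
    return text


def find_stored_credentials(xml_text):
    """List (name, host, user, password) for every server with a recoverable password."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        password = recover_password(server.find("Pass"))
        if password is None:
            continue  # entry prompts for the password instead of storing it
        findings.append((
            (server.findtext("Name") or "").strip(),
            (server.findtext("Host") or "").strip(),
            (server.findtext("User") or "").strip(),
            password,
        ))
    return findings


def report(findings):
    """Summary lines with the password masked, so the audit output is safe to share."""
    return [
        f"{name}: {user}@{host} stores a recoverable password ({len(password)} chars)"
        for name, host, user, password in findings
    ]


if __name__ == "__main__":
    import sys
    # Pass a real sitemanager.xml path as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_SITEMANAGER
    for line in report(find_stored_credentials(source)):
        print(line)
```

Run it against the sample and it reports two of the three entries; the entry without a `<Pass>` value is skipped, which is the shape an entry takes when the client prompts for the password instead of storing it. Note that the trailing `test_security` text after `<SyncBrowsing>` in the report is the server name stored as the text content of `<Server>`, which ElementTree keeps as the tail of the preceding element and which the audit ignores.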
Change History (5)
comment:1 by , 15 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
comment:2 by , 15 years ago
Keywords: | security risk removed |
---|---|
Priority: | critical → low |
comment:3 by , 15 years ago
Okay, so my searching skills need some work... In any case, OS security isn't security. I'll be removing FileZilla client from my system. The older versions encrypted the passwords, or at least obfuscated them in some manner.
comment:4 by , 15 years ago
Keywords: | security risk added |
---|---|
Priority: | low → normal |
Resolution: | duplicate |
Status: | closed → reopened |
Type: | Bug report → Feature request |
I'd like to chime in here and give a +1 for FileZilla doing something to encrypt the sitemanager.xml file.
I think it's hugely unhelpful and frustrating for the FileZilla devs to refuse to enter into debate on this subject and constantly regurgitate the argument that once your system is infected by malware, an encrypted sitemanager.xml will not help against your sites being hacked/compromised.
It is totally, hopelessly, uselessly idealistic to simply state that it's the responsibility of the OS to protect the files. The actual situation on the ground is that computers get compromised all the time, even when OS-based countermeasures are in place, and anything reasonable that individual programs can do to reduce the risk (even slightly) should be done.
For example, I store all my passwords in a KeePass database. This means that I don't need to type in passwords; I can just copy and paste them, and have them protected whilst in the clipboard. If the FileZilla site manager "master password" were in a KeePass database, then it would be unlikely to be compromised even if a trojan key logger was active. This is just one use case of hundreds that would enable an encrypted FileZilla to operate much more securely.
And what about freelancers and contractors who may be using their machine at an organisation and would rather their list of clients (i.e. site manager entries) wasn't plainly visible to anyone who stops by their desk?
Please lose the idealism, and make FileZilla more secure.
comment:5 by , 15 years ago
Resolution: | → rejected |
---|---|
Status: | reopened → closed |
> For example, I store all my passwords in a KeePass database. This means that I don't need to type in passwords, I can just copy and paste them, and have them protected whilst in the clipboard.

If I were a malware author, I'd jump out of pure joy if I gained access to a machine that is running KeePass. I'd no longer have to search the system for passwords; I would just observe what's going in and out of KeePass and as a result gain access to all passwords for free.

> And what about freelancers and contractors that may be using their machine at an organisation and they'd rather their list of clients (i.e. site manager entries) isn't plainly visible to anyone who stops by their desk?

Kiosk mode. See fzdefaults.xml.example.
Thank you for using the search function.
#1373
#2935
#4507
#4731