Opened 10 years ago

Closed 2 years ago

#6533 closed Bug report (wontfix)

FileZilla-Server endangers SSL-connections!

Reported by: Alex Owned by:
Priority: normal Component: FileZilla Server
Keywords: Cc:
Component version: Operating system type: Windows
Operating system version: 5.1.2600

Description

After creation of the Security Certificate via FileZilla-Server v0.9.37 beta keeps PRiVATE_KEY into the Security_Certificate!
It is wrong and is inadmissible!
As a result of creation of the Security Certificate 2 files should be created:

  1. A file containing PRiVATE_KEY, for example 'pgp1.skey'
  2. A file containing SECURiTY_CERTiFiCATE.

(!) Inside of the Security Certificate should NOT be located PRiVATE KEY!
SECURiTY CERTiFiCATE is intended for free distribution in Internet and should NOT contain confidential data!
PRiVATE KEY should be stored only at the Owner of the Security Certificate.

This dangerous mistake is necessary for correcting URGENTLY since FileZilla Server subjects to the big risk of many users, exchanging confidential data.

I have attached the sample of the CERTIFICATE created by means of FileZilla-Server v0.9.37 beta (inside of a file contains RSA_PRiVATE_KEY).

P.S.
As a whole I express gratitude for very useful and convenient program FileZilla FTP Client!

Attachments (1)

example_com.crt (1.9 KB ) - added by Alex 10 years ago.
Security_Certificate contains RSA_PRiVATE_KEY !!!

Download all attachments as: .zip

Change History (4)

by Alex, 10 years ago

Attachment: example_com.crt added

Security_Certificate contains RSA_PRiVATE_KEY !!!

comment:1 by Tim Kosse, 10 years ago

Priority: criticalnormal

Not critical as this bug is not a remotely exploitable security vulnerability.

comment:2 by Kurt McKee, 3 years ago

Triage suggestion

There has been no movement on this ticket in 6 years.

I recommend closing the ticket as "wontfix" (unless it's been fixed, of course!).

comment:3 by Kurt McKee, 2 years ago

Resolution: wontfix
Status: newclosed

Hopefully this has been fixed in the last eight years, but since there have been no additional changes to this ticket, I'm closing it.

Note: See TracTickets for help on using tickets.