Opened 9 years ago

Closed 17 months ago

#6533 closed Bug report (wontfix)

FileZilla-Server endangers SSL-connections!

Reported by: Alex
Owned by:
Priority: normal
Component: FileZilla Server
Keywords:
Cc:
Component version:
Operating system type: Windows
Operating system version: 5.1.2600

Description

After creating the Security Certificate, FileZilla-Server v0.9.37 beta keeps the PRiVATE_KEY inside the Security_Certificate!
It is wrong and is inadmissible!
Creating the Security Certificate should produce 2 files:

  1. A file containing PRiVATE_KEY, for example 'pgp1.skey'
  2. A file containing SECURiTY_CERTiFiCATE.

(!) The PRiVATE KEY should NOT be located inside the Security Certificate!
The SECURiTY CERTiFiCATE is intended for free distribution on the Internet and should NOT contain confidential data!
The PRiVATE KEY should be stored only by the Owner of the Security Certificate.

This dangerous mistake needs to be corrected URGENTLY, since FileZilla Server exposes many users who exchange confidential data to a big risk.

I have attached a sample of the CERTIFICATE created by FileZilla-Server v0.9.37 beta (the file contains an RSA_PRiVATE_KEY).

P.S.
On the whole, I express gratitude for the very useful and convenient program FileZilla FTP Client!

Attachments (1)

example_com.crt (1.9 KB) - added by Alex 9 years ago.
Security_Certificate contains RSA_PRiVATE_KEY !!!
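
A check for the condition the report describes, as an added example that is not part of the original ticket or of FileZilla's code: it scans a PEM file for private key blocks and splits them from the shareable certificate blocks. The function names and the sample are assumptions; the sample is constructed with placeholder bodies and stands in for a combined file such as the attached `example_com.crt`.

```python
import re

# Any PEM block: a BEGIN line, a body, and an END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----",
    re.DOTALL,
)

def pem_blocks(text):
    """Return (label, full_block_text) for every PEM block, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def private_key_labels(text):
    """Labels of blocks that must not be distributed, e.g. 'RSA PRIVATE KEY'."""
    return [label for label, _ in pem_blocks(text)
            if label.endswith("PRIVATE KEY")]

def split_combined(text):
    """Split a combined file into (shareable_pem, secret_pem) strings."""
    public, secret = [], []
    for label, block in pem_blocks(text):
        (secret if label.endswith("PRIVATE KEY") else public).append(block)
    return "\n".join(public) + "\n", "\n".join(secret) + "\n"

# Constructed sample: placeholder bodies, not real key or certificate data.
SAMPLE_COMBINED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "UExBQ0VIT0xERVJLRVlCT0RZ\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "UExBQ0VIT0xERVJDRVJUQk9EWQ==\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    leaked = private_key_labels(SAMPLE_COMBINED)
    cert_pem, key_pem = split_combined(SAMPLE_COMBINED)
    if leaked:
        print("do not distribute this file, it contains:", leaked)
    # cert_pem is the part that can be handed to clients;
    # key_pem belongs in a file readable only by the server account.
    print(cert_pem, end="")
```
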


Change History (4)

Changed 9 years ago by Alex

Attachment: example_com.crt added

Security_Certificate contains RSA_PRiVATE_KEY !!!

comment:1 Changed 9 years ago by Tim Kosse

Priority: critical → normal

Not critical as this bug is not a remotely exploitable security vulnerability.

comment:2 Changed 3 years ago by Kurt McKee

Triage suggestion

There has been no movement on this ticket in 6 years.

I recommend closing the ticket as "wontfix" (unless it's been fixed, of course!).

comment:3 Changed 17 months ago by Kurt McKee

Resolution: → wontfix
Status: new → closed

Hopefully this has been fixed in the last eight years, but since there have been no additional changes to this ticket, I'm closing it.
