Opened 11 years ago

Closed 9 years ago

#8237 closed Bug report (duplicate)

Encrypt passwords

Reported by: ftpuserd
Owned by:
Priority: critical
Component: FileZilla Client
Keywords: password encrypt security
Cc: yerenkov.scott@…
Component version:
Operating system type: Windows
Operating system version: All

Description

Just found out about this due to a recurrent series of website hacks which seem on investigation to be due to this error.

It's really lax. Even if FZ is not being used at the time, any virus or malware can scoop up the ftp addresses, usernames and passwords.

I have been recommending FZ for years, but I am now putting out an advisory to stop using it as a matter of urgency. For those using it to manage a lot of sites, a single infection on a client machine could trigger weeks of server clean-up work.

And I'm frankly shocked by the developer's response to tickets and forum posts on this over the years. It borders on negligence for such an otherwise excellent tool.

Change History (3)

comment:1 by AskDaddy, 11 years ago

Resolution: fixed
Status: new → closed

Hey son! If it were a security issue, you should be able to decrypt the password below.

01c4480691de06bd5a279e36057217a5

comment:2 by FileMan, 9 years ago

Cc: yerenkov.scott@… added
Resolution: fixed
Status: closed → reopened

This is definitely a major weakness in the software, and the issue is not resolved if I am able to go into "%appdata%\FileZilla\sitemanager.xml" and get this sort of information (I typed in some random information into the Site Manager in the GUI of FileZilla and this file was generated with all of the information completely in plain text):

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>123</Host>
      <Port>27</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>123</User>
      <Pass>123asdASD</Pass>
      <Logontype>1</Logontype>
      <TimezoneOffset>0</TimezoneOffset>
      <PasvMode>MODE_DEFAULT</PasvMode>
      <MaximumMultipleConnections>0</MaximumMultipleConnections>
      <EncodingType>Auto</EncodingType>
      <BypassProxy>0</BypassProxy>
      <Name>New site</Name>
      <Comments />
      <LocalDir />
      <RemoteDir />
      <SyncBrowsing>0</SyncBrowsing>New site
    </Server>
  </Servers>
</FileZilla3>

--
I am sure that there is a very simple solution to this, such as encrypting it and then storing the encryption key (protected by the user's username and password) on the site in their account. Or to offer the ability at least to pay for some space to store keys on the site. And even if storing on the site would be a bad idea, at least offering encryption and then giving an encryption key to maybe be stored on a USB stick or something.
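As an added example that is not part of the ticket or of FileZilla's own code: a small Python audit that parses a sitemanager.xml in the layout posted above and reports, per site, whether the stored password can be read straight out of the file by anything able to open it. The sample document is constructed. Its first entry mirrors the one in the comment (including the site name repeated as trailing text inside <Server>); the second uses the encoding="base64" form that later FileZilla releases write, which only encodes and so is just as recoverable; the third is an assumed key-file entry with no <Pass>; the fourth carries a hypothetical encoding the script does not understand, to show the branch that stops short of claiming recovery.

```python
"""Audit a FileZilla sitemanager.xml for recoverable stored passwords.

Added example, not code from the ticket or from FileZilla.
"""
import base64
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not a real user's file). Entry 1 mirrors the ticket,
# entry 2 uses the base64 form later releases write, entry 3 stores no
# password (assumed key-file logon), entry 4 uses a hypothetical encoding.
SAMPLE_SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>123</Host>
      <Port>27</Port>
      <Protocol>0</Protocol>
      <User>123</User>
      <Pass>123asdASD</Pass>
      <Logontype>1</Logontype>
      <Name>New site</Name>
      <SyncBrowsing>0</SyncBrowsing>New site
    </Server>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>Encoded example</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Logontype>5</Logontype>
      <Name>Key example</Name>
    </Server>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>ops</User>
      <Pass encoding="hypothetical-scheme">AAAA</Pass>
      <Logontype>1</Logontype>
      <Name>Opaque example</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def recover_password(pass_el):
    """Return the stored password as plaintext, or None if this audit cannot
    recover it. No encoding attribute means the text IS the password; base64
    is an encoding, not encryption, so it is equally recoverable. Anything
    else is left alone rather than guessed at."""
    if pass_el is None or not pass_el.text:
        return None
    encoding = pass_el.get("encoding")
    if encoding is None:
        return pass_el.text
    if encoding == "base64":
        return base64.b64decode(pass_el.text).decode("utf-8")
    return None


def audit_sitemanager(xml_text):
    """One finding per <Server>. status is 'plaintext', 'base64' (trivially
    decodable), 'opaque' (unknown encoding) or 'none' (no <Pass> element)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        secret = recover_password(pass_el)
        if pass_el is None:
            status = "none"
        elif pass_el.get("encoding") is None:
            status = "plaintext"
        elif secret is not None:
            status = "base64"
        else:
            status = "opaque"
        findings.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": server.findtext("Host", ""),
            "port": server.findtext("Port", ""),
            "user": server.findtext("User", ""),
            "status": status,
            "password": secret,
        })
    return findings


def count_recoverable(findings):
    """Number of entries whose password any reader of the file can obtain."""
    return sum(1 for f in findings if f["password"] is not None)


def main(argv):
    # Pass a path (on Windows: %APPDATA%\FileZilla\sitemanager.xml, as in
    # comment 2) to audit a real file; with no argument the sample is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_SITEMANAGER_XML
    findings = audit_sitemanager(xml_text)
    for f in findings:
        shown = f["password"] if f["password"] is not None else "-"
        print(f"{f['status']:9} {f['user']}@{f['host']}:{f['port']}  ({f['name']})  password={shown}")
    print(f"{count_recoverable(findings)} of {len(findings)} entries have a recoverable password")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments to see the four constructed cases; run with the path to a real sitemanager.xml to see what any process in the user's session, including the malware the reporter describes, can read from it.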

comment:3 by Alexander Schuch, 9 years ago

Resolution: duplicate
Status: reopened → closed

This is a duplicate of either ticket:5530 or ticket:8173, depending on the facility used for encryption.
