mailing list archives
RE: FileZilla weakly-encrypted password vulnerability: advisory + PoC
From: "MacIntyre, Lawrence Paul" <macintyrelp () ornl gov>
Date: Wed, 07 Sep 2005 08:36:36 -0400
How hard would it be to use a passphrase to encrypt the passwords?
From: Nick Boyce [mailto:nick.boyce () gmail com]
Sent: Monday, September 05, 2005 12:57 PM
To: bugtraq () securityfocus com
Subject: Re: FileZilla weakly-encrypted password vulnerability: advisory
On 2 Sep 2005 13:59:49 -0000, m123303[ - at - ]richmond.ac.uk wrote:
There exists a problem in the way the XOR encryption is implemented
because the same cipher key is always used. This key is
hard-coded, which means that anyone can analyze the source code of
the application and find it. Of course, this wouldn't be
so easy if FileZilla wasn't an open source application.
Okay .. so (assuming that's a problem) what do you suggest is done by
the FileZilla folks about this, given that we've already established
ad nauseam that the best you can ever achieve in these circumstances
is to obfuscate the key ?
Choose "Use secure mode" during the installation (this disables
FileZilla from saving passwords), lockdown your client
machines where the FileZilla client is installed,
Well, duh ... I always do this with my FileZilla installations - don't
you ? I keep precious passwords somewhere else much safer. That's
/why/ the FileZilla installer warns you about this and suggests you
use secure mode if you're on a multi-user (or otherwise untrustable)
Keeping passwords in the registry, or an XML file (or indeed anywhere
at all that doesn't in turn require yet another password to access)
can only ever be a convenience-vs-security trade-off. No matter how
"strongly" you garble the password for storage, if the source code is
available then it won't be long before someone works out how to
ungarble it - and even if the source code is *not* released it won't
slow the Bad Guys down much.
... or update to a patched version which fixes this issue (if
Um, how can the FileZilla folks patch the problem, without again
releasing the source code of the "new improved" algorithm and/or key ?