Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Full Disclosure: Re: Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml)

Re: Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml)

From: Garrett M. Groff <groffg_at_gmgdesign.com>
Date: Fri, 18 Apr 2008 15:36:34 -0400

That issue is inherent in the FTP protocol, not FileZilla.

Resolution: set up FTP server to use either SFTP or FTPS.

- G

----- Original Message -----
From: "Joey Mengele" <joey.mengele_at_hushmail.com>
To: <full-disclosure_at_lists.grok.org.uk>; <hardwick.carl_at_gmail.com>
Sent: Friday, April 18, 2008 3:21 PM
Subject: Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords
are stored in plain text (sitemanager.xml)

>I have noticed a similar, yet much more severe flaw in Filezilla.
> When logging in to a remote server, Filezilla will send the
> password in clear text without encrypting it. This means every
> machine on the internet that it routes through can intercept it.
> Same flaw, much more serious consequences, since, who has access to
> your personal PC anyway?
>
> J
>
> On Fri, 18 Apr 2008 15:09:18 -0400 carl hardwick
> <hardwick.carl_at_gmail.com> wrote:
>>A security issue in Filezilla 3.0.9.2 (and previous versions)
>>allows
>>local users to retrieve all saved passwords because they're stored
>>in
>>a plain text sitemanager.xml
>>
>><?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
>><FileZilla3>
>> <Servers>
>> <Server>
>> <Host>ftpspace.domain.com</Host>
>> <Port>21</Port>
>> <Protocol>0</Protocol>
>> <Type>0</Type>
>> <Logontype>1</Logontype>
>> <User>user_at_domain.com</User>
>> <Pass>I'mAPlainTextPassword</Pass>
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> Love tea? Click and drink in fine teas from around the world.
> http://tagline.hushmail.com/fc/Ioyw6h4dQrpDm7lVybi3tCFHWrTmyaROe9WzHSGYBdQQdStCmOcdVO/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on Apr 18 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]