Full Disclosure mailing list archives

Re: Filezilla's silent caching of user's credentials
From: Michael Wood <itnetsec () gmail com>
Date: Fri, 8 Oct 2010 01:42:15 -0400

I agree.  I've always wondered why this information was stored in plain
text...baffles me

Sent from my Droid Incredible
Virtuous ROM v3.0.1
On Oct 7, 2010 11:22 PM, "Ryan Sears" <rdsears () mtu edu> wrote:
Hi all,

As some of you may or may not be aware, the popular (and IMHO one of the
best) FTP/SCP program Filezilla caches your credentials for every host you
connect to, without either a warning or the ability to change this without
editing an XML file. There have been quite a few bug and feature requests
filed, and they all get closed or rejected within a week or so. I also posted
something in the developer forum inquiring about this, and received this:

"I do not see any harm in storing credentials as long as the rest of your
system is properly secure as it should be."


To me this is not only concerning, but also completely unacceptable. The
passwords all get stored in PLAIN TEXT within your %appdata% directory in an
XML file. This is particularly dangerous in multi-user environments with
local profiles, because as we all know physical access to a computer means
it's elementary at best to acquire information off it. Permissions only work
if your operating system chooses to respect them, not to mention how simple
it is *even today* to maliciously get around Windows networks using
pass-the-hash along with network token manipulation techniques.

There has even been a bug filed that draws out great ways to
pseudo-mitigate this using built-in Windows API calls, but it doesn't seem to
really be going anywhere. This really concerns me because a number of my
coworkers and friends were unaware of this behavior, and I didn't even know
about it until I'd been using it for a year or so. All I really want to see
is at the very least just some warning that Filezilla does this.

Filezilla bug report: http://trac.filezilla-project.org/ticket/5530

My feelings have been said a lot more eloquently than I could ever hope to
in that bug report:

"Whoever keeps closing this issue and/or dismissing its importance
understands neither security nor logical argument. I apologize for the slam,
but it is undeniably true. Making the same mistake over and over does not
make it any less of a mistake. The fact that a critical deficiency has
existed for years does not make it any less critical a deficiency.
Similarly, the fact that there are others (pidgin) who indulge in the same
faulty reasoning does not make the reasoning any more sound." ~btrower

While it's true you can mitigate this behavior, why should it even be
enabled by default? The total lapse in security for such a feature-rich,
robust piece of software is quite disturbing, and I don't understand how the
developers don't think this is an issue.

I just wanted to gauge the FD community on this issue, because with enough
backing and explanation from the security community as to why this is a
problem, this issue may finally be resolved (it's been doing this for years

Ryan Sears

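The post describes the problem only loosely (an XML file under %appdata% holding passwords in clear). The following is an added example, not code from the FileZilla project or from either poster, that shows what an auditor on a shared machine would actually pull out of such a file: it parses a constructed document in the shape of a FileZilla site list, handles both a clear-text <Pass> element and one carrying a base64 "encoding" attribute (an assumption about later file versions, not something the post states), and returns the recovered host/user/password triples. The file names sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla are assumptions for the path helper; the sample XML below is constructed for the example.

```python
"""Audit a FileZilla-style site XML file for stored credentials.

Added example, not FileZilla's own code. The element layout
(<FileZilla3>/<Servers>/<Server> with <Host>, <Port>, <User>, <Pass>) and
the optional encoding="base64" attribute on <Pass> are assumptions made
for this example; the sample document below is constructed, not captured.
"""
import base64
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample: two saved servers with stored passwords (one clear,
# one base64-wrapped) and one anonymous entry that stores nothing.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>alice</User>
      <Pass>hunter2</Pass>
      <Name>Prod FTP</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Logontype>1</Logontype>
      <User>bob</User>
      <Pass encoding="base64">Y29ycmVjdGhvcnNl</Pass>
      <Name>Backup host</Name>
    </Server>
    <Server>
      <Host>anon.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>0</Logontype>
      <Name>Anonymous mirror</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Assumed file names; the post only says "an XML file" under %appdata%.
CANDIDATE_FILES = ("sitemanager.xml", "recentservers.xml")


def decode_password(pass_el: Optional[ET.Element]) -> Optional[str]:
    """Return the stored password in clear, or None if none is stored.

    base64 is an encoding, not encryption: anyone who can read the file
    recovers the password with one library call.
    """
    if pass_el is None or pass_el.text is None:
        return None
    if pass_el.get("encoding") == "base64":
        return base64.b64decode(pass_el.text.strip()).decode("utf-8")
    return pass_el.text


def extract_credentials(xml_text: str) -> List[Dict[str, Optional[str]]]:
    """Parse a site-list document and return every entry with a password."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    found: List[Dict[str, Optional[str]]] = []
    for server in root.iter("Server"):
        password = decode_password(server.find("Pass"))
        if password is None:
            continue  # anonymous or ask-on-connect entries hold no secret
        found.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": server.findtext("Host"),
            "port": server.findtext("Port"),
            "user": server.findtext("User"),
            "password": password,
        })
    return found


def mask(secret: str) -> str:
    """Keep the first character so an operator can confirm a match."""
    return secret[:1] + "*" * (len(secret) - 1)


def candidate_paths(appdata: Optional[str] = None) -> List[str]:
    """Build the assumed on-disk locations from %APPDATA% (or a given root)."""
    root = appdata if appdata is not None else os.environ.get("APPDATA", "")
    return [os.path.join(root, "FileZilla", name) for name in CANDIDATE_FILES]


def audit_file(path: str) -> List[Dict[str, Optional[str]]]:
    """Read one file from disk; missing files simply yield no entries."""
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="utf-8") as fh:
        return extract_credentials(fh.read())


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a real profile
    # you would iterate over candidate_paths() and call audit_file().
    for entry in extract_credentials(SAMPLE_XML):
        print(f'{entry["name"]}: {entry["user"]}@{entry["host"]}:'
              f'{entry["port"]} password={mask(entry["password"])}')
```

The script prints masked passwords on purpose: an audit run on a shared workstation should demonstrate exposure without writing the secrets into yet another log file. The point it makes for the thread is that file permissions are the only barrier, and a base64 wrapper adds none.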
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/