Full Disclosure mailing list archives

Re: Filezilla's silent caching of user's credentials
From: Hurgel Bumpf <l0rd_lunatic () yahoo com>
Date: Fri, 8 Oct 2010 12:46:06 +0100 (BST)

No one really cares about session keys or credentials:

http://www.google.com/search?q=%22Apache+Server+Status+for%22+%22Server+Version%22+-%22How+to%22+-Guide+-Tuning&hl=en&biw=1430&bih=789&ei=KQOvTPv-Oo_Jswb7oJHTDQ&start=10&sa=N

27,800 hits..

This is a misconfiguration done by the administrator.

So I like that quote:

"I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be."


"Let He Who Is Without Sin Cast The First Stone"




--- Jeffrey Walton <noloader () gmail com> wrote on Fri, 8.10.2010:

From: Jeffrey Walton <noloader () gmail com>
Subject: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
To: "Ryan Sears" <rdsears () mtu edu>
CC: "full-disclosure" <full-disclosure () lists grok org uk>
Date: Friday, 8 October 2010, 02:25
Hi Ryan,

No inline comments. Sorry (I wanted to reorder topics).

I just wanted to gauge the FD community on this issue, because with enough backing and explanation from the security community as to why this is a problem, this issue may finally be resolved (it's been doing this for years now)

This is an alarming trend in open source software, and diametrically opposed to the claims of "more eyes equates to more secure", "open source software is more secure", and "open source software fixes bugs faster than other software models".

It also blows away the theory of "Darwinian Software Evolution": good, robust, secure software thrives and lesser software dies. Filezilla and the Python example below are "proofs by counter example". It appears the model in use is greatly influenced by popularity, which makes it more appropriate for politicians (who tend to lie for a living) ;)

"I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be."
Source:(http://forum.filezilla-project.org/viewtopic.php?f=3&t=17932)

That should earn the project a Pwnie Award nomination for lamest vendor response (http://pwnies.com/).

To me this is not only concerning, but also completely unacceptable.

Agreed.

Other recent similar examples of this sort of response by open source projects include "Python ssl handling could be better...", where the Python Standard Library did not (still does not?) verify the hostname in the certificate with CN or SubAlt name (http://seclists.org/fulldisclosure/2010/Sep/381). The python bug was filed in 2007 (http://bugs.python.org/issue1589).

Jeff

On Thu, Oct 7, 2010 at 11:10 PM, Ryan Sears <rdsears () mtu edu> wrote:
Hi all,

As some of you may or may not be aware, the popular
(and IMHO one of the best) FTP/SCP program Filezilla caches
your credentials for every host you connect to, without
either warning or ability to change this without editing an
XML file. There have been quite a few bug and features
requests filed, and they all get closed or rejected within a
week or so. I also posted something in the developer forum
inquiring about this, and received this response:

"I do not see any harm in storing credentials as long
as the rest of your system is properly secure as it should
be."

Source:(http://forum.filezilla-project.org/viewtopic.php?f=3&t=17932)

To me this is not only concerning, but also completely
unacceptable. The passwords all get stored in PLAIN TEXT
within your %appdata% directory in an XML file. This is
particularly dangerous in multi-user environments with local
profiles, because as we all know physical access to a
computer means it's elementary at best to acquire
information off it. Permissions only work if your operating
system chooses to respect them, not to mention how simple it
is *even today* to maliciously get around Windows networks
using pass-the-hash along with network token manipulation
techniques.

There has even been a bug filed that draws out great
ways to pseudo-mitigate this using built-in Windows API
calls, but it doesn't seem to really be going anywhere. This
really concerns me because a number of my coworkers and
friends were unaware of this behavior, and I didn't even
know about it until I'd been using it for a year or so. All
I really want to see is at the very least just some warning
that Filezilla does this.

Filezilla bug report:(http://trac.filezilla-project.org/ticket/5530)

My feelings have been said a lot more eloquently than
I could ever hope to in that bug report:

"Whoever keeps closing this issue and/or dismissing
its importance understands neither security nor logical
argument. I apologize for the slam, but it is undeniably
true. Making the same mistake over and over does not make it
any less of a mistake. The fact that a critical deficiency
has existed for years does not make it any less critical a
deficiency. Similarly, the fact that there are others
(pidgin) who indulge in the same faulty reasoning does not
make the reasoning any more sound." ~btrower

While it's true you can mitigate this behavior, why
should it even be enabled by default? The total lapse in
security for such a feature-rich, robust piece of software
is quite disturbing, and I don't understand how the
developers don't think this is an issue.

I just wanted to gauge the FD community on this issue,
because with enough backing and explanation from the
security community as to why this is a problem, this issue
may finally be resolved (it's been doing this for years
now).

Regards,
Ryan Sears


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
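The hostname check that Jeff's message says the Python standard library lacked at the time, written here as an added example (it is not code from this thread, from FileZilla or from Python itself): a match_hostname routine over the dictionary shape that ssl.SSLSocket.getpeercert() returns, which treats subjectAltName DNS entries as authoritative and falls back to the subject commonName only when the certificate carries no DNS SAN. The certificate dictionaries and hostnames below are constructed placeholders.

```python
import ssl

def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A single '*' is accepted only as the whole leftmost label and matches
    exactly one label, so '*.example.test' covers 'a.example.test' but not
    'a.b.example.test' or 'example.test'. Partial wildcards ('f*.example.test')
    and a bare '*.tld' are rejected.
    """
    pats = pattern.lower().split(".")
    hosts = hostname.lower().rstrip(".").split(".")
    if len(pats) != len(hosts) or "" in hosts:
        return False
    if pats[0] == "*":
        return len(pats) >= 3 and pats[1:] == hosts[1:]
    if "*" in pattern:
        return False
    return pats == hosts

def match_hostname(cert: dict, hostname: str) -> bool:
    """Return True if hostname is covered by the certificate.

    cert has the shape ssl.SSLSocket.getpeercert() returns. Per RFC 6125,
    subjectAltName DNS entries are authoritative; the subject commonName is
    consulted only when the certificate carries no DNS SAN at all.
    """
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dnsname_match(n, hostname) for n in names)

def default_context_checks_hostname() -> bool:
    """Current Python enables hostname checking in its default client context."""
    return ssl.create_default_context().check_hostname

# Constructed sample certificates (placeholder names, not real hosts).
SAN_CERT = {
    "subject": ((("commonName", "files.example.test"),),),
    "subjectAltName": (("DNS", "ftp.example.test"), ("DNS", "*.mirror.example.test")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.test"),),)}

if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "ftp.example.test"), (SAN_CERT, "files.example.test"),
                       (SAN_CERT, "x.mirror.example.test"), (CN_ONLY_CERT, "legacy.example.test")]:
        print(host, "->", "accepted" if match_hostname(cert, host) else "rejected")
```

Note that "files.example.test" is rejected even though it is the CN, because the certificate has SAN entries and those take precedence.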
