Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml)

I disagree, read the RFC. There are plenty of more secure FTP 
clients such as the OpenSSH.com groups proactive secure Secure FTP 
(sftp) implementation of FTP.

J

On Fri, 18 Apr 2008 15:36:34 -0400 "Garrett M. Groff" 
<groffg@gmgdesign.com> wrote:
> That issue is inherent in the FTP protocol, not FileZilla.
>
> Resolution: set up FTP server to use either SFTP or FTPS.
>
> - G
>
>
> ----- Original Message ----- 
> From: "Joey Mengele" <joey.mengele@hushmail.com>
> To: <full-disclosure@lists.grok.org.uk>; <hardwick.carl@gmail.com>
> Sent: Friday, April 18, 2008 3:21 PM
> Subject: Re: [Full-disclosure] Security issue in Filezilla 
> 3.0.9.2:passwords 
> are stored in plain text (sitemanager.xml)
>
>
> > I have noticed a similar, yet much more severe flaw in Filezilla.
> > When logging in to a remote server, Filezilla will send the
> > password in clear text without encrypting it. This means every
> > machine on the internet that it routes through can intercept it.
> > Same flaw, much more serious consequences, since, who has access 
> to
> > your personal PC anyway?
> >
> > J
> >
> > On Fri, 18 Apr 2008 15:09:18 -0400 carl hardwick
> > <hardwick.carl@gmail.com> wrote:
> > > A security issue in Filezilla 3.0.9.2 (and previous versions)
> > > allows
> > > local users to retrieve all saved passwords because they're 
> stored
> > > in
> > > a plain text sitemanager.xml
> > >
> > > <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
> > > <FileZilla3>
> > >    <Servers>
> > >        <Server>
> > >            <Host>ftpspace.domain.com</Host>
> > >            <Port>21</Port>
> > >            <Protocol>0</Protocol>
> > >            <Type>0</Type>
> > >            <Logontype>1</Logontype>
> > >            <User>user@domain.com</User>
> > >            <Pass>I'mAPlainTextPassword</Pass>
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > --
> > Love tea? Click and drink in fine teas from around the world.
> http://tagline.hushmail.com/fc/Ioyw6h4dQrpDm7lVybi3tCFHWrTmyaROe9Wz
> HSGYBdQQdStCmOcdVO/
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
Self-Employed? Need a Health Plan?  Click here to get self-employed health 
insurance.
http://tagline.hushmail.com/fc/Ioyw6h4dO2cCFhf30yfrEmvtuogkivsLXdqjo6vqX4h6CuwtZdDLw0/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/