Full Disclosure mailing list archives
Re: Filezilla's silent caching of user's credentials
From: Chris Evans <scarybeasts () gmail com>
Date: Wed, 13 Oct 2010 15:32:14 -0700
Finally, a note of sanity in this thread. On Tue, Oct 12, 2010 at 8:33 PM, Mutiny <mutiny () kevinbeardsucks com> wrote:
The issue is that someone gained access to that file. You sharing your drives over the internet with read privileges? You have other vulnerable software being leveraged to read that file? Would you prefer they MD5'd it? It sounds like your issue is that your password is stored. I mean, they moved your encrypted password from passwd to shadow for a reason, but that doesn't change the fact that it's stored and if someone doesn't need access to shadow or passwd, they shouldn't have it. Stop logging into your FTP server from a public terminal with Filezilla. On 10/9/2010 11:00 AM, Vipul Agarwal wrote:That's a live and good example. I hope that now they'll understand the importance of the issue. On Fri, Oct 8, 2010 at 11:28 AM, Shirish Padalkar <shirish.padalkar () tcs com>wrote:http://www.google.com/#sclient=psy&hl=en&site=&source=hp&q=inurl:recentservers.xml&oq=inurl:recentservers.xml:) From: Ryan Sears <rdsears () mtu edu> To: full-disclosure <full-disclosure () lists grok org uk> Date: 10/08/2010 08:52 AM Subject: [Full-disclosure] Filezilla's silent caching of user's credentials Sent by: full-disclosure-bounces () lists grok org uk ------------------------------ Hi all, As some of you may or may not be aware, the popular (and IMHO one of the best) FTP/SCP program Filezilla caches your credentials for every hostyouconnect to, without either warning or ability to change this withouteditingan XML file. There have been quite a few bug and features requestsfiled,and they all get closed or rejected within a week or so. I also posted something in the developer forum inquiring about this, and received this response: "I do not see any harm in storing credentials as long as the rest ofyoursystem is properly secure as it should be." Source:(http://forum.filezilla-project.org/viewtopic.php?f=3&t=17932) To me this is not only concerning, but also completely un-acceptable.Thepasswords all get stored in PLAIN TEXT within your %appdata% directoryin anXML file. This is particularly dangerous in multi-user environments with local profiles, because as we all know physical access to a computermeansit's elementary at best to acquire information off it. Permissions onlyworkif your operating system chooses to respect them, not to mention howsimpleit is *even today* to maliciously get around windows networks using pass-the-hash along with network token manipulation techniques. There has even been a bug filed that draws out great ways topsudo-mitigatethis using built-in windows API calls, but it doesn't seem to really be going anywhere. This really concerns me because a number of my coworkersandfriends were un-aware of this behavior, and I didn't even know about it until I'd been using it for a year or so. All I really want to see is atthevery least just some warning that Filezilla does this. Filezilla bug report:(http://trac.filezilla-project.org/ticket/5530) My feelings have been said a lot more eloquently than I could ever hopetoin that bug report: "Whoever keeps closing this issue and/or dismissing its importance understands neither security nor logical argument. I apologize for theslam,but it is undeniably true. Making the same mistake over and over doesnotmake it any less of a mistake. The fact that a critical deficiency has existed for years does not make it any less critical a deficiency. Similarly, the fact that there are others (pidgin) who indulge in thesamefaulty reasoning does not make the reasoning any more sound." ~btrower While it's true you can mitigate this behavior, why should it even be enabled by default? The total lapse in security for such a feature-rich, robust piece of software is quite disturbing, and I don't understand howthedevelopers don't think this is an issue. I just wanted to gauge the FD community on this issue, because withenoughbacking and explanation from the security community as to why this is a problem, this issue may finally be resolved (it's been doing this foryearsnow). Regards, Ryan Sears _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Filezilla's silent caching of user's credentials, (continued)
- Re: Filezilla's silent caching of user's credentials dave b (Oct 16)
- Re: Filezilla's silent caching of user's credentials coderman (Oct 21)
- Re: Filezilla's silent caching of user's credentials Christian Sciberras (Oct 26)
- Re: Filezilla's silent caching of user's credentials Vipul Agarwal (Oct 09)
- Re: Filezilla's silent caching of user's credentials Brandon McGinty (Oct 11)
- Re: Filezilla's silent caching of user's credentials rdsears (Oct 11)
- Re: Filezilla's silent caching of user's credentials Mutiny (Oct 13)
- Re: Filezilla's silent caching of user's credentials Chris Evans (Oct 13)
- Re: Filezilla's silent caching of user's credentials Ryan Sears (Oct 13)
- Re: Filezilla's silent caching of user's credentials Valdis . Kletnieks (Oct 13)