[Full-disclosure] Security issue in Filezilla 3.0.9.2: passwords are stored in plain text (sitemanager.xml)

2008-04-18 Thread carl hardwick
A security issue in Filezilla 3.0.9.2 (and previous versions) allows local users to retrieve all saved passwords because they're stored in a plain text sitemanager.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<FileZilla3>
<Servers>
<Server>
<Host>ftpspace.domain.com</Host>

Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2: passwords are stored in plain text (sitemanager.xml)

2008-04-18 Thread Joey Mengele
I have noticed a similar, yet much more severe flaw in Filezilla. When logging in to a remote server, Filezilla will send the password in clear text without encrypting it. This means every machine on the internet that it routes through can intercept it. Same flaw, much more serious

Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2: passwords are stored in plain text (sitemanager.xml)

2008-04-18 Thread reepex
FTP PASSWORDS ARE STORED IN PLAINTEXT?!?!?!?! HOLY FUCK
On Fri, Apr 18, 2008 at 2:09 PM, carl hardwick [EMAIL PROTECTED] wrote:
> A security issue in Filezilla 3.0.9.2 (and previous versions) allows local users to retrieve all saved passwords because they're stored in a plain text

Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2: passwords are stored in plain text (sitemanager.xml)

2008-04-18 Thread Garrett M. Groff
Per the FileZilla feature page (http://filezilla-project.org/client_features.php):
"Supports FTP, FTP over SSL/TLS (FTPS) and SSH File Transfer Protocol (SFTP)"
Did you try selecting the option to use FTPS in FileZilla? Using the plain vanilla FTP protocol in any other FTP client will yield the

Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2: passwords are stored in plain text (sitemanager.xml)

2008-04-18 Thread Joey Mengele
Dear Groff,
On Fri, 18 Apr 2008 16:04:29 -0400 Garrett M. Groff [EMAIL PROTECTED] wrote:
> Per the FileZilla feature page (http://filezilla-project.org/client_features.php):
> "Supports FTP, FTP over SSL/TLS (FTPS) and SSH File Transfer Protocol (SFTP)"
> Did you try selecting the option to use

Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2: passwords are stored in plain text (sitemanager.xml)

2008-04-18 Thread Valdis Kletnieks
On Fri, 18 Apr 2008 15:42:44 EDT, Joey Mengele said:
> I disagree, read the RFC. There are plenty of more secure FTP clients such as the OpenSSH.com group's proactive secure Secure FTP (sftp) implementation of FTP.
Right, except that SFTP isn't the RFC959 protocol that lives on ports 20/21,

Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2: passwords are stored in plain text (sitemanager.xml)

2008-04-18 Thread Joey Mengele
Valdis,
On Fri, 18 Apr 2008 16:10:41 -0400 [EMAIL PROTECTED] wrote:
> On Fri, 18 Apr 2008 15:42:44 EDT, Joey Mengele said:
> > I disagree, read the RFC. There are plenty of more secure FTP clients such as the OpenSSH.com group's proactive secure Secure FTP (sftp) implementation of FTP.
> Right,

Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2: passwords are stored in plain text (sitemanager.xml)

2008-04-18 Thread Valdis Kletnieks
On Fri, 18 Apr 2008 16:16:59 EDT, Joey Mengele said:
> Then how do you explain the security offered by section 3.4.3 of RFC959? Or did you just skip over that...
3.4.3. COMPRESSED MODE
There are three kinds of information to be sent: regular data, sent in a byte

Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2: passwords are stored in plain text (sitemanager.xml)

2008-04-18 Thread Joey Mengele
Valdis,
On Fri, 18 Apr 2008 16:24:13 -0400 [EMAIL PROTECTED] wrote:
> 3.4.3. COMPRESSED MODE
> There are three kinds of information to be sent: regular data, sent in a byte string; compressed data, consisting of replications or filler; and control information,