Security

Post all HTML related questions here. No support.

Moderator: Project members

Deyssenroth
500 Command not understood
Posts: 2
Joined: 2013-02-28 15:48
First name: Hans

Security

#1 Post by Deyssenroth » 2013-02-28 15:56

FileZilla creates a folder under user->appdata->roaming. In this folder there is a file called sitemanager.xml and here I see my password in clear text. A hacker (or trojan) on my PC can use this password and can overwrite my websites!

Please change this.

Thanks and best wishes,

Hans

botg
Site Admin
Posts: 33162
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Security

#2 Post by botg » 2013-02-28 21:28

And? Even if no passwords are stored, a hacker (or trojan) on your PC can get your passwords the moment you enter them. You need to prevent infection in the first place.

boco
Contributor
Posts: 25276
Joined: 2006-05-01 03:28
Location: Germany

Re: Security

#3 Post by boco » 2013-02-28 21:31

Once a hacker (or trojan) gets onto your PC it's too late already.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

Deyssenroth
500 Command not understood
Posts: 2
Joined: 2013-02-28 15:48
First name: Hans

Re: Security

#4 Post by Deyssenroth » 2013-03-01 13:20

botg wrote: And? Even if no passwords are stored, a hacker (or trojan) on your PC can get your passwords the moment you enter them. You need to prevent infection in the first place.
--------

That's obvious. But many trojans are not recognized in the first step and some are so sophisticated that they will never be detected. I think the FileZilla programmers should encrypt the password in this file.

boco
Contributor
Posts: 25276
Joined: 2006-05-01 03:28
Location: Germany

Re: Security

#5 Post by boco » 2013-03-02 22:30

And you really think such a sophisticated trojan will be stopped by a simple obfuscation in the settings file?

pentester
500 Command not understood
Posts: 3
Joined: 2013-03-12 11:32
First name: Lion
Last name: MSGSYSTEMS

Re: Security

#6 Post by pentester » 2013-03-12 11:46

How about encrypting the password by using a master password which is set by the user and is NOT stored at all?! + a private FileZilla password to make the master password secure even if it is not that long?

@botg When I use SSL/FTPS[...] and the password is stored in FileZilla in a secure way he would get nothing, even with a trojan on the PC...

Think before you post...

boco
Contributor
Posts: 25276
Joined: 2006-05-01 03:28
Location: Germany

Re: Security

#7 Post by boco » 2013-03-12 14:34

Wrong. In order for a password to be sent to the server it has to be decrypted in memory on that machine first. FTP over TLS/SSL only protects against man-in-the-middle attacks; it provides no endpoint protection. Malware on a machine is able to do anything the user account it runs under is. FileZilla runs under your user account. As soon as the passwords are entered or decrypted the malware grabs them from memory. Easy as pie.

Any system that has or had malware on it must be regarded as being compromised!

kachi
500 Command not understood
Posts: 1
Joined: 2013-03-23 12:02
First name: Onyekachi
Last name: Ogbonna
Location: Nigeria

Re: Security

#8 Post by kachi » 2013-03-24 22:13

You have to prevent hackers from entering your PC. Just as you have said that your "password is open and clear", even if it is encrypted, they can decrypt it once they find their way into your database.
Regards,
Kachi

Alan Grift
500 Command not understood
Posts: 2
Joined: 2013-03-26 12:37

Re: Security

#9 Post by Alan Grift » 2013-03-26 12:48

boco wrote: And you really think such a sophisticated trojan will be stopped by a simple obfuscation in the settings file?
But having some sort of encrypted password would make it just that little bit more difficult, don't you think?

boco
Contributor
Posts: 25276
Joined: 2006-05-01 03:28
Location: Germany

Re: Security

#10 Post by boco » 2013-06-04 23:37

No, it would not. Imagine you're a computer. You can do billions of operations per second. To circumvent a simple obfuscation is a matter of milliseconds, if not faster.
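
The two storage options argued over in this thread, side by side, as an added example that is not part of any post and is not FileZilla's code: an encoding that needs no secret to reverse, and a record protected under a key derived from a master password that is never stored. The function names, record layout and iteration count are assumptions, the sample password is constructed, and the PBKDF2 keystream with an HMAC tag is a standard-library stand-in for a vetted authenticated cipher.

```python
import base64, hashlib, hmac, os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this sketch)

def obfuscate(password):
    """Encoding only: anyone who can read the file can reverse it."""
    return base64.b64encode(password.encode()).decode()

def deobfuscate(blob):
    return base64.b64decode(blob).decode()

def _derive(master, salt, n):
    # One PBKDF2 call yields a 32-byte MAC key plus an n-byte keystream.
    # The salt is fresh per record, so a keystream is never reused.
    out = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, 32 + n)
    return out[:32], out[32:]

def protect(password, master):
    """Encrypt-then-MAC under a key derived from the master password."""
    data = password.encode()
    salt = os.urandom(16)
    mac_key, stream = _derive(master, salt, len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "ct": ct.hex(), "tag": tag.hex()}

def reveal(record, master):
    salt, ct = bytes.fromhex(record["salt"]), bytes.fromhex(record["ct"])
    mac_key, stream = _derive(master, salt, len(ct))
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        raise ValueError("wrong master password or modified record")
    # From this point the plaintext exists in this process's memory,
    # readable by anything running under the same user account.
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()

if __name__ == "__main__":
    site_pw = "s3cret-ftp-pw"  # constructed sample value
    print("obfuscated, reversed with no secret:", deobfuscate(obfuscate(site_pw)))
    rec = protect(site_pw, "correct horse")
    print("stored record:", rec)
    print("revealed with master password:", reveal(rec, "correct horse"))
    try:
        reveal(rec, "wrong guess")
    except ValueError as err:
        print("without it:", err)
```

The stored record resists someone who only obtains a copy of the file; once `reveal` has run, the password is in process memory, which is the endpoint limit described in post #7.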
