Beast vulnerability found in Filezila

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
yellowrider03
500 Command not understood
Posts: 1
Joined: 2020-05-06 23:09
First name: Timothy
Last name: Patterson

Beast vulnerability found in Filezila

#1 Post by yellowrider03 » 2020-05-06 23:16

I'm posting to reach out if anyone has had an occurrence of the Beast vulnerability within the version 0.9.60beta showing up with an internal scan reflecting Negotiated cipher suite: AES256-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=AES-CBC(256)|Mac=SHA1 off TLS port 990.

This is showing a vulnerability and I find no record to remediate this - I believe if AES 256 is turned off Filezilla will no longer work.

Any input will be much appreciated.

User avatar
botg
Site Admin
Posts: 33237
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Beast vulnerability found in Filezila

#2 Post by botg » 2020-05-07 10:07

You can disable TLSv1 by setting the "Minimum TLS version" in FileZilla Server.xml to 1 or 2, to require at least TLSv1.1 or 1.2 respectively.

Post Reply