questions about the new FileZilla Server v.1.0.0

Posted: 2021-09-14 18:03
by iqigravity
Hi,

is there any way to migrate the settings of the old 0.9.60 - installation to the latest 1.0.0?

Next I checked the content of C:\Users\BLA\AppData\Local\filezilla-server-gui\settings.xml
and what I saw is:

-------------snip----------------
<filezilla>
<!--Information about the FileZilla FTP servers to connect to.-->
<server>
<name>127.0.0.1</name>
<host>127.0.0.1</host>
<port>14148</port>
<password>CLEAR-TEXT-PASSWORD-HERE</password>
<fingerprint>bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla</fingerprint>
</server>
-------------snap----------------

And so my second question is just as follows: Why?!? :?: :shock:

And the last one: Why is it not possible anymore to minimize the new admin-interface to system-tray?

thanks in advance
IQI

Re: questions about the new FileZilla Server v.1.0.0

Posted: 2021-09-14 18:58
by boco
Hi,

is there any way to migrate the settings of the old 0.9.60 - installation to the latest 1.0.0?
This should already happen (for 0.9.60 servers installed by the standard installer). When I installed 1.0.0 (-rc1 back then), it did migrate the old settings.
And so my second question is just as follows: Why?!?
Why not? That password is only used for connecting the admin interface to the server engine, and it's only ever stored on your user profile. No other user has access to it.
And the last one: Why is it not possible anymore to minimize the new admin-interface to system-tray?
Because it's not implemented, yet, but planned.

Re: questions about the new FileZilla Server v.1.0.0

Posted: 2021-09-14 22:08
by iqigravity
Why not? That password is only used for connecting the admin interface to the server engine, and it's only ever stored on your user profile. No other user has access to it.
Malware exists.
And malware loves such pre-defined file-locations where it can search for plain-text passwords in files.

The bad thing is not the fact that someone maybe getting access to the admin-interface. That is not a critical issue.

But what really makes me worry is the fact that not all users will generate a random exclusive admin-interface password.
Instead they will simply use one of their favourite 4-5 passwords and type them in. Let it be laziness or whatever.

Is it that difficult to make your program save it in a hashed or salted-hashed way - as other programs do?

Re: questions about the new FileZilla Server v.1.0.0

Posted: 2021-09-15 01:09
by boco
Unless you are doing any remote administration of the server, the password is optional. By default, it is blank.

Re: questions about the new FileZilla Server v.1.0.0

Posted: 2021-09-15 07:09
by oibaf
iqigravity wrote:
2021-09-14 22:08
Is it that difficult to make your program save it in a hashed or salted-hashed way - as other programs do?
Hi,

The password is saved hashed and salted, in the FileZilla Server settings (look at C:\Users\BLA\AppData\Local\filezilla-server\settings.xml), but the Administration UI must have access to an un-hashed and un-salted version of it to be able to transmit it over to the Server.

It could be encrypted, but you'd then need another password to unencrypt it at least when the Administration UI is started, which wouldn't be much less effort than just not saving the administration password in the first place.

Which takes us to another point: if you have reasons to believe that saving the admin password in clear in the Admin UI configuration file is not desired, you have the option to not save the password at all.

Mind you, the old server administration behaved the same way.
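
An added example, written for this thread and not code from any poster or from FileZilla itself: a small Python script that parses the Admin UI settings.xml format quoted earlier, reports which saved connections carry a clear-text admin password, and blanks them, which is the "do not save the password" option applied after the fact. The sample XML and the second server entry are constructed; on a real system the file is the per-user filezilla-server-gui\settings.xml path quoted above (the filezilla-server folder holds the server engine's own settings, not the Admin UI's).

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumption) mirroring the snippet posted above; not a real file.
SAMPLE_SETTINGS_XML = """<filezilla>
<!--Information about the FileZilla FTP servers to connect to.-->
<server>
<name>127.0.0.1</name>
<host>127.0.0.1</host>
<port>14148</port>
<password>CLEAR-TEXT-PASSWORD-HERE</password>
<fingerprint>bla:bla:bla</fingerprint>
</server>
<server>
<name>second-host</name>
<host>192.0.2.10</host>
<port>14148</port>
<password></password>
</server>
</filezilla>
"""

def audit_saved_passwords(xml_text):
    """Return [(name, host, port, saved)] per <server>; saved is True when a
    non-empty <password> exists, i.e. the admin password sits in clear text."""
    findings = []
    for server in ET.fromstring(xml_text).iter("server"):
        name = (server.findtext("name") or "").strip()
        host = (server.findtext("host") or "").strip()
        port = (server.findtext("port") or "").strip()
        saved = bool((server.findtext("password") or "").strip())
        findings.append((name, host, port, saved))
    return findings

def strip_saved_passwords(xml_text):
    """Blank every non-empty <password> (the 'do not save the password' choice
    applied after the fact); host, port and fingerprint are kept so the profile
    still works. Returns (new_xml, number_of_entries_cleared)."""
    root = ET.fromstring(xml_text)
    cleared = 0
    for pw in root.iter("password"):
        if (pw.text or "").strip():
            pw.text = ""
            cleared += 1
    return ET.tostring(root, encoding="unicode"), cleared

if __name__ == "__main__":
    for name, host, port, saved in audit_saved_passwords(SAMPLE_SETTINGS_XML):
        print(f"{name} ({host}:{port}): password {'SAVED IN CLEAR' if saved else 'not saved'}")
    print(f"cleared {strip_saved_passwords(SAMPLE_SETTINGS_XML)[1]} stored password(s)")
```

To apply the cleanup to a real install, read the file, pass its text to strip_saved_passwords, and write the returned XML back; the Admin UI will then prompt for the password on connect.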

Re: questions about the new FileZilla Server v.1.0.0

Posted: 2021-09-15 16:14
by boco
Small addendum: Most users will install the server as a system service. The settings for the service are stored elsewhere.

C:\Windows\System32\config\systemprofile\AppData\Local\filezilla-server

Re: questions about the new FileZilla Server v.1.0.0

Posted: 2021-09-18 01:32
by boco
You could employ the same mechanism used by FileZilla to obfuscate the password. Some users easily panic each time they see their passwords stored in clear text.

Since using obfuscation in FileZilla, no questions of that type have been asked again.

Re: questions about the new FileZilla Server v.1.0.0

Posted: 2021-09-20 07:50
by botg
It is already obfuscated with double-ROT13.