questions about the new FileZilla Server v.1.0.0

iqigravity
504 Command not implemented
Posts: 6
Joined: 2008-07-23 22:47
First name: werner
Last name: meier

questions about the new FileZilla Server v.1.0.0

#1 Post by iqigravity » 2021-09-14 18:03

Hi,

is there any way to migrate the settings of the old 0.9.60 - installation to the latest 1.0.0?

Next I checked the content of C:\Users\BLA\AppData\Local\filezilla-server-gui\settings.xml
and what I saw is:

-------------snip----------------
<filezilla>
<!--Information about the FileZilla FTP servers to connect to.-->
<server>
<name>127.0.0.1</name>
<host>127.0.0.1</host>
<port>14148</port>
<password>CLEAR-TEXT-PASSWORD-HERE</password>
<fingerprint>bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla</fingerprint>
</server>
-------------snap----------------

And so my second question is just as follows: Why?!? :?: :shock:

And the last one: Why is it not possible anymore to minimize the new admin-interface to system-tray?

thanks in advance
IQI

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

Re: questions about the new FileZilla Server v.1.0.0

#2 Post by boco » 2021-09-14 18:58

Hi,

> is there any way to migrate the settings of the old 0.9.60 - installation to the latest 1.0.0?

This should already happen (for 0.9.60 servers installed by the standard installer). When I installed 1.0.0 (-rc1 back then), it did migrate the old settings.

> And so my second question is just as follows: Why?!?

Why not? That password is only used for connecting the admin interface to the server engine, and it's only ever stored on your user profile. No other user has access to it.

> And the last one: Why is it not possible anymore to minimize the new admin-interface to system-tray?

Because it's not implemented, yet, but planned.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Please do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

Re: questions about the new FileZilla Server v.1.0.0

#3 Post by iqigravity » 2021-09-14 22:08

> Why not? That password is only used for connecting the admin interface to the server engine, and it's only ever stored on your user profile. No other user has access to it.

Malware exists.
And malware loves such pre-defined file-locations where it can search for plain-text passwords in files.

The bad thing is not the fact that someone may be getting access to the admin-interface. That is not a critical issue.

But what really makes me worry is the fact that not all users will generate a random exclusive admin-interface password.
Instead they will simply use one of their favourite 4-5 passwords and type them in. Let it be laziness or whatever.

Is it that difficult to make your program save it in a hashed or salted-hashed way - as other programs do?

Re: questions about the new FileZilla Server v.1.0.0

#4 Post by boco » 2021-09-15 01:09

Unless you are doing any remote administration of the server, the password is optional. By default, it is blank.

oibaf
Contributor
Posts: 396
Joined: 2021-07-16 21:02
First name: Fabio
Last name: Alemagna

Re: questions about the new FileZilla Server v.1.0.0

#5 Post by oibaf » 2021-09-15 07:09

iqigravity wrote (2021-09-14 22:08):
> Is it that difficult to make your program save it in a hashed or salted-hashed way - as other programs do?

Hi,

The password is saved hashed and salted, in the FileZilla Server settings (look at C:\Users\BLA\AppData\Local\filezilla-server\settings.xml), but the Administration UI must have access to an un-hashed and un-salted version of it to be able to transmit it over to the Server.

It could be encrypted, but you'd then need another password to unencrypt it at least when the Administration UI is started, which wouldn't be much less effort than just not saving the administration password in the first place.

Which takes us to another point: if you have reasons to believe that saving the admin password in clear in the Admin UI configuration file is not desired, you have the option to not save the password at all.

Mind you, the old server administration behaved the same way.
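The point made in post #5, as an added example that is not part of any post and not FileZilla code: a server that stores only a salted hash can verify a transmitted password, but a client that stored only that hash could not log in with it. PBKDF2-HMAC-SHA256, the iteration count and all function names are assumptions of this sketch; the thread does not state the server's algorithm or wire protocol.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not taken from the thread


def make_server_record(password: str) -> dict:
    """Server-side settings: a random salt plus the salted hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def server_verify(record: dict, presented: bytes) -> bool:
    """Password-transmitting login: the server salts and hashes whatever arrives."""
    candidate = hashlib.pbkdf2_hmac("sha256", presented, record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def server_verify_hash_as_credential(record: dict, presented: bytes) -> bool:
    """Hypothetical alternative: the server accepts the stored hash itself."""
    return hmac.compare_digest(presented, record["hash"])


def demo() -> tuple:
    record = make_server_record("constructed-admin-password")  # constructed sample
    # 1. UI stored the cleartext and transmits it: the server can verify it.
    cleartext_ok = server_verify(record, b"constructed-admin-password")
    # 2. UI stored only the salted hash: the server hashes it again, so it fails.
    hash_only_ok = server_verify(record, record["hash"])
    # 3. If the protocol accepted the hash instead, the value in the UI file
    #    would log in as-is, so the file would need the same protection.
    hash_is_password = server_verify_hash_as_credential(record, record["hash"])
    return cleartext_ok, hash_only_ok, hash_is_password


if __name__ == "__main__":
    print(demo())
```

In the third case the stored value no longer reveals a password the user may have reused elsewhere, but it still grants access to the administration interface.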

Re: questions about the new FileZilla Server v.1.0.0

#6 Post by boco » 2021-09-15 16:14

Small addendum: Most users will install the server as a system service. The settings for the service are stored elsewhere.

C:\Windows\System32\config\systemprofile\AppData\Local\filezilla-server

Re: questions about the new FileZilla Server v.1.0.0

#7 Post by boco » 2021-09-18 01:32

You could employ the same mechanism used by FileZilla to obfuscate the password. Some users easily panic each time they see their passwords stored in clear text.

Since using obfuscation in FileZilla, no questions of that type have been asked, again.

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: questions about the new FileZilla Server v.1.0.0

#8 Post by botg » 2021-09-20 07:50

It is already obfuscated with double-ROT13.
