Security

[Deyssenroth]

FielZilla creates a folder unter user->appdata->roaming. In this folder there is a file called sitemanager.xml und here I see my password in clear text. A hacker (or trojaner) on my PC can use this password and can overwrite my websites!

Please change this.

Thanks and best wishes,

Hans

[botg]

And? Even if no passwords are stored, a hacker (or trojaner) on your PC can get your passwords the moment you enter them. You need to prevent infection in the first place.

[boco]

Once a hacker (or trojaner) gets onto your PC it's too late already.

[Deyssenroth]

And? Even if no passwords are stored, a hacker (or trojaner) on your PC can get your passwords the moment you enter them. You need to prevent infection in the first place.

--------

That's obvious. But many trojaner are not recognized in the first step and some ar so sophisticated that they never will be detected. I think the FileZilla programmers should encrypt the password on this file.

[boco]

And you really think such a sophisticated trojan will be stopped by a simple obfuscation in the settings file?

[pentester]

how about crypting passwort by using a master password which is set by the user and is NOT stored at all ?! + private FileZilla password to make the master password secure even if it is not that long..?



@botg when i use ssl/FTPS[...] and the password is stored in file zilla in a secure way he would get nothing, even with a trojan on the PC...


think befor you post...

[boco]

Wrong. In order for a password to be sent to the server it has to be decrypted in memory on that machine first. FTP over TLS/SSL only protects against man-in-the-middle-attacks, it provides no endpoint protection. Malware on a machine is able to do anything the user account it runs under is. FileZilla runs under your user account. As soon as the passwords are entered or decrypted the malware grabs them from memory. Easy as pie.

Any system that has or had a malware on it must be regarded as being compromised!

[kachi]

You have to protect Hackers from entering your PC,just as you have said that your "password is open and clear" even if it is encrypted, they can decrypt it once they find their way into your database.

[Alan Grift]

And you really think such a sophisticated trojan will be stopped by a simple obfuscation in the settings file?

But having some sort of encrypted password would make it just that little big more difficult, don't you think?

[boco]

No, it would not. Imagine you're a computer. You can do billions of operations per second. To circumvent a simple obfuscation is a matter of milliseconds, if not faster.