Webmaster General Forum

Do not use Filezilla with default settings, you might get hacked!
int13
msg:4258062
9:11 pm on Jan 25, 2011 (gmt 0)

Hello all,


I analyzed the iframe hacks appearing every day. This is mostly not a fault of the servers, the application or a bug/vulnerability of the software. The server easily gets compromised with your credentials!

They all seem to be Filezilla users. Filezilla has Kiosk mode enabled by default, which saves _all_ credentials ever typed into the logon/password fields of Filezilla! If you catch malware via drive-by download these files might get compromised, and so your servers.

You have to change the config files in your home folder.

See the file fzdefaults.xml.example (docs subdirectory). Inside are instructions how to set FileZilla to not save passwords (kiosk mode 1) or not to save anything at all (kiosk mode 2).

More info on the attack on my blog:

[integer13.wordpress.com...]

Please spread this info.

Demaestro
msg:4258069
9:31 pm on Jan 25, 2011 (gmt 0)

Thanks... something that always bothered me about Filezilla was the "ReConnect" option.

You can start up any filezilla and click reconnect and without needing any login info at all you are connected to the FTP site. How insane is that? I see that this info is also stored in a config XML file... IN PLAIN TEXT!

It is insane of them to suggest that it is safe so long as your computer is safe. Perhaps they are unaware of the percentage of machines that are infected as of today. If they were they would never suggest such a thing.

While I am diligent about securing my box, my clients, who use FTP, aren't as stringent.

They should be developing this for the lowest common denominator.

I am emailing most of my clients and asking them to stop using Filezilla until I can look into this more.

int13
msg:4258073
9:39 pm on Jan 25, 2011 (gmt 0)

Thanks for your feedback. I have been asked a lot for alternatives.

I'm using WinSCP under Windows and never had problems with that.

Andre

Demaestro
msg:4258077
9:47 pm on Jan 25, 2011 (gmt 0)

I see them discussing how to turn off this feature but I am not finding the fzdefaults.xml or anything that allows me to "switch" kiosk modes.

Do you know where to change the setting? I want to test turning it off; if I can, then I plan to email my clients the steps to turn it off. Most of them are not tech savvy and changing programs may cause me many hours of training, which I would like to avoid.

int13
msg:4258085
9:54 pm on Jan 25, 2011 (gmt 0)

Check out:

C:\Program Files\FileZilla FTP Client\fzdefaults.xml

or

C:\Documents and Settings\username\Application Data\FileZilla\

meelosh
msg:4258091
10:17 pm on Jan 25, 2011 (gmt 0)

Hi guys... I too am concerned about this and turn my FTP off when I am not using it (server side) and change passwords every week.
Here is where you can find the default settings:
C:\Program Files\FileZilla FTP Client\docs\fzdefaults.xml

It is in the "docs" folder... can you help me find the config.xml file that has the passwords? I cannot seem to find it.

Thanks

int13
msg:4258095
10:31 pm on Jan 25, 2011 (gmt 0)

Hi meelosh,

It's filezilla.xml, recentservers.xml and sitemanager.xml.

On Windows XP:

C:\Documents and Settings\<user>\Application Data\FileZilla\

or Windows 7:

C:\Users\<user>\AppData\Roaming\FileZilla\
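
An added audit script (not from this thread or from the FileZilla project) that ties the two posts above together: it reads the profile files named here (sitemanager.xml, recentservers.xml, filezilla.xml) and reports which accounts have a password stored, without ever printing the password, and it reads the Kiosk mode value that int13's first post says fzdefaults.xml controls. The element names (`<Server>`, `<Host>`, `<User>`, `<Pass>`, `<Setting name="Kiosk mode">`) are assumptions about the file layout, and both sample files are constructed.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout of a FileZilla 3 sitemanager.xml
# (one <Server> per site holding <Host>, <User>, <Pass>); not a real user's file.
SAMPLE_SITEMANAGER = """<FileZilla3><Servers>
  <Server><Host>ftp.example.com</Host><User>alice</User><Pass>hunter2</Pass></Server>
  <Server><Host>sftp.example.net</Host><User>bob</User></Server>
</Servers></FileZilla3>"""

# Constructed fzdefaults.xml with kiosk mode left at 0 (save everything).
SAMPLE_FZDEFAULTS = """<FileZilla3><Settings>
  <Setting name="Kiosk mode">0</Setting>
</Settings></FileZilla3>"""

# Files the thread names as holding connection data in the profile directory.
PROFILE_FILES = ("sitemanager.xml", "recentservers.xml", "filezilla.xml")

def accounts_with_saved_passwords(xml_text):
    """Return 'user@host' for every <Server> that carries a non-empty <Pass>.
    The password value itself is never returned, only the fact it is stored."""
    root = ET.fromstring(xml_text)
    return [f"{s.findtext('User', '?')}@{s.findtext('Host', '?')}"
            for s in root.iter("Server") if s.findtext("Pass")]

def kiosk_mode(xml_text):
    """Kiosk mode from fzdefaults.xml: 0 save all, 1 no passwords, 2 save nothing.
    Returns None when the setting is absent; callers treat that as 0."""
    root = ET.fromstring(xml_text)
    for setting in root.iter("Setting"):
        if setting.get("name") == "Kiosk mode" and setting.text:
            return int(setting.text.strip())
    return None

def passwords_at_risk(sitemanager_xml, fzdefaults_xml):
    """True when passwords are stored and kiosk mode does not prevent it."""
    return bool(accounts_with_saved_passwords(sitemanager_xml)) and \
        (kiosk_mode(fzdefaults_xml) or 0) < 1

def audit_profile_dir(path):
    """Scan a real profile directory (e.g. %APPDATA%\\FileZilla on Windows 7)
    and list the accounts whose password is stored in any of the known files."""
    exposed = []
    for name in PROFILE_FILES:
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, encoding="utf-8") as fh:
                exposed += accounts_with_saved_passwords(fh.read())
    return exposed
```

Run `audit_profile_dir` against the Windows 7 or XP path given above to get the list of accounts whose passwords should be rotated once kiosk mode is turned on.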

Demaestro
msg:4258100
10:35 pm on Jan 25, 2011 (gmt 0)

Vista is same as Win7:
C:\Users\<user>\AppData\Roaming\FileZilla\

meelosh
msg:4258125
11:05 pm on Jan 25, 2011 (gmt 0)

Wow... thanks guys... unbelievable... like taking candy from a baby!

rocknbil
msg:4259103
7:09 pm on Jan 27, 2011 (gmt 0)

Lame lame lame . . . holy cremole.

rocknbil
msg:4259620
6:15 pm on Jan 28, 2011 (gmt 0)

1. This needs to be a featured topic, FileZilla is one of the most popular FTP clients out there.

2. The fix was easy, the question to be asked is why the heck these settings aren't available from the GUI? (I looked and looked, even reran the wizard, didn't see the option anywhere, if I'm missing it someone let me know.) Most FileZilla users are using it because they are not tech savvy and wouldn't know how to fix this.

3. WTH. Even the old dog WS_FTP was wise enough to store any data as encrypted in its .ini. If they are storing passwords as plain text in static XML files, who knows how many other holes are in this thing.

A side note, I only recently started using F.Z. at the recommendation of a co-worker. I immediately didn't like it much but went with the flow of company standards. You can bet this went out as a memo immediately, thanks for posting.

Demaestro
msg:4259681
9:02 pm on Jan 28, 2011 (gmt 0)

I am not as angry as I was once I found out the entire thing was written by 1 person and is available for free.

The problem is, as rnb points out, the program is widely used and therefore it is made much worse by how distributed it is.

There really is no excuse for logging all connections in plain text that weren't saved to the site manager.

Demaestro
msg:4290424
10:54 pm on Mar 31, 2011 (gmt 0)

An update for Filezilla was just released and they added a checkbox to the settings dialog box that allows you to say "Do Not Save Passwords".

meelosh
msg:4290429
11:02 pm on Mar 31, 2011 (gmt 0)

Awesome news... as I do like the little zilla... thanks for sharing!

Umbra
msg:4290670
12:23 pm on Apr 1, 2011 (gmt 0)

Any good alternatives to Filezilla anyway?

rocknbil
msg:4290826
5:10 pm on Apr 1, 2011 (gmt 0)

SFTP, or follow the instructions above. It will require entering a password each time you log in to your sites, but it's an annoyance you can live with.

JohnRoy
msg:4292189
4:18 am on Apr 5, 2011 (gmt 0)

Thanks for the post!
This needs to be a featured topic, FileZilla is one of the most popular FTP clients out there.
+1.

cien
msg:4292311
9:25 am on Apr 5, 2011 (gmt 0)

Have you guys reported this to Filezilla?

Umbra
msg:4292390
12:43 pm on Apr 5, 2011 (gmt 0)

Have you guys reported this to Filezilla?

I remember this issue being mentioned on the filezilla forums way back in 2008. If I remember, the developer's retort was, if I may say so, somewhat defensive and less than polite in at least one posting. This was my personal impression anyway. I believe his argument is that OS and/or the user is responsible for security, which is why Filezilla has been storing passwords unencrypted in plaintext for the last few years. Please correct me if I'm wrong about anything.

hydroponicsnutrients
msg:4301159
9:36 am on Apr 20, 2011 (gmt 0)

Oh wow thanks for the information. Have to be careful now..

Realbrisk
msg:4301717
6:28 am on Apr 21, 2011 (gmt 0)

When using FTP you are sending your username and password over the network in plain text.

I would start worrying about that and start using SFTP.
