Webmaster General Forum

Do not use Filezilla with default settings, you might get hacked!

 9:11 pm on Jan 25, 2011 (gmt 0)

Hello all,

I analyzed the iframe hacks appearing every day. This is mostly not a fault of the servers, the application or a bug/vulnerability of the software. The server easily gets compromised with your credentials!

They all seem to be Filezilla users. Filezilla has kiosk mode enabled by default, which saves _all_ credentials ever typed into the logon/password fields of Filezilla! If you catch malware via drive-by download these files might get compromised, and so your servers..

You have to change the config files in your home folder.

See the file fzdefaults.xml.example (docs subdirectory). Inside are instructions on how to set FileZilla to not save passwords (kiosk mode 1) or not to save anything at all (kiosk mode 2).

More info on the attack on my blog:


Please spread this info..
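Added here as an illustration, not taken from the original post or from the FileZilla project: a minimal fzdefaults.xml that turns on kiosk mode. The element names follow the fzdefaults.xml.example file the post points to; the comments are the editor's. Later replies in this thread place the file next to the FileZilla executable in the install directory (C:\Program Files\FileZilla FTP Client\ on Windows).

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<FileZilla3>
    <Settings>
        <!-- Kiosk mode values as described in fzdefaults.xml.example:
             0 = default: passwords typed into Quickconnect and the Site
                 Manager are written to the per-user XML files
             1 = passwords are not saved (hosts and user names still are)
             2 = nothing is saved at all
             1 is the sensible minimum for any machine you do not fully
             control, such as a client's desktop. -->
        <Setting name="Kiosk mode">1</Setting>
    </Settings>
</FileZilla3>
```

This setting only governs what FileZilla writes from now on. It does not by itself guarantee that passwords already sitting in sitemanager.xml, recentservers.xml or filezilla.xml under the user's profile are gone, so after rolling it out, check those files, remove the entries, and rotate the passwords they held; if malware has been on the box, assume they were read.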



 9:31 pm on Jan 25, 2011 (gmt 0)

Thanks.... something that always bothered me about Filezilla was the "ReConnect" option.

You can start up any filezilla and click reconnect and without needing any login info at all you are connected to the FTP site. How insane is that? I see that this info is also stored in a config XML file... IN PLAIN TEXT!

It is insane of them to suggest that it is safe so long as your computer is safe. Perhaps they are unaware of the percentage of machines that are infected as of today. If they were they would never suggest such a thing.

While I am diligent about securing my box, my clients, who use FTP aren't as stringent.

They should be developing this for the lowest common denominator.

I am emailing most of my clients and asking them to stop using Filezilla until I can look into this more.


 9:39 pm on Jan 25, 2011 (gmt 0)

Thanks for your feedback. I have been asked a lot for alternatives.

I'm using WinSCP under Windows and never had problems with that.



 9:47 pm on Jan 25, 2011 (gmt 0)

I see them discussing how to turn off this feature but I am not finding the fzdefaults.xml or anything that allows me to "switch" kiosk modes.

Do you know where to change the setting? I want to test turning it off; if I can, then I plan to email my clients the steps to turn it off. Most of them are not tech savvy and changing programs may cause me many hours of training, which I would like to avoid.


 9:54 pm on Jan 25, 2011 (gmt 0)

check out:

C:\Program Files\FileZilla FTP Client\fzdefaults.xml


C:\Documents and Settings\username\Application Data\FileZilla\


 10:17 pm on Jan 25, 2011 (gmt 0)

Hi guys... I too am concerned about this and turn my FTP off when I am not using it (server side) and change passwords every week.
Here is where you can find the default settings:
C:\Program Files\FileZilla FTP Client\docs\fzdefaults.xml

It is in the "docs" folder... can you help me find the config.xml file that has the passwords? I cannot seem to find it.



 10:31 pm on Jan 25, 2011 (gmt 0)

Hi meelosh,

It's filezilla.xml, recentservers.xml and sitemanager.xml.

On Windows XP

C:\Documents and Settings\<user>\Application Data\FileZilla\

or Windows 7
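As an added check (editor's code, not from the original posts or from FileZilla), the script below parses the three files named above and reports which entries carry a stored password, without printing the secret itself. The element names it looks for (Server, Host, Port, User, Pass, and the LastServer block in filezilla.xml that "Reconnect" relies on) and the optional encoding="base64" attribute on Pass are assumptions about FileZilla's XML layout; the two sample files are constructed for the example.

```python
"""Report which FileZilla profile files hold stored passwords (never the secret)."""
import base64
import os
import xml.etree.ElementTree as ET
from pathlib import Path

# Files named in the thread, found under %APPDATA%\FileZilla on Windows.
CREDENTIAL_FILES = ("sitemanager.xml", "recentservers.xml", "filezilla.xml")


def default_config_dir() -> Path:
    """Per-user FileZilla directory: %APPDATA%\\FileZilla on Windows (the path the
    thread gives for XP); ~/.config/filezilla elsewhere is an assumption."""
    appdata = os.environ.get("APPDATA")
    if appdata:
        return Path(appdata) / "FileZilla"
    return Path.home() / ".config" / "filezilla"


def find_stored_passwords(xml_text: str, source: str = "<string>") -> list:
    """Return one record per <Server>/<LastServer> entry that has a <Pass>."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("Server", "LastServer"):      # assumed element names
        for server in root.iter(tag):
            pw = server.find("Pass")
            if pw is None or not (pw.text or "").strip():
                continue
            stored = pw.text.strip()
            encoding = pw.get("encoding", "plaintext")
            if encoding == "base64":
                # Reversible by anyone who can read the file: obfuscation, not encryption.
                secret_len = len(base64.b64decode(stored))
            else:
                secret_len = len(stored)
            findings.append({
                "file": source,
                "entry": tag,
                "host": (server.findtext("Host") or "").strip(),
                "port": (server.findtext("Port") or "").strip(),
                "user": (server.findtext("User") or "").strip(),
                "encoding": encoding,
                "password_length": secret_len,
            })
    return findings


def scan_config_dir(config_dir) -> list:
    """Run find_stored_passwords over each credential file present in config_dir."""
    config_dir = Path(config_dir)
    results = []
    for name in CREDENTIAL_FILES:
        path = config_dir / name
        if path.is_file():
            results.extend(find_stored_passwords(path.read_text(encoding="utf-8"), str(path)))
    return results


# Constructed sample: one site with a saved plain-text password, one site set
# to ask for the password each time (no <Pass> element at all).
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
      <User>webmaster</User><Pass>hunter2</Pass><Logontype>1</Logontype>
      <Name>Client site</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User><Logontype>2</Logontype>
      <Name>Ask for password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Constructed sample in the base64 layout: "aHVudGVyMg==" is base64("hunter2"),
# which any reader of the file can reverse in one call.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <RecentServers>
    <Server>
      <Host>ftp.example.net</Host><Port>21</Port><Protocol>0</Protocol>
      <User>anna</User><Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

if __name__ == "__main__":
    demo = (find_stored_passwords(SAMPLE_SITEMANAGER, "sitemanager.xml")
            + find_stored_passwords(SAMPLE_RECENTSERVERS, "recentservers.xml"))
    real = scan_config_dir(default_config_dir())   # whatever is on this machine
    for f in demo + real:
        print(f"{f['file']}: {f['user']}@{f['host']}:{f['port']} "
              f"password stored ({f['encoding']}, {f['password_length']} chars)")
```

Run it on a workstation to get the list of accounts whose passwords must be rotated; the sample output shows the plain-text and base64 cases side by side. Anything the script lists was readable by any process running as that user, which is exactly what a drive-by download gets.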



 10:35 pm on Jan 25, 2011 (gmt 0)

Vista is the same as Win7:


 11:05 pm on Jan 25, 2011 (gmt 0)

wow... thanks guys....unbelievable...like taking candy from a baby!


 7:09 pm on Jan 27, 2011 (gmt 0)

Lame lame lame . . . holy cremole.


 6:15 pm on Jan 28, 2011 (gmt 0)

1. This needs to be a featured topic, FileZilla is one of the most popular FTP clients out there.

2. The fix was easy, the question to be asked is why the heck these settings aren't available from the GUI? (I looked and looked, even reran the wizard, didn't see the option anywhere, if I'm missing it someone let me know.) Most FileZilla users are using it because they are not tech savvy and wouldn't know how to fix this.

3. WTH. Even the old dog WS_FTP was wise enough to store any data as encrypted in its .ini. If they are storing passwords as plain text in static XML files, who knows how many other holes are in this thing.

A side note, I only recently started using F.Z. at the recommendation of a co worker, I immediately didn't like it much but went with the flow of company standards. You can bet this went out as a memo immediately, thanks for posting.


 9:02 pm on Jan 28, 2011 (gmt 0)

I am not as angry as I was once I found out the entire thing was written by 1 person and is available for free.

The problem is, as rnb points out, the program is widely used and therefore it is made much worse by how distributed it is.

There really is no excuse for logging all connections in plain text that weren't saved to the site manager.


 10:54 pm on Mar 31, 2011 (gmt 0)

An update for Filezilla was just released, and they added a checkbox to the settings dialog box that allows you to say "Do Not Save Passwords".


 11:02 pm on Mar 31, 2011 (gmt 0)

awesome news....as i do like the little zilla..thanks for sharing!


 12:23 pm on Apr 1, 2011 (gmt 0)

Any good alternatives to Filezilla anyway?


 5:10 pm on Apr 1, 2011 (gmt 0)

SFTP, or follow the instructions above. It will require entering a password each time you log in to your sites, but it's an annoyance you can live with.


 4:18 am on Apr 5, 2011 (gmt 0)

Thanks for the post!
This needs to be a featured topic, FileZilla is one of the most popular FTP clients out there.

 9:25 am on Apr 5, 2011 (gmt 0)

Have you guys reported this to Filezilla?


 12:43 pm on Apr 5, 2011 (gmt 0)

Have you guys reported this to Filezilla?

I remember this issue being mentioned on the filezilla forums way back in 2008. If I remember, the developer's retort was, if I may say so, somewhat defensive and less than polite in at least one posting. This was my personal impression anyway. I believe his argument is that OS and/or the user is responsible for security, which is why Filezilla has been storing passwords unencrypted in plaintext for the last few years. Please correct me if I'm wrong about anything.


 9:36 am on Apr 20, 2011 (gmt 0)

Oh wow thanks for the information. Have to be careful now..


 6:28 am on Apr 21, 2011 (gmt 0)

When using FTP you are sending your username and password over the network in plain text.

I would start worrying about that and start using SFTP.
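To make the point above concrete, an added example (editor's code, not part of the original reply): the kind of extractor one would run over port-21 payloads from a packet capture, fed a constructed FTP login transcript and, for contrast, a constructed SFTP session where the same login is inside the SSH transport. Both transcripts are made up for the example; "C:" lines are sent by the client and "S:" lines by the server.

```python
"""What a network observer recovers from an FTP login versus SFTP."""
import re

# Constructed FTP control-channel transcript (port 21), not a real capture.
SAMPLE_FTP_SESSION = """\
S: 220 FTP server ready.
C: USER webmaster
S: 331 Password required for webmaster
C: PASS hunter2
S: 230 User webmaster logged in
C: PWD
S: 257 "/" is the current directory
C: QUIT
S: 221 Goodbye.
"""

# Same login over SFTP: after the version banners everything, including the
# password, travels inside the encrypted SSH transport (placeholder text here).
SAMPLE_SFTP_SESSION = """\
S: SSH-2.0-server_banner
C: SSH-2.0-client_banner
C: <encrypted SSH packets, including the password authentication>
S: <encrypted SSH packets>
"""

_CLIENT_CMD = re.compile(r"^C:\s*(USER|PASS)\s+(.*?)\s*$", re.IGNORECASE)


def extract_ftp_credentials(transcript: str) -> list:
    """Return (user, password) pairs sent in the clear on an FTP control channel.

    A PASS is paired with the most recent USER not yet consumed; a PASS with
    no preceding USER is ignored, and several logins on one connection each
    yield their own pair.
    """
    creds = []
    pending_user = None
    for line in transcript.splitlines():
        m = _CLIENT_CMD.match(line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2)
        if cmd == "USER":
            pending_user = arg
        elif pending_user is not None:      # cmd == "PASS"
            creds.append((pending_user, arg))
            pending_user = None
    return creds


if __name__ == "__main__":
    print("FTP :", extract_ftp_credentials(SAMPLE_FTP_SESSION))   # [('webmaster', 'hunter2')]
    print("SFTP:", extract_ftp_credentials(SAMPLE_SFTP_SESSION))  # []
```

Anyone on the path (a compromised router, a hostile hotspot, a machine on the same LAN running a sniffer) gets the same result as the first line, which is why the on-disk fix discussed earlier in the thread is only half of the problem.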

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved