Thanks.... something that always bothered me about Filezilla was the "ReConnect" option.

You can start up any filezilla and click reconnect and without needing any login info at all you are connected to the FTP site. How insane is that? I see that this info is also stored in a config XML file... IN PLAIN TEXT!

It is insane of them to suggest that it is safe so long as your computer is safe. Perhaps they are unaware of the percentage of machines that are infected as of today. If they were they would never suggest such a thing.

While I am diligent about securing my box, my clients, who use FTP aren't as stringent.

They should be developing this for the lowest common denominator.

I am emailing most of my clients and asking them to stop using Filezilla until I can look into this more.

Thanks for your feedback. I have been asked a lot for alternatives.

I'm using WinSCP under Windows and never had problems with that.

Andre

I see them discussing how to turn off this feature but I am not finding the fzdefaults.xml or anything that allows me to "switch" kiosk modes.

Do you know where to change the setting. I want to test turning it off, if I can then I plan to email my clients the steps to turn it off. Most of them are not tech savvy and changing programs may cause me many hours of training, which I would like to avoid.

check out:

C:\Program Files\FileZilla FTP Client\fzdefaults.xml

or

C:\Documents and Settings\username\Application Data\FileZilla\

Hi Guys....i too am concerned about this and turn my ftp off when i am not using it (server side) and change passwords ever week.
here is where you can find the default settings
C:\Program Files\FileZilla FTP Client\docs\fzdefaults.xml

it is in the "docs" folder....can you help me find the config.xml file that has the passwords i cannot seem to find it.

thanks

Hi meelosh,

its filezilla.xml, recentservers.xml and sitemanager.xml

On Windows XP

C:\Documents and Settings\<user>\Application Data\FileZilla\

or Windows 7

C:\Users\<user>\AppData\Roaming\FileZilla\

Vista is same as Win7:
C:\Users\<user>\AppData\Roaming\FileZilla\

wow... thanks guys....unbelievable...like taking candy from a baby!

Lame lame lame . . . holy cremole.

1. This needs to be a featured topic, FileZilla is one of the most popular FTP clients out there.

2. The fix was easy, the question to be asked is why the heck these settings aren't available from the GUI? (I looked and looked, even reran the wizard, didn't see the option anywhere, if I'm missing it someone let me know.) Most FileZilla users are using it because they are not tech savvy and wouldn't know how to fix this.

3. WTH. Even the old dog WS_FTP was wise enough to store any data as encrypted in it's .ini. If they are storing passwords as plain text in static XML files, who knows how many other holes are in this thing.

A side note, I only recently started using F.Z. at the recommendation of a co worker, I immediately didn't like it much but went with the flow of company standards. You can bet this went out as a memo immediately, thanks for posting.

I am not as angry as I was once I found out the entire thing was written by 1 person and is available for free.

The problem is, as rnb points out, the program is widely used and therefor it is made much worse by how distributed it is.

There really is no excuse for logging all connection in plain text that weren't saved to the site manager.

A update for Filezilla was just release and they added a checkbox to the settings dialog box that allows you to say "Do Not Save Passwords"

awesome news....as i do like the little zilla..thanks for sharing!

Any good alternatives to Filezilla anyway?

SFTP, or follow the instructions above. It will require entering a password each time you log in to your sites, but it's an annoyance you can live with.

Thanks for the post!

This needs to be a featured topic, FileZilla is one of the most popular FTP clients out there.

+1.

Have you guys reported this to Filezilla?

Have you guys reported this to Filezilla?

I remember this issue being mentioned on the filezilla forums way back in 2008. If I remember, the developer's retort was, if I may say so, somewhat defensive and less than polite in at least one posting. This was my personal impression anyway. I believe his argument is that OS and/or the user is responsible for security, which is why Filezilla has been storing passwords unencrypted in plaintext for the last few years. Please correct me if I'm wrong about anything.

Oh wow thanks for the information. Have to be careful now..

When using Ftp you are sending over the networks your username and password in plain text

I would start worrying about that and start using Sftp