Beware of FileZilla!

Stuff that doesn't fit in the other categories.

FrankB
Ph. D. in Sucko'logics
Posts: 315
Joined: 06 Mar 2006, 17:00
Location: Belgistahn

Post by FrankB »

All right: category => [newbies] [advanced] [experts],

We all know the vulnerability of what for most of us was our first GUI FTP client program, that is, yes, yes, yeeesss: WS_FTP (LE)*

We all know that WS_FTP's main security bug was that it dropped LOG files everywhere you PUT files and also everywhere you fetched files from.
Cute. Well, CuteFTP does the same, albeit only on the client side and in a particular directory, like a TEMP file of its own.
LeechFTP? Same song. SmartFTP: same song; it saves settings, logs and autofills entries except passwords.

FileZilla: worse... much worse.
After a benchmark of let's say ten minutes, I thought "Nice, finally a good little really f*cking FREE FTP client, no key to fetch, no counter to hack, just enjoy!"

My joy didn't last... oh no. The f*cking thing stores the whole line of host, username AND password in an XML file!!

Hint for those who are not familiar with XML and still want to use FileZilla:
every tag has an ending tag or the tag is empty, so to delete lines like
<hostlist>
<host name="hostname">
<username>blah</username>
<password value="secret" />
</host>
</hostlist>

Be sure to delete the lines properly: adjacent opening tags with adjacent closing tags.
Be sure not to delete the whole XML file or to mess it up: only delete the necessary tags!

Be sure to use a proper FTP-client next time :-)

Ok, you can all stop reading and go on doing whatever the hell you were doing.

--
FrankB2Bn00b
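An added example, not from the post above and not FileZilla's own code: a small Python script that removes the stored entries by parsing the XML instead of deleting lines by hand, so opening and closing tags stay balanced and the file stays loadable. It assumes a host list shaped like the snippet above; the element names and the sample file are assumptions, since the real FileZilla file layout is not shown in this thread.

```python
# Added example, not code from the forum post or from FileZilla itself:
# strip stored passwords from an FTP client's XML host list by parsing it,
# so opening and closing tags stay balanced. Element names follow the
# poster's illustrative snippet; FileZilla's real file layout is assumed.
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the post's snippet. It shows both
# forms the post mentions: a tag with text and an empty (self-closing) tag.
SAMPLE_CONFIG = """<hostlist>
  <host name="ftp.example.net">
    <username>blah</username>
    <password>secret</password>
  </host>
  <host name="ftp.example.org">
    <username>other</username>
    <password value="hunter2" />
  </host>
</hostlist>
"""

def stored_passwords(xml_text: str) -> list:
    """List every plaintext password still in the file (quick audit)."""
    root = ET.fromstring(xml_text)
    # Handle both the text form and the attribute form of <password>.
    return [pw.get("value") or pw.text for pw in root.iter("password")]

def scrub_passwords(xml_text: str) -> str:
    """Return the config with every <password> element removed."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        # findall() returns a list, so removing while looping is safe.
        for pw in host.findall("password"):
            host.remove(pw)
    return ET.tostring(root, encoding="unicode")

def remove_host(xml_text: str, name: str) -> str:
    """Return the config with the whole <host name=...> entry dropped."""
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        if host.get("name") == name:
            root.remove(host)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(stored_passwords(SAMPLE_CONFIG))                   # ['secret', 'hunter2']
    print(stored_passwords(scrub_passwords(SAMPLE_CONFIG)))  # []
    print(stored_passwords(remove_host(SAMPLE_CONFIG, "ftp.example.net")))  # ['hunter2']
```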

H4evr
On the way to fame!
Posts: 43
Joined: 30 Apr 2006, 16:00
Location: Portugal

Post by H4evr »

Thanks for the tip. :wink:


Post by FrankB »

H4evr wrote: Thanks for the tip. :wink:
I forgot to mention (not that I want to start a whole other topic, but) instead of using
the domain name of an FTP server like ftp.someserver.net in your GUI or console lines/proggies,
please use the IP address of the FTP server instead!

(same for SSH etc., by the way ;-)
