Beware of FileZilla!

Stuff that don´t fit in the other categories.
Post Reply
User avatar
FrankB
Ph. D. in Sucko'logics
Ph. D. in Sucko'logics
Posts: 315
Joined: 06 Mar 2006, 17:00
18
Location: Belgistahn
Contact:

Beware of FileZilla!

Post by FrankB »

All right : category => [newbies] [advanced] [experts],

We all know the vulnerability of what for most of us whas our first GUI FTP-client program, that is , yes, yes, yeeesss : WS_FTP (LE)*

We all know that WS_FTP main security bug was that it dropped LOG files everywhere you PUT files and also from everywhere you fetched files.
Cute. Well, CuteFTP does the same, albeit only on the client-side and in a particular directory, like a TEMP file of its own.
LeechFTP ? Same song, SmartFTP: same song, it saves settings, logs and autofills entries except passwords.

FileZilla : worse... much worse.
After a benchmark of let's say ten minutes, I thought "Nice, finally a good little really f*cking FREE FTP client, no key to fetch, no counter to hack, just enjoy !

My joy didn't last.. oh no. the f*cking thing stores the whole line of host,username AND password in an XML file !!

Hint for those who are not familliar with XML and still wan to use FileZilla :
every tag has an ending tag or the tag is empty, so to delete llines like
<host list>
<host="hostname>
<username>blah</username>
<password="secret" />
</host>
</hostlist>

Be sure to delete the lines properly : adjacent opening tags with adjacent closing tags.
Be sure not to delete the whole XML file or to mess it up : only delete the necessary tags !

Be sure to use a proper FTP-client next time :-)

Ok, you can all stop reading and going on doing whatever the hell you were doing.

--
FrankB2Bn00b

User avatar
H4evr
On the way to fame!
On the way to fame!
Posts: 43
Joined: 30 Apr 2006, 16:00
18
Location: Portugal
Contact:

Post by H4evr »

Thanks for the tip. :wink:

User avatar
FrankB
Ph. D. in Sucko'logics
Ph. D. in Sucko'logics
Posts: 315
Joined: 06 Mar 2006, 17:00
18
Location: Belgistahn
Contact:

Post by FrankB »

H4evr wrote:Thanks for the tip. :wink:
I forgot to mention -not that I want to start a whole other topic but - instead of using
the domain name of an FTP server like ftp.someserver.net in your GUI or console lines/proggies,
please use the IP address of the FTP- server instead !

(same for SSH etc.. by the way ;-)

Post Reply