Filezilla and plain-text clear, unsecure password storage

Submitted by Anonymous (not verified) on Thu, 03/17/2011 - 12:44

Everyone knows FileZilla FTP-client programm. It is fast, easy to use and offers most used functions for a good ftp-client. And it is open source & free. But there is a big problem: Filezilla stores passwords in a very unsecure way. Filezilla stores passwords of recent servers, passwords of sites in site-manager in plain text.

Files (and path) storing passwords:

Path for Windows XP/2K: “C:\Documents and Settings\USERNAME\Application Data\FileZilla”
Path for Windows 7/Vista: “C:\Users\USERNAME\AppData\Roaming\FileZilla\”
Path for Linux: “/home/USERNAME/.filezilla/”

filezilla.xml : Stores most recent server information(servername, port, login-username including password) in plaintext
recentservers.xml : Stores all recent server information(servername, port, login-username including password) in plaintext
sitemanager.xml : Stores all saved sites server information(servername, port, login-username including password) in plaintext

Any user, malware, spyware, botnet, trojan could get this information and get control of that server. It is very irresponsible. Filezilla should make an option avilable to set a master password and crypt-decrypt content of that files.

Add new comment