Filezilla and plain-text clear, unsecure password storage

By Anonymous (not verified), 17 March, 2011

Everyone knows FileZilla FTP-client programm. It is fast, easy to use and offers most used functions for a good ftp-client. And it is open source & free. But there is a big problem: Filezilla stores passwords in a very unsecure way. Filezilla stores passwords of recent servers, passwords of sites in site-manager in plain text.

Files (and path) storing passwords:

Path for Windows XP/2K: “C:\Documents and Settings\USERNAME\Application Data\FileZilla”
Path for Windows 7/Vista: “C:\Users\USERNAME\AppData\Roaming\FileZilla\”
Path for Linux: “/home/USERNAME/.filezilla/”

filezilla.xml : Stores most recent server information(servername, port, login-username including password) in plaintext
recentservers.xml : Stores all recent server information(servername, port, login-username including password) in plaintext
sitemanager.xml : Stores all saved sites server information(servername, port, login-username including password) in plaintext

Any user, malware, spyware, botnet, trojan could get this information and get control of that server. It is very irresponsible. Filezilla should make an option avilable to set a master password and crypt-decrypt content of that files.

CafeWebmaster.com(CW) is a free online community for webdevelopers and beginners. Anybody can share their code, articles, tips, tutorials, code-examples or other webdesign related material on the site. Newbies can submit their questions and reply to existing questions. CW does not guarantee or warrant reliability of code, data and information published on the site. Use the site on your own risk. The site takes no responsibility of direct or indirect loss or any kind of harm to its users. The site also doesn't take responsibility of infected files or source code with any kind of infection or viruses, worms, spywares, malwares, trojan horses. CW reserves the right to edit, move, or delete any of content for any reason.