Full Disclosure mailing list archives
Re: Filezilla's silent caching of user's credentials
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 16 Oct 2010 10:46:18 -0400
Am I the only person who finds it ironic that the same measures leveraged against closed source projects have to be employed against some open source projects?
Yet another example, complete with a public pissing contest: "XSS in Squirrelmail plugin 'Virtual Keyboard'", http://seclists.org/fulldisclosure/2010/Oct/45 As was noted in a previous list mailing:
This is an alarming trend in open source software, and diametrically opposed to the claims of "more eyes equates to more secure"", "open source software is more secure", and "open source software fixes bugs faster than other software models".
Jeff On Fri, Oct 8, 2010 at 3:28 AM, Jeffrey Walton <noloader () gmail com> wrote:
On Thu, Oct 7, 2010 at 11:10 PM, Ryan Sears <rdsears () mtu edu> wrote:Hi all, As some of you may or may not be aware, the popular (and IMHO one of the best) FTP/SCP program Filezilla caches your credentials for every host you connect to, without either warning or ability to change this without editing an XML file. There have been quite a few bug and features requests filed, and they all get closed or rejected within a week or so. I also posted something in the developer forum inquiring about this, and received this response: "I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be." Source:(http://forum.filezilla-project.org/viewtopic.php?f=3&t=17932) [SNIP] I just wanted to gauge the FD community on this issue, because with enough backing and explanation from the security community as to why this is a problem, this issue may finally be resolved (it's been doing this for years now).Am I the only person who finds it ironic that the same measures leveraged against closed source projects have to be employed against some open source projects? Jeff
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Filezilla's silent caching of user's credentials Ryan Sears (Oct 07)
- Re: Filezilla's silent caching of user's credentials Michael Wood (Oct 07)
- Re: Filezilla's silent caching of user's credentials Jeffrey Walton (Oct 07)
- Re: Filezilla's silent caching of user's credentials Hurgel Bumpf (Oct 08)
- Re: Filezilla's silent caching of user's credentials Jeffrey Walton (Oct 08)
- Re: Filezilla's silent caching of user's credentials Jeffrey Walton (Oct 16)
- Re: Filezilla's silent caching of user's credentials dave b (Oct 16)
- Re: Filezilla's silent caching of user's credentials coderman (Oct 21)
- Re: Filezilla's silent caching of user's credentials Christian Sciberras (Oct 26)
- Re: Filezilla's silent caching of user's credentials Jeffrey Walton (Oct 16)
- Re: Filezilla's silent caching of user's credentials Vipul Agarwal (Oct 09)
- Re: Filezilla's silent caching of user's credentials Brandon McGinty (Oct 11)
- Re: Filezilla's silent caching of user's credentials rdsears (Oct 11)
- Re: Filezilla's silent caching of user's credentials Mutiny (Oct 13)