I feel that this should be brought to the attention of FileZilla users out there even though it may not be a huge concern to everyone (lots of apps do this, but potentially giving up FTP access info for a bunch of servers you are responsible for is something to be avoided).
I love the FTP client FileZilla, and I used to share my filezilla.xml file between machines because it stored all my recent servers and passwords (encrypted). Recently I tried to do the same and found out that the most recent versions of FileZilla, version ~ 3.0.9.2+ (and possibly older), store all saved FTP account connection info in plaintext .xml files. This applies to both Linux and Windows installations (Mac OS X has yet to be tested, but I would bet the same applies).
In some cases this is convenient – often I connect with FileZilla, then later don’t have the password at hand but need it in a different app or on a different machine, and I can just look it up in these plaintext config files.
But in other cases this is a serious problem. From a practical standpoint, let’s say you connect to your FTP server using FileZilla on a semi-public machine, like at a buddy’s place, where you may not be concerned about keyloggers but don’t necessarily want your credentials sitting around in plaintext after you walk away.
And let’s not forget that someone could write an app that runs in the background, slurping up that info and putting it in the hands of people you may not trust.
Personally, I am not gonna stop using FileZilla as my primary FTP client on my Linux and Windows boxes; it really is a great app – one of the best clients, if not the best. But I feel that awareness of how sensitive data is stored should be a major concern to any serious user.
The following files are what you need to know about:
filezilla.xml – Stores most recent server info including password in plaintext.
recentservers.xml – Stores all recent server info including password in plaintext.
sitemanager.xml – Stores all saved sites server info including password in plaintext.
These files can usually be found in the following directories:
Windows XP/2K: “C:\Documents and Settings\username\Application Data\FileZilla”
Windows Vista: “C:\Users\username\AppData\Roaming\FileZilla\”
Linux: “/home/username/.filezilla/”
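As an added example (not code from the post or from the FileZilla project), here is a small Python script that audits the three files listed above for saved passwords without printing them, and can blank the passwords out before a config file is copied to another machine. The element names Server/Host/User/Pass are assumed from FileZilla’s XML layout, the Windows directory is derived from APPDATA rather than hard-coded, and the sample XML is constructed for the test.

```python
"""Audit FileZilla config XML for saved plaintext passwords (added example).
Element names (Server/Host/User/Pass) are assumed from FileZilla's layout."""
import os
import sys
import xml.etree.ElementTree as ET

# The three files the post names; looked up in the per-OS directories it lists.
CONFIG_FILES = ("filezilla.xml", "recentservers.xml", "sitemanager.xml")

def config_dir():
    """Return the FileZilla config directory for the current platform."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("APPDATA", ""), "FileZilla")
    return os.path.join(os.path.expanduser("~"), ".filezilla")

def find_saved_passwords(xml_text):
    """Return (host, user, masked_pass) for every <Server> with a non-empty <Pass>.
    Only the password length is reported, so the audit output itself does not
    leak what the file leaks."""
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        pw = server.findtext("Pass") or ""
        if pw:
            found.append((server.findtext("Host", ""),
                          server.findtext("User", ""), "*" * len(pw)))
    return found

def scrub_passwords(xml_text):
    """Return (xml, count): a copy of the XML with every <Pass> emptied, e.g.
    before sharing the file between machines as the post describes."""
    root = ET.fromstring(xml_text)
    count = 0
    for pw in root.iter("Pass"):
        if pw.text:
            pw.text = ""
            count += 1
    return ET.tostring(root, encoding="unicode"), count

# Constructed sample in the layout of a FileZilla site file (not a real config).
SAMPLE = """<FileZilla3><Servers>
<Server><Host>ftp.example.test</Host><Port>21</Port><User>alice</User><Pass>hunter2</Pass></Server>
<Server><Host>ftp.other.test</Host><Port>21</Port><User>bob</User><Pass></Pass></Server>
</Servers></FileZilla3>"""

if __name__ == "__main__":
    for name in CONFIG_FILES:
        path = os.path.join(config_dir(), name)
        if os.path.exists(path):
            with open(path, encoding="utf-8") as f:
                for host, user, masked in find_saved_passwords(f.read()):
                    print(f"{name}: {user}@{host} password saved ({masked})")
```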
It seems that this has been brought to the developers’ attention, but it also seems that it won’t be changing any time soon. There seems to be a bit of a dispute as to how this should be handled, but I say why not use weak cryptography/obfuscation like they used to? At least that way it would take someone some minor effort/know-how to get to these passwords.
If you have further information regarding the subject, please comment.
Related resources:
Security posting: http://seclists.org/fulldisclosure/2008/Apr/0511.html
FileZilla Password Recovery Apps/Scripts: (may only apply to older encryption scheme)
http://www.reactive-software.com/filezilla-password-recovery.html
http://www.ianwootten.co.uk/2008/01/05/decrypting-filezilla-passwords-with-php/


Where are these stored on a vista machine?
I got my hands on a Vista box, found the folder and added it to the list of directories above.
Thanks, Sam
[...] Note: I see that others have also talked about the plaintext password problem. [...]
I hate to burst your bubble, but FTP passwords are transmitted in plain text anyway, and filezilla is open source. Even if they did use weak encryption, it needs to be reversible by design, and the reversing code would be (and has been) freely available right in the source distribution. Actually, they could simply copy your XML files over their own Filezilla installation and connect using your credentials. If someone wants to get into your account, and they have access to your XML files, you’re screwed either way.
What *should* be implemented is an option to not store the password, and have the application prompt for it when needed. FlashFXP does this, where if you leave the password box empty, it will pop up when you try to connect. It doesn’t get saved, and even if you reconnect during the same session, it prompts you again.
That way, you can safely FTP from a public location without exposing your password. A person could still sniff the IP traffic, but that’s a bit more involved than merely copying a text file, and much harder to pull off without getting caught (unless you’re the sysadmin).
My bubble is in great shape – I’m well aware that FTP is plaintext and Filezilla is open source. My point is that it is now too easy to see passwords, simply glancing at a file in a text editor. You’ve got a point that someone could just copy the xml files over their own installation but the difference here is that anyone can read plaintext, it takes someone with some knowledge + effort to go beyond that.
I’m not worried about the pros and the overeager who would sniff my network nearly as much as the junior script kiddies who would gladly slurp plaintext but shy away from some simple decoding.
Optional password storage would make a lot of sense, it is a bit presumptuous although convenient to store recent logins.
Personally, I’m glad the passwords are stored in plain text. I deal with a lot of ftp servers, and some accounts we’ve had for so long we (and the other sysadmins) have forgotten what the passwords were. I know, document stuff better, but people don’t. Plaintext passwords saved the day.
I’ve recently switched from LeapFTP to FileZilla, and I don’t plan on switching to anything else for quite some time. I had to use a password revealer to get my ftp accounts imported into FZ …
I actually came here looking for the location of the xml files, because this morning I had to tell a client what account / password we were using to access their ftp server. Thanks for posting the location, as I seemed to be unable to locate them on my own. Windows Search failed me.
Yes, of course the FTP protocol does transmit in plain text, but there is a difference between the theory and the real world.
In the real world, my data collector will be happy to search for and extract passwords from files that store them in plain text (in every filezilla installation) on the machines that I may hack.
And nope, most people don’t encrypt their home directory. And a new password often leads to a new – higher – level of access.
So yes, there is a big difference between mounting a man-in-the-middle attack, which requires being in the right place at the right moment, and simply taking a file and having access to the last X months of login history.
“If you don’t trust your root, don’t use the system” -> what about: never trust anyone ?