Preview broken, possible hack?
rickheck:
Just a warning. If you are using FileZilla as your FTP client, there is malware out there that will grab your FTP credentials from the FileZilla PLAIN TEXT FILE (yikes! >:( ) and use that information to insert that malware code (indicated by the #b58b6f# type of code around a "gzinflate(base64_decode)" command). That is how your files will get attacked/compromised.
Look in your %APPDATA%/Roaming/Filezilla folder. One of the XML files in there has all your FTP web site credentials (user/password/etc) in PLAIN TEXT! And the FileZilla people refuse to fix that obvious security hole.
My recommendation: delete FileZilla from your computer (and you have to manually delete the folder in your APPDATA folder).
If you need a secure FTP client, use WinSCP (www.winscp.net), where you can set a master password and all of your site credentials are encrypted.
Just a warning....Rick...
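For checking a downloaded copy of a site for the injection described in the post above, here is an added example (not part of the original post and not SMF or FileZilla code) that flags files containing a paired six-hex-digit marker such as #b58b6f# or a "gzinflate(base64_decode(" call. The optional "/" in the closing marker, the file-extension list and the sample file contents are assumptions.

```python
import os
import re
import sys

# Paired 6-hex-digit marker, e.g. #b58b6f# ... #b58b6f# (a "/" in the closing marker is an assumption).
MARKER_BLOCK = re.compile(r"#([0-9a-f]{6})#(.*?)#/?\1#", re.DOTALL | re.IGNORECASE)
PACKED_CALL = re.compile(r"gzinflate\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
WEB_EXTENSIONS = (".php", ".html", ".htm", ".js", ".tpl")  # assumed list of file types to check
# Constructed sample of an infected file; the payload is a harmless placeholder.
SAMPLE = '<?php\n#b58b6f#\ngzinflate(base64_decode("PLACEHOLDER"));\n#/b58b6f#\nrequire "SSI.php";\n'


def scan_text(text):
    """Return sorted (line_number, reason) findings for one file's contents."""
    findings, spans = [], []
    for m in MARKER_BLOCK.finditer(text):
        reason = "marker block #%s#" % m.group(1).lower()
        if PACKED_CALL.search(m.group(2)):
            reason += " wrapping gzinflate(base64_decode("
        findings.append((text.count("\n", 0, m.start()) + 1, reason))
        spans.append(m.span())
    for m in PACKED_CALL.finditer(text):
        # Report packed calls separately only when no marker block already covers them.
        if not any(start <= m.start() < end for start, end in spans):
            findings.append((text.count("\n", 0, m.start()) + 1,
                             "gzinflate(base64_decode( outside any marker block"))
    return sorted(findings)


def scan_tree(root):
    """Walk root and return {path: findings} for web files with at least one finding."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        for line, reason in hits:
            print("%s:%d: %s" % (path, line, reason))
```

A hit on the packed call alone is not proof of compromise, since some legitimate code compresses data this way; compare flagged files against a clean copy of the same SMF release.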
MrPhil:
All FTP clients transfer passwords in clear text (that's the protocol), but it's inexcusable that FZ would store it in the open! I wonder how other clients store passwords? I know that FTP Commander encrypts it in some format. I suppose that once you know the algorithm used, and can figure out where the key comes from, that any list would be easily cracked, but at least there would be some work involved.
This is a second strike against FZ. There's a big debate going on in the Bugs board about the fact that SMF stores attachments and avatars with hashed names with no extension (filetype). If you use FZ to do a backup, with automatic mode selection, it will choose ASCII for these files and will thus corrupt any binary files in your backup! The SMF developers say, "That's not our fault; it's an FZ bug so we don't need to do anything about it," and the FZ developers have been saying for years that, "All the extension-less files we ever transfer are text, so ASCII is appropriate." The bottom line is don't use FileZilla to back up your site!
Aleksi "Lex" Kilpinen:
FileZilla is fine, it's a good client - you just need to make sure you know the oddities of it. A wise user learns the settings, and tests the results, before trusting any software.
Just like actually keeping a plain text file of all your passwords ever should be safe for you to have on your computer, you just need to make sure your computer is clean and protected. A wise user does not keep them saved in the client forever, but deletes them when they are not needed.
Bottom line, FileZilla can be safely used when you know what you are doing and use some common sense.