Bug Reports: Report bugs here. (non-beta releases only)

05-09-2003, 04:06 AM
#1
Member
FlashFXP Beta Tester
Join Date: Apr 2002
Posts: 69

Weak password encryption
http://www.securityfocus.com/bid/7499/info/
Is this indeed the case? If so, perhaps you could use the SSL DLLs to do a nice 128-bit AES encryption instead.
05-09-2003, 04:08 AM
#2
Senior Member
FlashFXP Beta Tester
Join Date: Dec 2002
Posts: 111

This is, to my knowledge, the case.
Decrypting the user passwords is, unfortunately, an easy task.
(Unless the algo changed, but I doubt it.)
Let's hope the encryption will be made stronger sometime :-)
05-09-2003, 04:28 AM
#3
Senior Member
FlashFXP Scripter
Join Date: Nov 2002
Posts: 334

For this, Bigstar made the application protection. That's much stronger than the standard asterisks.
05-09-2003, 07:38 AM
#4
Super Duper
FlashFXP Beta Tester
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881

Yup.
Regular encryption is not really encryption but rather a text cipher.
But once the application-level password is enabled you might as well try social engineering, because it's virtually impossible to "crack" such a password.
Which makes me wonder if this Dvdman@l33tsecurity.com of L33tsecurity 2003 even bothered to contact Bigstar about this, or to use FlashFXP to its full extent, as is customary when finding and reporting vulnerabilities.
Plus, he didn't "discover" this. Password decrypters for FlashFXP existed way back in the v1.2 days.
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
05-09-2003, 07:43 AM
#5
Senior Member
FlashFXP Beta Tester
Join Date: Dec 2002
Posts: 111

Yes. Though I still wonder why the passwords aren't encrypted using a heavy algo. The algo is obviously there (since it's used in other places in the program). Why not use it on user passwords also?
Just a thought.
/J-J
05-09-2003, 07:47 AM
#6
Super Duper
FlashFXP Beta Tester
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881

Because it's up to the user to decide. FlashFXP gives them the option of using the application-level password, which also encrypts sites.dat, or the regular text cipher.
05-09-2003, 07:52 AM
#7
Senior Member
FlashFXP Registered User, ioFTPD Foundation User
Join Date: Oct 2001
Posts: 136

For years, people like me have been pushing Bigstar to make the passwords plaintext in the sites.dat, so other programs can add/remove/process the sites more easily via script.
Besides, if the passwords were truly encrypted to where nothing but FlashFXP could read them, as a default option, and other FTP programs did the same... how would anyone import/export their site lists?
- Raccoon
05-09-2003, 08:18 AM
#8
Super Duper
FlashFXP Beta Tester
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881

Well, why would you want to import FlashFXP sites into another client?
05-09-2003, 08:31 AM
#9
Senior Member
FlashFXP Beta Tester
Join Date: Dec 2002
Posts: 111

MxxCon: Good point! :-)
Yes, I agree on that too. Though the simple cipher seems to me like a false sense of security. Normal users think they're very well protected when in fact they are not even close.
But I get the point. :-)
/J-J
05-09-2003, 10:14 AM
#10
FlashFXP Developer
FlashFXP Administrator, ioFTPD Beta Tester
Join Date: Oct 2001
Posts: 8,012

If you activate the Application Password Protection (APP), all of your data files will be encrypted using strong 160-bit encryption.
To activate APP, from FlashFXP, go to Sites > Security > Set Password.
When APP is enabled you will be prompted for a password each time FlashFXP is started.
All encryption can be decrypted fairly easily unless there is a magic key (a hash) that only the user knows. Storing the key inside the exe or in a separate file would only offer a false sense of security, as the data can be extracted and manipulated. This is where APP comes in: the user is forced to enter the password on startup.
You have to realize that FlashFXP must be able to decrypt the password to send it to the FTP server. Any decryption algorithm we use within our software can easily be duplicated.
I was never contacted regarding this security issue. The scheme used for site passwords was never intended to resist an attack where the attacker reverse-engineered our encryption algorithm.
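The distinction Bigstar draws in post #10 (and that posts #2 and #4 circle around) is between a reversible cipher whose key ships inside the program, and a key that exists only while the user is typing a startup password. The following is an added example written for this thread, not FlashFXP's code: the thread never states FlashFXP's actual site-password cipher or its APP algorithm, so scheme A below is a hypothetical repeating-key XOR standing in for any "text cipher" with a built-in key, and scheme B is an illustrative PBKDF2 + HMAC-SHA256 construction chosen because the Python standard library has no AES, not the "160-bit" scheme the developer mentions. The site entry, passphrases and wordlist are constructed sample data.

```python
"""Two ways a client can store an FTP password it must later send in the clear.

Scheme A: reversible cipher with a key baked into the program. Anyone who can
read the binary (or the file format) can decrypt; the cipher only hides the
password from a casual glance.
Scheme B: every key is derived from a passphrase typed at startup, so the file
on disk is not enough by itself. Both schemes are illustrative stand-ins, not
FlashFXP's real algorithms.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# ---- Scheme A: "text cipher" with an embedded key (hypothetical) ----
# A constant in the program is effectively public once someone disassembles it.
EMBEDDED_KEY = b"hypothetical-builtin-key"


def obfuscate(plaintext: bytes) -> bytes:
    """Repeating-key XOR: looks scrambled on disk, trivially reversible."""
    return bytes(b ^ EMBEDDED_KEY[i % len(EMBEDDED_KEY)] for i, b in enumerate(plaintext))


def deobfuscate(blob: bytes) -> bytes:
    """XOR is its own inverse; anyone holding EMBEDDED_KEY can run this."""
    return obfuscate(blob)


# ---- Scheme B: keys derived from a startup passphrase (example construction) ----
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 100_000  # deliberately slow to make offline guessing costly


def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 -> (encryption key, MAC key), 32 bytes each."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    blocks = [hmac.new(enc_key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_with_passphrase(passphrase: str, plaintext: bytes) -> bytes:
    """Returns salt || nonce || ciphertext || tag. Fresh salt and nonce per call."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_with_passphrase(passphrase: str, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; wrong passphrase and tampering both fail."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered file")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# ---- What an attacker holding only the data file can do ----
def attacker_reads_scheme_a(blob: bytes) -> bytes:
    """No secret needed: the key came with the program."""
    return deobfuscate(blob)


def attacker_guesses_scheme_b(blob: bytes, wordlist: List[str]) -> Optional[str]:
    """The attack left against scheme B is offline passphrase guessing."""
    for guess in wordlist:
        try:
            decrypt_with_passphrase(guess, blob)
            return guess
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    entry = b"ftp.example.org\tjdoe\ts3cret-pass"  # constructed sample site entry
    print(attacker_reads_scheme_a(obfuscate(entry)))
    protected = encrypt_with_passphrase("correct horse battery", entry)
    print(attacker_guesses_scheme_b(protected, ["password", "letmein"]))
    print(attacker_guesses_scheme_b(protected, ["password", "correct horse battery"]))
```

Scheme A reproduces the thread's complaint: `attacker_reads_scheme_a` needs nothing the program did not already carry. Scheme B reproduces Bigstar's argument: the program can still recover the plaintext to send it to the FTP server, but only while the user has supplied the passphrase, and the residual risk moves to passphrase strength, which is why the derivation is made deliberately slow and why the wordlist attack only succeeds when the passphrase is in the list.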
05-09-2003, 10:43 AM
#11
Disabled
FlashFXP Registered User, ioFTPD Administrator
Join Date: Dec 2001
Posts: 2,230

If you're worried about your passwords getting into the wrong hands, you should install ffxp on an encrypted partition. (There's a free tool called PGPdisk that does it.)
05-09-2003, 03:13 PM
#12
Junior Member
FlashFXP Registered User
Join Date: Oct 2001
Posts: 24

Quote:
Originally posted by dark0n3
If you're worried about your passwords getting into the wrong hands, you should install ffxp on an encrypted partition. (There's a free tool called PGPdisk that does it.)

Or just beat the crap out of anyone you see sitting at your desk trying to move something to a floppy disk.
05-09-2003, 04:22 PM
#13
Super Duper
FlashFXP Beta Tester
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881

After contacting SecurityFocus, they updated their advisory page to show correct information about FlashFXP.
SecuriTeam has not yet updated its page.