Bug Reports: Report bugs here. (non-beta releases only)

Thread: Weak password encryption

#1  05-09-2003, 04:06 AM
Member, FlashFXP Beta Tester (Join Date: Apr 2002, Posts: 69)

Weak password encryption

http://www.securityfocus.com/bid/7499/info/
Is this indeed the case? If so, perhaps you could use the SSL DLLs to do a nice 128-bit AES encrypt instead.

#2  05-09-2003, 04:08 AM
Senior Member, FlashFXP Beta Tester (Join Date: Dec 2002, Posts: 111)

This is, to my knowledge, the case.

Decrypting the user passwords is an easy task, unfortunately.

(Unless the algo changed, but I doubt it.)

Let's hope the encryption will be made stronger sometime :-)

#3  05-09-2003, 04:28 AM
Senior Member, FlashFXP Scripter (Join Date: Nov 2002, Posts: 334)

For this Bigstar made the application protection. That's much stronger than the standard asterisks.

#4  05-09-2003, 07:38 AM
Super Duper, FlashFXP Beta Tester (Join Date: Oct 2001, Location: Brooklyn, NY, Posts: 3,882)

Yup.
Regular encryption is not really an encryption but rather a text cipher.
But once the application level password is enabled you might as well try to do social engineering, because it's virtually impossible to "crack" such a password.

Which makes me wonder if this Dvdman@l33tsecurity.com of L33tsecurity 2003 even bothered to contact Bigstar about this, or to use FlashFXP to the full extent, as is customary when finding and reporting vulnerabilities.
Plus he didn't "discover" this. Password decrypters for FlashFXP existed way back in v1.2 days.

#5  05-09-2003, 07:43 AM
Senior Member, FlashFXP Beta Tester (Join Date: Dec 2002, Posts: 111)

Yes. Though I still wonder why the passwords aren't encrypted using a heavy algo. The algo is obviously there (since it's used in other places in the program). Why not use it on user passwords also?

Just a thought.

/J-J

#6  05-09-2003, 07:47 AM
Super Duper, FlashFXP Beta Tester (Join Date: Oct 2001, Location: Brooklyn, NY, Posts: 3,882)

Because it's up to the user to decide. FlashFXP gives them the option of using the application level password, which also encrypts sites.dat, or the regular text cipher.

#7  05-09-2003, 07:52 AM
Senior Member, FlashFXP Registered User, ioFTPD Foundation User (Join Date: Oct 2001, Posts: 136)

For years, people like me have been pushing Bigstar to make the passwords plaintext in the sites.dat, so other programs can add/remove/process the sites more easily via script.

Besides, if the passwords were truly encrypted to where nothing but FlashFXP could read them, as a default option, and other FTP programs did the same... how would anyone import/export their site lists?

- Raccoon

#8  05-09-2003, 08:18 AM
Super Duper, FlashFXP Beta Tester (Join Date: Oct 2001, Location: Brooklyn, NY, Posts: 3,882)

Well, why would you want to import FlashFXP sites to another client?

#9  05-09-2003, 08:31 AM
Senior Member, FlashFXP Beta Tester (Join Date: Dec 2002, Posts: 111)

MxxCon: Good point! :-)

Yes, I agree on that too. Though the simple cipher seems to me like a false sense of security. Normal users think they're very well protected when in fact they are not even close.

But I get the point. :-)

/J-J

#10  05-09-2003, 10:14 AM
FlashFXP Developer, FlashFXP Administrator, ioFTPD Beta Tester (Join Date: Oct 2001, Posts: 8,012)

If you activate the Application Password Protection (APP), all of your data files will be encrypted using strong 160-bit encryption.

To activate APP, from FlashFXP: Sites > Security > Set Password.

When APP is enabled you will be prompted for a password each time FlashFXP is started.

All encryptions can be decrypted fairly easily unless there is a magic key (a hash) that only the user knows. Storing the key inside the exe or in a separate file would only offer a false sense of security, as the data can be extracted and manipulated. This is where APP comes in: the user is forced to enter the password on startup.

You have to realize that FlashFXP must be able to decrypt the password to send it to the FTP server. Any decryption algorithm we use within our software can easily be duplicated.

I was never contacted regarding this security issue. The scheme used for site passwords was never intended to resist an attack where the attacker reverse engineered our encryption algorithm.

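The developer's argument above, as an added example that is not FlashFXP's code: a stored-credential scheme whose key is a constant inside the program is reversible by anyone holding a copy of the program, whereas an APP-style scheme derives its key from a password the user types at startup, so the file on disk is useless without it. PBKDF2 and the HMAC counter-mode keystream are stand-ins chosen so the block runs on Python's standard library alone; the credential, salt and password are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample credential; not a real account.
SAMPLE = b"ftp.example.test:alice:hunter2"

# Scheme A (assumed illustration, not FlashFXP's cipher): the key is a
# constant baked into the program, so every copy of the program can undo it.
EMBEDDED_KEY = hashlib.sha256(b"constant baked into the exe").digest()

def obfuscate(data: bytes) -> bytes:
    """XOR with a fixed keystream; self-inverse, so it is not real protection."""
    return bytes(b ^ EMBEDDED_KEY[i % len(EMBEDDED_KEY)] for i, b in enumerate(data))

# Scheme B (APP-style): keys exist only while the user-typed password does.
def derive_keys(password: str, salt: bytes):
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]  # encryption key, MAC key

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC in counter mode, standing in for a block-cipher keystream.
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:n])

def seal(password: str, plaintext: bytes) -> bytes:
    """Produce salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    ek, mk = derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(ek, nonce, len(plaintext))))
    tag = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unseal(password: str, blob: bytes):
    """Return the plaintext, or None on a wrong password or a tampered file."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    ek, mk = derive_keys(password, salt)
    expected = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(ek, nonce, len(ct))))
```

The MAC check also catches the "extracted and manipulated" case the post mentions: an edited blob is rejected rather than decrypted to garbage.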
#11  05-09-2003, 10:43 AM
Disabled, FlashFXP Registered User, ioFTPD Administrator (Join Date: Dec 2001, Posts: 2,230)

If you're worried about your passwords getting into the wrong hands, you should install ffxp on an encrypted partition. (There's a free tool called PGPdisk that does it.)

#12  05-09-2003, 03:13 PM
Junior Member, FlashFXP Registered User (Join Date: Oct 2001, Posts: 24)

Quote: Originally posted by dark0n3
    If you're worried about your passwords getting into the wrong hands, you should install ffxp on an encrypted partition. (There's a free tool called PGPdisk that does it.)

or just beat the crap out of anyone you see sitting at your desk trying to move something to the floppy disk

#13  05-09-2003, 04:22 PM
Super Duper, FlashFXP Beta Tester (Join Date: Oct 2001, Location: Brooklyn, NY, Posts: 3,882)

After contacting SecurityFocus they updated their advisory page to show correct information about FlashFXP.
SecuriTeam have not yet updated their page..