Go Back   FlashFXP Forums > > > >

Bug Reports Report bugs here. (non-beta releases only)

 
 
Thread Tools Display Modes
Old 05-09-2003, 04:06 AM   #1
PeNGuiN
Member
FlashFXP Beta Tester
 
Join Date: Apr 2002
Posts: 69
Default Weak password encryption

http://www.securityfocus.com/bid/7499/info/

Is this indeed the case? If so, perhaps you could use the SSL DLLs to do a nice 128-bit AES encrypt instead
PeNGuiN is offline  
Old 05-09-2003, 04:08 AM   #2
J-J
Senior Member
FlashFXP Beta Tester
 
Join Date: Dec 2002
Posts: 111
Default

This is, to my knowledge, the case.

Decrypting the user passwords is an easy task unfortunately.

(Unless the algo changed - but i doubt it)

Let's hope the encryption will be made stronger sometime :-)
J-J is offline  
Old 05-09-2003, 04:28 AM   #3
Hetfield
Senior Member
FlashFXP Scripter
 
Join Date: Nov 2002
Posts: 334
Default

For this Bigstar made the application protection. That's much stronger than the standard asteriks.
Hetfield is offline  
Old 05-09-2003, 07:38 AM   #4
MxxCon
Super Duper
FlashFXP Beta Tester
 
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881
Default

yup.
regular encryption is not really an encryption but rather text cypher.
but once application level password is enabled you might as well try to do social engeneering becuase it's virtually impossible to "crack" such password.

which makes me wonder if this Dvdman@l33tsecurity.com of L33tsecurity 2003 even bothered to contact Bigstar about this, or use FlashFXP to the full extent, as it is customary when finding and reporting vulnerabilities.
plus he didn't "discover" this. password decrypters for flashfxp existed way back in v1.2 days
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
MxxCon is offline  
Old 05-09-2003, 07:43 AM   #5
J-J
Senior Member
FlashFXP Beta Tester
 
Join Date: Dec 2002
Posts: 111
Default

Yes. Though i still wonder why the passwords aren't encrypted using a heavy algo. The algo is obviously there (since it's used in other places in the program). Why not use it on user passwords also?

Just a thought.

/J-J
J-J is offline  
Old 05-09-2003, 07:47 AM   #6
MxxCon
Super Duper
FlashFXP Beta Tester
 
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881
Default

becuase it's up to the user to deside. flashfxp gives them the option of using application level password which also encrypt sites.dat or regular text cypher.
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
MxxCon is offline  
Old 05-09-2003, 07:52 AM   #7
Raccoon
Senior Member
FlashFXP Registered User
ioFTPD Foundation User
 
Join Date: Oct 2001
Posts: 136
Default

For years, people like me have been pushing Bigstar to make the passwords plaintext in the sites.dat, so other programs can add/remove/process the sites easier via script.

Besides, if the passwords were truely encrypted to where nothing but FlashFXP could read them, as a default option, and other FTP programs did the same... how would anyone import/export their site lists?

- Raccoon
Raccoon is offline  
Old 05-09-2003, 08:18 AM   #8
MxxCon
Super Duper
FlashFXP Beta Tester
 
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881
Default

well why would you want to import flashfxp sites to another client?
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
MxxCon is offline  
Old 05-09-2003, 08:31 AM   #9
J-J
Senior Member
FlashFXP Beta Tester
 
Join Date: Dec 2002
Posts: 111
Default

MxxCon Good point! :-)

Yes i agree on that too. Though the simple cypher seems to me like a false sence of security. Normal users think they're very well protected when they in fact are not even close.

But i get the point. :-)

/J-J
J-J is offline  
Old 05-09-2003, 10:14 AM   #10
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
 
bigstar's Avatar
 
Join Date: Oct 2001
Posts: 8,012
Default

If you activate the Application Password Protection (APP) all of your data files will be encrypted using a strong 160bit encryption.

To activate APP, from FlashFXP, Sites > Security > Set Password.

When APP is enabled you will be prompted for a password each time FlashFXP is started.

All encryptions can be decrypted fairly easily unless there is a magic key (a hash) that only the user knows. Storing the key inside the exe or in a seperate file would only offer a false sense of security, as the data can be extracted and manipulated. This is where APP comes in, The user is forced to enter the password on startup.

You have to realize that FlashFXP must be able to decrypt the password to send it to the ftp server. Any decryption algorithm we use within our software can easily be duplicated.

I was never contacted regarding this security issue. The scheme used for site passwords was never intended to resist an attack where the attacker reverse engineered our encryption algorithm.
bigstar is offline  
Old 05-09-2003, 10:43 AM   #11
darkone
Disabled
FlashFXP Registered User
ioFTPD Administrator
 
darkone's Avatar
 
Join Date: Dec 2001
Posts: 2,230
Default

If you're worried about your passwords getting into wrong hands, you should instal ffxp on encrypted partition.. (there's a free tool called PGPdisk that does it)
darkone is offline  
Old 05-09-2003, 03:13 PM   #12
WndrBr3d
Junior Member
FlashFXP Registered User
 
Join Date: Oct 2001
Posts: 24
Thumbs up

Quote:
Originally posted by dark0n3
If you're worried about your passwords getting into wrong hands, you should instal ffxp on encrypted partition.. (there's a free tool called PGPdisk that does it)
or just beat the crap out of anyone you see sitting at your desk trying to move something to the floppy disk
WndrBr3d is offline  
Old 05-09-2003, 04:22 PM   #13
MxxCon
Super Duper
FlashFXP Beta Tester
 
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881
Default

after contacting SecurityFocus they updated their advisory page to show correct information about flashfxp
SecuriTeam have not yet updated their page..
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
MxxCon is offline  
 

Tags
aes, dlls, encrypt, nice, ssl

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 11:05 PM.

Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)