06-23-2010, 06:35 AM   #1
Chronwin
Junior Member
FlashFXP Registered User
 
Join Date: Nov 2009
Location: In my office :(
Posts: 6
Encrypt Plain Text Password files - Security Issue

On June 16, 2010 I found that two of my hosting servers were compromised. Malicious JavaScript had been added to the index files on 4 different business websites. I restored and recovered immediately.

After digging around for a long time, I came across this thread: 10-ftp-clients-malware-steals-credentials-from
This is what happened to me.

PLEASE change FlashFXP so that the site manager does not save credentials in a plain text file. This is urgent and should become priority #1 because this malware is still undetectable and seems to be increasing in activity.

FlashFXP MUST come off this list in order for it to continue being a safe choice for IT professionals.

Thank You
06-23-2010, 07:10 AM   #2
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
Join Date: Oct 2001
Posts: 8,012

Hello,

FlashFXP does not save passwords in plain text; however, since the encryption is universal, it is very weak by default. The solution is to use Application password protection (from the main menu > Sites > Security > Set Password). This will encrypt all of your data files using a strong encryption method. By using this feature you will be prompted for your password each time you start FlashFXP.
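The distinction drawn in the reply above, as an added example that is not FlashFXP's code, file format or algorithm: a key shared by every install protects a saved entry from nothing that knows that key, while a key derived from an application password is never stored on disk. `UNIVERSAL_KEY`, the HMAC-based toy cipher and the sample entry are assumptions made so the block runs on the Python standard library alone.

```python
import hashlib, hmac, os

# Constructed stand-in for a key that ships inside every copy of a client.
UNIVERSAL_KEY = b"identical-in-every-install"

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    # Toy HMAC-SHA256 counter-mode keystream (standard library only).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def key_from_password(password, salt):
    # Slow, salted derivation: the key exists only while the user supplies the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)

def seal_with_password(password, plaintext):
    salt = os.urandom(16)
    return salt + seal(key_from_password(password, salt), plaintext)

def unseal_with_password(password, blob):
    return unseal(key_from_password(password, blob[:16]), blob[16:])

if __name__ == "__main__":
    entry = b"ftp.example.test|user|constructed-sample-password"
    # Universal key: anything that can read the file and knows the shared key recovers it.
    print(unseal(UNIVERSAL_KEY, seal(UNIVERSAL_KEY, entry)))
    protected = seal_with_password("application password", entry)
    print(unseal_with_password("application password", protected))
    try:
        unseal_with_password("wrong guess", protected)
    except ValueError as e:
        print("without the password:", e)
```

Production code would use an authenticated cipher such as AES-GCM from a vetted library in place of the toy cipher; the key-handling contrast is the same.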
06-23-2010, 07:22 AM   #3
Chronwin
Junior Member
FlashFXP Registered User
 
Join Date: Nov 2009
Location: In my office :(
Posts: 6

WOW!
I can't believe I overlooked that.
Thank you for being so thorough in your programming, and getting back so quickly.

I can't remember, does the default install ask you to set a pass?
Maybe it should insist on it in future releases???
06-23-2010, 07:47 AM   #4
MxxCon
Super Duper
FlashFXP Beta Tester
 
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881

FlashFXP has had this functionality since at least 2002.
People just don't read help files anymore.
Tags
login, malware, passwords, plain text, security
All times are GMT -5.