Encrypt Plain Text Password files - Security Issue

Chronwin · 06-23-2010, 06:35 AM

On June 16, 2010 I found that two of my hosting servers were compromised. Malicious JavaScript had been added to the index files on 4 different business websites. I restored and recovered immediately.

After digging around for a long time, I came across this thread: 10-ftp-clients-malware-steals-credentials-from
This is what happened to me.

PLEASE change FlashFxP so that the site manager does not save credentials in a plain text file. This is urgent and should become priority #1 because this maleware is still undetectable and seems to be increasing in activity.

FlashFxP MUST come off this list in order for it to continue being a safe choice for IT professionals.

Thank You

bigstar · 06-23-2010, 07:10 AM

Hello,

FlashFXP does not save passwords in plain text, however since the encryption is universal it makes it very weak by default, the solution is to use Application password protection (From the main menu > Sites > Security > Set Password) this will encrypt all of your data files using a strong encryption method. By using this feature you will be prompted for your password each time you start FlashFXP.

Chronwin · 06-23-2010, 07:22 AM

WOW!
I can't believe I overlooked that.
Thank you for being so thorough in your programming, and getting back so quick.

I can't remember, does the default install ask you to set a pass?
Maybe it should insist on it in future releases???

MxxCon · 06-23-2010, 07:47 AM

FlashFXP had this functionality since at least 2002

people just don't read help files anymore