On Sat, Dec 24, 2022 at 3:06 PM Fish Fish <david.b.trout@...> wrote:
Dave Wade wrote:
> Gentles,
> There was, at one time, issues with FileZilla and security,
Which, after looking at the referenced CVE, unless I'm misunderstanding things (which wouldn't be the first time!), I call bullshit on. The write-up of the exploit on:
*
specifically states:
    "Attackers need to compromise the victim device
     to exploit this Vulnerability."
and if your device is already compromised, as we all know, anything goes! So basically what they're saying is, you need to compromise the user's system first and THEN you can steal the user's FTP id and password!
Well DUH!! :)
But from what I'm reading, this so-called FileZilla <cough!> "exploit" <cough!> can only be executed ON AN ALREADY COMPROMISED SYSTEM (but does *not* otherwise provide any means for the attacker to compromise the victim's computer in the first place!).
So it doesn't sound like much of a FileZilla vulnerability to me.
Yes, I agree that account ids and their associated passwords should most certainly *not* be kept anywhere in memory once they've been used (and especially not in clear text!). I agree with that. So yes, FileZilla could certainly do with some better handling in that regard.
But to call this a FileZilla vulnerability that users should be seriously concerned about? Nah. I ain't worried about it, and I doubt most other FileZilla users are either. The only person that seems concerned about it is the person that discovered the so-called "vulnerability".
> so I always suggest that folks do their own research
> and check the current situation before installing it.
THAT is *always* good advice.
> There is still some info on Reddit, but discussion on
> the official FileZilla forums was removed by the owner
> of FileZilla.
Oh? I wasn't aware of that. Can the Internet Archive Wayback Machine maybe be used to retrieve the original discussion? I find such removal to be highly unusual and quite concerning. UNLESS... maybe the discussion contained information on how to exploit this so-called vulnerability? Or otherwise contained sensitive information the forum owner did not want to make public? (Such as userids and passwords or some such?)
What I'm getting at here is, I seriously doubt the FileZilla people are trying to cover anything up.
> Those with Windows may wish to note that "explorer", that
> is the tool you use to explore the local filestore still
> supports FTP but you may need to jump through hoops to get
> it to work on Windows/11
Windows's FTP client has always sucked.
--
"Fish" (David B. Trout)
Software Development Laboratories