FTPS SECURITY leak!

Isica
Junior Member
Posts: 38
Joined: 2013-09-24, 05:07 UTC

Post by Isica »

When the "SSL/TLS" option is enabled in the TC FTP connection settings, but a server doesn't accept the "AUTH TLS" command, then TC immediately QUITs this connection and asks the user for confirmation to reconnect.
When the user confirms this reconnect, TC, without any warning, tries to establish an UNSAFE connection (which compromises the user password!)

ghisler(Author)
Site Admin
Posts: 38783
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: FTPS SECURITY leak!

Post by ghisler(Author) »

Hmm, but it asks for confirmation if the connection fails.
Author of Total Commander
http://www.ghisler.com

Isica
Junior Member
Posts: 38
Joined: 2013-09-24, 05:07 UTC

Re: FTPS SECURITY leak!

Post by Isica »

Confirmation of what? Yes, reconnect confirmation is requested.
But there is not a word that the session will be UNSAFE! And this is exactly the moment that should be emphasized as much as possible, i.e. the message should be MB_ICONWARNING + MB_DEFBUTTON2 (+ MB_YESNO), and its text should clearly indicate that the password will be transmitted in clear text!

PS
If you dig a little deeper, we can assume that such security leaks may come out somewhere else.
1:----------
1:Connect to: (08.12.2019 12:06:04)
1:hostname=***
1:username=***
1:startdir=
1:220 FTP Server ready.
1:AUTH TLS
1:500 AUTH not understood
1:AUTH SSL
1:500 AUTH not understood
1:QUIT
That is, TC itself breaks the connection, and then screams that it was lost :) Well, this is a trifle.
Worse, the reconnect procedure ignores security settings, and this procedure is probably used elsewhere.
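The behaviour described in this thread, as an added example that is not Total Commander's code: a minimal model of an FTP client's AUTH TLS negotiation against a scripted server that answers "500 AUTH not understood" (transcript constructed to match the log above). The `keep_tls_on_retry` switch is a hypothetical name for the decision the report is about: whether the reconnect keeps the SSL/TLS requirement or silently drops it and sends USER/PASS in the clear.

```python
"""Model of FTP AUTH TLS fallback (added example, not Total Commander's code).

Simplification: after a successful AUTH the real client would wrap the socket
in TLS; here the session only records a flag, which is enough to show whether
PASS would leave the client unencrypted.
"""
from dataclasses import dataclass, field


@dataclass
class ScriptedServer:
    """Constructed stand-in for an FTP server; by default it rejects AUTH."""
    supports_auth_tls: bool = False
    received: list = field(default_factory=list)

    def greet(self) -> str:
        return "220 FTP Server ready."

    def handle(self, line: str) -> str:
        self.received.append(line)
        verb = line.split(" ", 1)[0].upper()
        if verb == "AUTH":
            return "234 Proceed with negotiation." if self.supports_auth_tls else "500 AUTH not understood"
        if verb == "USER":
            return "331 Password required."
        if verb == "PASS":
            return "230 Logged in."
        if verb == "QUIT":
            return "221 Goodbye."
        return "502 Command not implemented."


@dataclass
class Session:
    log: list = field(default_factory=list)      # client/server lines, like TC's connection log
    tls_active: bool = False
    logged_in: bool = False
    password_sent_in_clear: bool = False


def _cmd(server: ScriptedServer, session: Session, line: str) -> str:
    session.log.append(line)
    reply = server.handle(line)
    session.log.append(reply)
    return reply


def attempt(server: ScriptedServer, user: str, password: str, require_tls: bool) -> Session:
    """One connection attempt. With require_tls the client tries AUTH TLS, then
    AUTH SSL, and QUITs if both are refused (exactly the sequence in the log)."""
    session = Session()
    session.log.append(server.greet())
    if require_tls:
        for method in ("TLS", "SSL"):
            if _cmd(server, session, f"AUTH {method}").startswith("234"):
                session.tls_active = True
                break
        else:
            _cmd(server, session, "QUIT")   # fail closed: never send credentials
            return session
    _cmd(server, session, f"USER {user}")
    reply = _cmd(server, session, f"PASS {password}")
    session.logged_in = reply.startswith("230")
    session.password_sent_in_clear = not session.tls_active
    return session


def connect_with_retry(server: ScriptedServer, user: str, password: str,
                       require_tls: bool, user_confirms_retry: bool,
                       keep_tls_on_retry: bool) -> Session:
    """First attempt, then the 'reconnect?' prompt. keep_tls_on_retry=False
    models the reported bug: the retry ignores the SSL/TLS setting."""
    first = attempt(server, user, password, require_tls)
    if first.logged_in or not user_confirms_retry:
        return first
    return attempt(server, user, password, require_tls and keep_tls_on_retry)


def outcome(session: Session) -> str:
    """Summarise a session as 'tls', 'plaintext' or 'aborted'."""
    if not session.logged_in:
        return "aborted"
    return "tls" if session.tls_active else "plaintext"


if __name__ == "__main__":
    for keep in (False, True):
        s = connect_with_retry(ScriptedServer(), "alice", "s3cret", True, True, keep)
        print(f"keep_tls_on_retry={keep}: {outcome(s)}")
        print("\n".join(s.log))
```

The point the model makes explicit: a reconnect prompt is not a security prompt. Whether the retry is allowed to drop to plaintext is a separate decision, and if it is made at all it has to be shown to the user in words ("password will be sent unencrypted"), not inferred from a generic "connection lost, reconnect?" dialog.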

ghisler(Author)
Site Admin
Posts: 38783
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: FTPS SECURITY leak!

Post by ghisler(Author) »

This has been fixed since beta 9, please test with beta 9 or 10!

09.12.19 Fixed: FTP connect: If AUTH TLS/SSL fails, retry with it enabled if the user confirms to retry (32/64)

ghisler(Author)
Site Admin
Posts: 38783
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: FTPS SECURITY leak!

Post by ghisler(Author) »

Could someone please confirm this fix?