FTPS SECURITY leak!

Bug reports will be moved here when the described bug has been fixed

Isica
Junior Member
Posts: 38
Joined: 2013-09-24, 05:07 UTC

FTPS SECURITY leak!

Post by *Isica »

When the "SSL/TLS" option is enabled in the TC FTP connection settings but the server doesn't accept the "AUTH TLS" command, TC immediately QUITs this connection and asks the user to confirm a reconnect.
When the user confirms this reconnect, TC, without any warning, tries to establish an UNSAFE connection (which compromises the user's password!)
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: FTPS SECURITY leak!

Post by *ghisler(Author) »

Hmm, but it asks for confirmation if the connection fails.
Author of Total Commander
https://www.ghisler.com
Isica
Junior Member
Posts: 38
Joined: 2013-09-24, 05:07 UTC

Re: FTPS SECURITY leak!

Post by *Isica »

Confirmation of what? Yes, reconnect confirmation is requested.
But there is not a word that the session will be UNSAFE! And that is exactly the moment that should be emphasized as much as possible, i.e. the message should be MB_ICONWARNING + MB_DEFBUTTON2 (+ MB_YESNO), and its text should clearly indicate that the password will be transmitted in clear text!

PS
If you dig a little deeper, one can assume that such security leaks may come out somewhere else.
1:----------
1:Connect to: (08.12.2019 12:06:04)
1:hostname=***
1:username=***
1:startdir=
1:220 FTP Server ready.
1:AUTH TLS
1:500 AUTH not understood
1:AUTH SSL
1:500 AUTH not understood
1:QUIT
That is, TC itself breaks the connection, and then screams that it was lost :) Well, that is a trifle.
Worse, the reconnect procedure ignores the security settings, and this procedure is probably used elsewhere.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: FTPS SECURITY leak!

Post by *ghisler(Author) »

This has been fixed since beta 9, please test with beta 9 or 10!

09.12.19 Fixed: FTP connect: If AUTH TLS/SSL fails, retry with it enabled if the user confirms to retry (32/64)
Author of Total Commander
https://www.ghisler.com
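The exchange from Isica's log and the behaviour described in the fix line above, modelled as an added example that is not Total Commander code and makes no claim about how TC implements it. A scripted, in-memory stand-in for the server's control channel (names `ScriptedFtpServer`, `ftp_login`, `reconnect_dropping_tls`, `reconnect_keeping_tls` and all replies are constructed here) answers `AUTH TLS`/`AUTH SSL` with `500 AUTH not understood`; the client side shows the two reconnect policies side by side: a retry that forgets the SSL/TLS setting sends `USER`/`PASS` in clear, a retry that re-applies it refuses and QUITs again, exactly the command sequence seen in the log.

```python
"""Explicit FTPS (AUTH TLS, RFC 4217) negotiation against a server that rejects
AUTH, and what a reconnect that drops the TLS requirement leaks.

Added example for the forum thread; the server, the client and every reply
string are constructed stand-ins, not Total Commander code."""


class ScriptedFtpServer:
    """Constructed stand-in for an FTP server control channel (no sockets).

    Every line in both directions is recorded together with whether the channel
    had already been upgraded to TLS when the line crossed it, so the transcript
    can be queried for what a passive sniffer would have seen."""

    def __init__(self, supports_tls: bool):
        self.supports_tls = supports_tls
        self.tls_active = False
        self.transcript = []  # (direction, line, sent_under_tls)

    def greeting(self) -> str:
        return self._log("S", "220 FTP Server ready.")

    def send(self, cmd: str) -> str:
        """Client -> server command; returns the server's reply line."""
        self._log("C", cmd)
        verb = cmd.split(" ", 1)[0].upper()
        upgrade = False
        if verb == "AUTH":
            if self.supports_tls:
                reply, upgrade = "234 AUTH command ok; starting TLS", True
            else:
                reply = "500 AUTH not understood"   # the reply from the log
        elif verb == "USER":
            reply = "331 Password required"
        elif verb == "PASS":
            reply = "230 User logged in"
        elif verb == "QUIT":
            reply = "221 Goodbye"
        else:
            reply = "502 Command not implemented"
        self._log("S", reply)          # the 234 itself still travels in clear
        if upgrade:
            self.tls_active = True     # the TLS handshake would happen here
        return reply

    def _log(self, direction: str, line: str) -> str:
        self.transcript.append((direction, line, self.tls_active))
        return line


class TlsNotAvailable(Exception):
    """Server rejected AUTH TLS/SSL and policy forbids a cleartext login."""


def ftp_login(server, user: str, password: str, require_tls: bool,
              allow_cleartext_fallback: bool = False) -> dict:
    """Drive the control channel up to login and return {'tls': bool}.

    With require_tls and no explicit fallback, a server that rejects both AUTH
    variants gets a QUIT and TlsNotAvailable is raised before USER/PASS are
    ever sent; the password never leaves the client."""
    server.greeting()
    tls = False
    if require_tls:
        for cmd in ("AUTH TLS", "AUTH SSL"):      # same order as in the log
            if server.send(cmd).startswith("234"):
                tls = True
                break
        if not tls and not allow_cleartext_fallback:
            server.send("QUIT")
            raise TlsNotAvailable("server does not accept AUTH TLS/SSL")
    server.send(f"USER {user}")
    server.send(f"PASS {password}")
    return {"tls": tls}


def reconnect_dropping_tls(server, settings: dict) -> dict:
    """Pre-fix behaviour as reported: the retry ignores the saved SSL/TLS
    setting, so the login goes out in clear without any warning."""
    return ftp_login(server, settings["user"], settings["password"],
                     require_tls=False)


def reconnect_keeping_tls(server, settings: dict) -> dict:
    """Post-fix behaviour: the retry re-applies the saved setting, so a server
    that still rejects AUTH is refused again instead of getting a cleartext login."""
    return ftp_login(server, settings["user"], settings["password"],
                     require_tls=settings["tls"])


def cleartext_lines(server) -> list:
    """Lines that crossed the wire before any TLS upgrade: the sniffer's view."""
    return [line for _, line, secured in server.transcript if not secured]


def client_commands(server) -> list:
    return [line for direction, line, _ in server.transcript if direction == "C"]


if __name__ == "__main__":
    settings = {"user": "alice", "password": "s3cret", "tls": True}  # constructed
    srv = ScriptedFtpServer(supports_tls=False)
    try:
        ftp_login(srv, settings["user"], settings["password"], require_tls=True)
    except TlsNotAvailable as exc:
        print("first attempt refused:", exc, client_commands(srv))
    srv = ScriptedFtpServer(supports_tls=False)
    reconnect_dropping_tls(srv, settings)
    print("old reconnect, visible on the wire:", cleartext_lines(srv))
```

Run as is to see the `AUTH TLS`, `AUTH SSL`, `QUIT` sequence from the log followed by the cleartext `PASS s3cret` the old reconnect produces. The point of the model is that a "connection lost, retry?" prompt is not a place where a security setting may be silently discarded: whatever the retry does, it has to carry the same `require_tls` policy as the first attempt, or ask for an explicit opt-in to cleartext that names the consequence.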
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: FTPS SECURITY leak!

Post by *ghisler(Author) »

Could someone please confirm this fix?
Author of Total Commander
https://www.ghisler.com
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: FTPS SECURITY leak!

Post by *ghisler(Author) »

Since no one has complained, and it works in my own tests, I'm moving this to fixed bugs now.
Author of Total Commander
https://www.ghisler.com