Re: Windows Explorer may expose FTP passwords in plaintext



Thanks, Shenan, for the links. I'd done some googling on this before I posted
the original question and didn't find these.

So, it's a known, long-standing issue. And it's mind-boggling that the
response is "besides, nobody can see it." (Except maybe someone who walks
up and looks over your shoulder at your monitor, but hey).

It's interesting to note that Internet Explorer does not display the
password. Only Windows Explorer.

Anyway, thanks. I'll see if I can find someone up at Redmond who cares about
this sort of stuff.

It is not like this discussion is new. ;-)

Maybe where the password is displayed is (maybe) - but I am sure it has to
do with 'how the browser has to pass the credentials...' - so it may be a
direct result of the protocol rules of passing things in clear/plain text.

Internet Explorer 5, Netscape 4.61 Reveal FTP User Names and Passwords
http://www.astonisher.com/archives/bugnet/alerts/bugalert_81199.html
(1999)

Internet Explorer discloses FTP access credentials
http://www.heise-online.co.uk/security/Internet-Explorer-discloses-FTP-access-credentials--/news/94349
(2007)

Internet Explorer and Your Web Site's Privacy
http://blog.washingtonpost.com/securityfix/2007/08/ftp_files_expose_web_site_cred.html
(2007)


How to Enter FTP Site Password in Internet Explorer
http://support.microsoft.com/kb/135975
(OLD - since it mentioned Windows 95/98 - but last updated in 2007)

"NOTE: The user name and password you enter in the Login As dialog box are
passed through as plain text and may be displayed in the Internet Explorer
title bar or status bar while you are connected to the site.

Note that this is not a secure method of logging on, as the password is
viewable in plain text. If you require additional security, use the FTP
client (Ftp.exe) that is included in your version of Windows 95 or Windows
98."

Does Firefox do it?
Opera?
Any other browsers?

Or do some browsers not even do FTP because of the weak security and how
they would have to pass the username/password?

--
Shenan Stanley
MS-MVP

