Rank: Guest
Groups:
Joined: 8/10/2009 Posts: 732
|
Hi, I don't know if I should call this a bug, but it certainly should be considered "risky" for those using the FTP upload option. I'm using the free version and I noticed that when I set up the FTP account, if I put a wrong password and test the connection, there's an error message showing the wrong password:
Request: PASS 123456 (example) Response: 530 Authentification failed, sorry.
The "bug" is that if I put the right password, anyone with access to the backup software is allowed to know my FTP pass, and I don't think that should happen.
Example: Let's say my pass is ABC, so someone else that has access to the DB and PC adds a character to the password field (***1, for example). The message would say: Request: PASS ABC1 Response: 530 bla bla bla.... What concerns me is that there are many people who may be able to handle the DB, but that's no reason for any of them to know the FTP account.
So could you please check this issue? Or change that message just to "Wrong password" or whatever.
Thanks in advance
|
|
|
|
Rank: Administration
Groups: Administrators
Joined: 8/10/2009 Posts: 368
|
Thank you for reporting this. We do encrypt all passwords in our *.jobx file, but it seems it is exposed in this case. We'll try to fix it soon. Thanks again.
|
|
|
|
Rank: Administration
Groups: Administrators
Joined: 8/12/2009 Posts: 271
|
We've just fixed this vulnerability in version 5.7.1 of SqlBackupAndFtp. Please check.
|
|
|
|
Rank: Guest
Groups:
Joined: 8/10/2009 Posts: 732
|
mikeshilov wrote: We've just fixed this vulnerability in version 5.7.1 of SqlBackupAndFtp. Please check.
Thanks a lot, I'll give it a try ^^
|
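The leak reported in this thread comes from echoing the raw FTP control command into a user-visible message. The following is an added example, not SqlBackupAndFtp's code and not part of the original posts: a sketch of masking secret-bearing FTP commands before a transcript is shown or logged. The names `redact_ftp` and `FtpSecretFilter` are hypothetical, the sample lines are constructed, and covering `ACCT` as well as `PASS` goes beyond what the thread mentions.

```python
import logging
import re

MASK = "****"

# FTP commands whose argument is a secret (RFC 959): PASS, and ACCT (an assumption
# beyond the thread, which only mentions PASS).
_SECRET_CMD = re.compile(
    r"(^[ \t]*|\bRequest:\s*)"         # line start, or the "Request:" label from the post
    r"(PASS|ACCT)[ \t]+"               # command name (case-insensitive) and separator
    r"(.+?)"                           # the secret argument, spaces allowed
    r"(?=\s+Response:|\r?$)",          # stops at a "Response:" label or end of line
    re.IGNORECASE | re.MULTILINE,
)


def redact_ftp(text: str) -> str:
    """Return text with the argument of every PASS/ACCT command masked."""
    return _SECRET_CMD.sub(lambda m: f"{m.group(1)}{m.group(2)} {MASK}", text)


class FtpSecretFilter(logging.Filter):
    """Logging filter that masks FTP secrets after %-formatting, before any handler runs."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_ftp(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    # Constructed sample lines; the first mirrors the message format quoted in the thread.
    samples = [
        "Request: PASS ABC1 Response: 530 Authentification failed, sorry.",
        "USER backup\r\npass s3cret pw\r\n530 Login incorrect.\r\n",
    ]
    for line in samples:
        print(repr(redact_ftp(line)))

    log = logging.getLogger("ftp-test")
    log.addFilter(FtpSecretFilter())
    logging.basicConfig(format="%(message)s")
    log.error("Request: %s Response: %s", "PASS ABC1", "530 failed")
```

Masking at the point where the message is built keeps the credential out of dialogs, log files and support bundles alike, independent of how the password is stored at rest.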