漏洞描述
FileZilla是一款Windows平台的开放源码FTP/SFTP客户端。 FileZilla将配置设置保存在XML文件或Windows注册表中,具体取决于安装时用户的偏好。但任何一种保存方式都是将除口令以外的配置设置以明文保存的,而口令是以很弱的XOR加密保存的,很容易恢复。XOR加密方法总是使用相同的硬编码加密密钥,任何人都可以分析应用程序的源码找到密钥。注意:这个漏洞厂商存在争议。
FileZilla FTP客户端硬编码密钥漏洞
PoC代码
暂无相关漏洞推荐
- CVE-2011-2523: VSFTPD 2.3.4 - Backdoor Command Execution
- (CVE-2010-20103)ProFTPD 1.3.3c后门导致远程代码执行漏洞
- Wing FTP Server认证绕过导致远程代码执行(CVE-2025-47812)
- POC CVE-2025-54309: CrushFTP - Authentication Bypass Race Condition
- POC CVE-2019-19368: Rumpus FTP Web File Manager 8.2.9.1 - Cross-Site Scripting
- POC CVE-2020-27735: Wing FTP 6.4.4 - Cross-Site Scripting
- POC CVE-2022-0864: UpdraftPlus < 1.22.9 - Cross-Site Scripting
- POC CVE-2023-43177: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
- POC CVE-2024-4040: CrushFTP VFS - Sandbox Escape LFR
- POC CVE-2025-31161: CrushFTP - Authentication Bypass
- POC CVE-2025-47812: Wing FTP Server <= 7.4.3 - Remote Code Execution
- POC CVE-2025-47813: Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie
- POC CVE-2011-2523: VSFTPD 2.3.4 - Backdoor Command Execution