Exposure of Proxy password in log files

ericvolness

2008-07-23 14:58:53

We have a Blue Coat proxy server and we are using USER@Host FireID Proxy ID to connect via the authenticating proxy.

We have ticked the box for user login and password.

When we do this, the connection works, but the user credentials are returned as CLEAR TEXT in the SmartFTP log.

We are currently running v2.0.996.35 and some v.1 software in the environment.

We have tested the latest v3 build but the problem remains in v3.

Oddly, in the v1 build the password is returned as PASS (hidden).

How can we resolve this issue?

[09:54:40] SmartFTP v2.0.996.35
[09:54:40] Resolving host name "PROXYIPADDRESS"
[09:54:40] Connecting to PROXYIP Port: 21
[09:54:40] Connected to ftp.sunet.se.
[09:54:40] 220 Blue Coat FTP Service
[09:54:40] USER anonymous@ftp.sunet.se USERID
[09:54:40] 331 Enter password.
[09:54:40] PASS (hidden)
[09:54:40] 332 Enter proxy password.
[09:54:40] ACCT CLEARTEXTPASSWORDHERE
[09:54:41] 230 Any password will work
[09:54:41] SYST
[09:54:41] 215 UNIX Type: L8
[09:54:41] TYPE I
[09:54:41] 200 Command okay.
[09:54:41] REST 0
[09:54:41] 350 Restarting at 0
[09:54:41] PWD
[09:54:41] 257 "/" is your current location
[09:54:41] TYPE A
[09:54:41] 200 Command okay.
[09:54:41] PASV
[09:54:42] 227 Entering Passive Mode (PROXYIP,10,71)
[09:54:42] Opening data connection to PROXYIP Port: 2631
[09:54:42] LIST -la
[09:54:42] 150 File status okay; about to open data connection.
[09:54:42] 682 bytes transferred. (1.14 KB/s) (579 ms)
[09:54:42] 226 Transfer complete, closing data connection.
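
A log scrubber for the exposure described in the post above, as an added example that is not part of the original thread and is not SmartFTP's code. It assumes the `[HH:MM:SS] text` line shape seen in the posted log and masks the argument of `PASS` and `ACCT` before a log is stored or shared; the function names and the sample input are constructed for illustration.

```python
import re

# Commands whose argument is a secret. ACCT is included because, as in the
# posted log, this proxy login scheme sends the proxy password in it.
SECRET_COMMANDS = ("PASS", "ACCT")

# Assumed line shape, taken from the posted log: "[HH:MM:SS] VERB argument"
LINE_RE = re.compile(r"^(\[\d{2}:\d{2}:\d{2}\]\s+)(\S+)(?:\s+(.*))?$")
MASK = "(hidden)"

def redact_line(line):
    """Return (redacted_line, was_exposed) for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return line, False
    prefix, verb, arg = m.groups()
    if verb.upper() not in SECRET_COMMANDS:
        return line, False          # server reply or harmless command
    if not arg or arg.strip() == MASK:
        return line, False          # nothing sent, or already masked
    return f"{prefix}{verb} {MASK}", True

def audit(log_text):
    """Redact a whole log; return (clean_text, line numbers that leaked)."""
    out, leaked = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        clean, exposed = redact_line(line)
        out.append(clean)
        if exposed:
            leaked.append(n)
    return "\n".join(out), leaked

# Constructed sample modelled on the posted log; the secret is a placeholder.
SAMPLE = """\
[09:54:40] 220 Blue Coat FTP Service
[09:54:40] USER anonymous@ftp.sunet.se USERID
[09:54:40] 331 Enter password.
[09:54:40] PASS (hidden)
[09:54:40] 332 Enter proxy password.
[09:54:40] ACCT CLEARTEXTPASSWORDHERE
[09:54:41] 230 Any password will work"""

if __name__ == "__main__":
    clean, leaked = audit(SAMPLE)
    print(clean)
    print("lines that exposed a credential:", leaked)
```

Lines reported by `audit` identify credentials that were already written to disk in clear text, so those passwords should be rotated rather than only masked.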

mb

2008-07-23 15:07:59

Changed. Fix will be available in the next build (1-3 days).

Regards,
Mat

mb

2008-07-24 21:45:40

The new version is now available at:
https://www.smartftp.com/download