About FileZilla
FileZilla is among the most popular File Transfer Protocol (FTP) applications. Launched in 2001, it’s free, open source, and runs on Linux, Windows, and Mac systems. FileZilla Server enables local or remote file storage, and the FileZilla Client features a simple graphical interface for file management tasks such as uploading, downloading, renaming, and sharing files.
Audit Description
OTF’s Security Lab partner Subgraph performed a “white-box” audit (a form of testing in which auditors have complete knowledge of the item being tested) of the FileZilla Server between April and September of 2024. The audit included coverage of some new security enhancements and focused on the web user interface (UI) and front-end components, and followed on an earlier Subgraph review of FileZilla’s core FTP server functions in 2022.
The 2024 audit included simulated attacks, tactical code reviews, and manual testing of the deployed server. Testing covered both authenticated and non-authenticated scenarios, using standard browsers and manual clients. During testing, the FileZilla server was managed using the administration GUI (a graphical user interface that allows administrators to manage and control a system, application, or website).
Scope
Subgraph’s 2024 audit encompassed FileZilla’s general functional components and basic protocol implementation, the front-end of the web UI, and the web server implementation. It also tested other key features, such as file sharing and the recent addition of PKCS#11 for server-side storage of private keys. The audit did not cover the FileZilla Client or mitigations for Denial of Service (DOS) attacks.
Findings
Auditors detected two security vulnerabilities—one flagged as “medium” and the other as “low” severity:
- Medium-Severity: In one instance, testing revealed a vulnerability to a DOS attack if too many authentication requests are sent simultaneously to the FileZilla Server’s HTTP server. This was possible for attackers regardless of whether the username and password used were valid or invalid. The auditors noted that “it does not appear possible to exploit this issue to cause memory corruption and remote code execution.”
- Low-Severity: Testing showed that when FileZilla’s built-in share function is used to share files or folders with external users, the UI provides no way to remove a shared link if its creator did not set the optional password and/or expiration values. To disable such a link, users have to delete, rename, or otherwise move the shared item. The risk is that users might accidentally share sensitive folders or files without an expiration date on the link that grants access, leaving the content accessible indefinitely.
There is also no place in the UI where users can track or review their previous shares. Without a record of when and how a share is accessed, users may be unaware of unauthorized access.
The auditors provided possible fixes, including an option to view, manage or revoke shares, logging or notifications when shared links are accessed, or the option for single-use shares that automatically expire after being accessed.
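As an added illustration of the controls the auditors suggested (this is example code written for this summary, not FileZilla’s own implementation, and every name in it is hypothetical), the following Python sketch keeps a registry of share links so the owner can list them, revoke one without touching the shared file, see when and by whom a link was used, and opt into time-limited or single-use links:

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Share:
    path: str
    single_use: bool
    expires_at: "float | None" = None  # None = never expires (the audited default)
    revoked: bool = False
    accesses: list = field(default_factory=list)  # (timestamp, client) pairs


class ShareRegistry:
    """Hypothetical registry that lets the owner list, audit and revoke every share."""
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._shares = {}

    def create(self, path, ttl_seconds=None, single_use=False):
        # Unguessable token; expiry and single-use stay opt-in, as in the audited UI
        token = secrets.token_urlsafe(16)
        expires = None if ttl_seconds is None else self._clock() + ttl_seconds
        self._shares[token] = Share(path, single_use, expires)
        return token

    def list_active(self):
        # The review view the auditors asked for: every link still granting access
        return [s for s in self._shares.values() if self._is_live(s)]

    def revoke(self, token):
        # Disable a link without deleting, renaming or moving the shared item
        share = self._shares.get(token)
        if share is None:
            return False
        share.revoked = True
        return True

    def access(self, token, client):
        # Resolve a link to its path and log the access; None if not (or no longer) valid
        share = self._shares.get(token)
        if share is None or not self._is_live(share):
            return None
        share.accesses.append((self._clock(), client))  # audit trail for the owner
        if share.single_use:
            share.revoked = True  # single-use links expire after the first access
        return share.path

    def access_log(self, token):
        return list(self._shares[token].accesses)

    def _is_live(self, share):
        return not share.revoked and (share.expires_at is None or share.expires_at > self._clock())
```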
The report notes more minor issues, such as performance variances in the web front-end between Chrome and Firefox, and the cleartext storage of the PIN used to access the Hardware Security Module that manages the private keys for server certificates.
Apart from the DOS attack scenario mentioned above, the audit found that FileZilla had a “well-configured setup for handling authentication cookies,” with a “strong focus on mitigating common security risks such as XSS, CSRF, and token theft.”
Remediation
Auditors confirmed that both issues have been fixed.