Warning! SublimeText + sFTP

Postby netzware on Sat Aug 03, 2013 8:25 am

Hello,

The sFTP plugin uploads the config file named sftp-config.json. The config file includes FTP data (username, host, password, port).
I have googled the file and found sftp-config files with real FTP data.

So please delete the file sftp-config.json from your server!

blog post: http://www.netzware.net/achtung-bei-sub ... nfig-json/ (german)
blog post2: http://www.sicherheit-online.org/437/su ... t-geboten/ (german)

PS: Sorry for my bad English :D
netzware
 
Posts: 2
Joined: Sat Aug 03, 2013 8:17 am

Re: Warning! SublimeText + sFTP

Postby iamntz on Sat Aug 03, 2013 9:00 am

Even better:

# block web access to some sensitive files (matched by file name only:
# <FilesMatch> does not cover the contents of directories such as .git or node_modules)
<FilesMatch "^(sftp-config\.json|\.gitignore|\.sass-cache|\.htaccess|\.git|node_modules)$">
  # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
  Order allow,deny
  Deny from all
</FilesMatch>


In your .htaccess file 8-)
iamntz
 
Posts: 918
Joined: Fri Apr 29, 2011 8:52 am
Location: Romania

Re: Warning! SublimeText + sFTP

Postby gregor.hoch on Sat Aug 03, 2013 12:15 pm

Ähm, this sounds pretty bad but I am not sure whether I can follow. I am using ST2 with SFTP so I have a number of sftp-config.json files. How do they get uploaded on which server? I only found them on my own computer and not on the server I am connecting to. Why should they end up on GitHub (that is what one of the German articles said)?

My sftp-config files generally do not contain a password because I log in through password-less SSH login. Does that solve the problem?

And can someone give a more detailed explanation about the '.htaccess' thing?

Thanks!
gregor.hoch
 
Posts: 144
Joined: Sat Oct 01, 2011 7:54 pm

Re: Warning! SublimeText + sFTP

Postby iamntz on Sat Aug 03, 2013 1:38 pm

@Gregor: the SFTP plugin will create the config file inside of the project folder. The plugin - AFAIK - will ignore the file and won't allow uploading.
However, if you upload the whole directory using another ftp app, things can go crazy.

The .htaccess thing will block the access to sensitive files & folders on your server, so even if the file is uploaded, it won't be accessible. Sure, this works only if you use Apache, but I'm pretty sure that other servers have equivalents to this.
iamntz
 
Posts: 918
Joined: Fri Apr 29, 2011 8:52 am
Location: Romania

Re: Warning! SublimeText + sFTP

Postby netzware on Sat Aug 03, 2013 3:46 pm

gregor.hoch wrote:How do they get uploaded on which server? I only found them on my own computer and not on the server I am connecting to.

The file is uploaded only sometimes, not always.

GitHub is a little example. I always find these config files on GitHub repositories. But not every developer enjoys GitHub, so anyone can find the file on a server, maybe.
netzware
 
Posts: 2
Joined: Sat Aug 03, 2013 8:17 am

Re: Warning! SublimeText + sFTP

Postby wbond on Sat Aug 03, 2013 11:44 pm

Just to be clear - the plugin NEVER uploads the config file - unless you explicitly ask for the file to be uploaded. So you have to open the file and execute "Upload file" or right click on the file and click "Upload". It should be pretty obvious to most users to not do that…

If you care about security, which you should, you should be using SFTP and SSH keys. FTP sends your password in the clear. SFTP without SSH keys requires that you either type in your password for every connection attempt, or you have it stored somewhere on disk. In the next release I am planning on offering an option for storing your configuration files in a separate location, and I have the intention of exploring integration with popular password vaults.

If you notice, the plugin was originally designed to just be SFTP, hence the name SFTP. I was not planning on supporting FTP due to the security issues related to it. The market spoke and demanded FTP support, so I added it. Just to reiterate, I highly recommend anyone using the plugin use SFTP with an SSH key.

Also, the author of that blog has contemptible security practices. Supposedly he crawled and emailed developers for hundreds of sites. However, he never even attempted to contact me to raise his concern or ask for a response. His behavior does not sound like much of a security "professional" to me.
wbond
 
Posts: 532
Joined: Mon Feb 28, 2011 5:33 am

Re: Warning! SublimeText + sFTP

Postby gregor.hoch on Sun Aug 04, 2013 6:36 am

Thanks, wbond. After understanding what the "problem" is, I agree that SFTP is not to blame. Looking forward to the next version with ST3 support!
gregor.hoch
 
Posts: 144
Joined: Sat Oct 01, 2011 7:54 pm

Re: Warning! SublimeText + sFTP

Postby fyneworks on Thu Sep 26, 2013 9:45 am

The functionality to store the ftp settings elsewhere would be ideal. Personally, I'd like to store it above the root. So a relative path would be great!
fyneworks
 
Posts: 1
Joined: Thu Sep 26, 2013 9:41 am

Re: Warning! SublimeText + sFTP

Postby sme on Tue Dec 17, 2013 3:27 am

This issue is actually very, very serious.

When you create an STx project and you want FTP capabilities, you must create a sftp-config.json in a local folder that is the equivalent of the document root on the server. Each, any and every time you make a change to this sftp-config.json, it gets UPLOADED TO THE SERVER.

There is no way around this security hole given the current structure of the SFTP Plug-in.

The solution needs to be that the sftp-config.json gets stored above the document root.

Ideally, we would be able to store this file in the same place that the server credentials copy of the sftp-config.json gets stored so we do not need to have 2 copies of it on our local machine.

Currently, on a Win7 machine, the sftp server file also exists at C:\Users\{username}\AppData\Roaming\Sublime Text 3\Packages\User\sftp_servers

The server configuration file needs to exist once and in a local folder that is not a compromise to site security.

There is no reason the sftp-config.json file needs to reside on the server. I saw thread posts above on preventing browser access via .htaccess file and apache directives. Essentially, they miss the point that having this open text file floating around on the server with FTP credentials is serious business. The root problem needs to be addressed -- not server-side patchwork to make up for the plug-in's shortcoming.
sme
 
Posts: 8
Joined: Tue Dec 17, 2013 3:17 am

Re: Warning! SublimeText + sFTP

Postby wbond on Tue Dec 17, 2013 4:09 am

I am aware of the feature request to store configuration in a different location than the local root of your project. It is on the list for the next feature release. I have also been working on the integration of various operating system password vaults to use for storing passwords in.

As I explained above - with the default configuration, there is no security hole. The sftp-config.json is ignored unless the user explicitly opens the file, or right-clicks on it and uploads it.

It certainly is possible that if you use the FTP protocol and use another FTP program and upload your credentials file to the server it will be visible. I would recommend against doing so. If you use the SFTP package and don't blow away the default ignore settings, this won't be a problem. If instead you insist on using another FTP program and uploading a whole folder at a time, you have a few choices:

  • Use the SFTP protocol and an SSH key so that your password is not stored in sftp-config.json. The FTP protocol is a bad idea anyway since it sends your credentials in the clear.
  • Set your other FTP program to ignore sftp-config.json.
  • Use a separate checkout of your code with other editors/FTP programs.
  • Don't set the root of your project as your document root. Many projects contain other passwords in them - having your project root be one folder above your document root is a good idea.
  • Stop using the SFTP package until the next version comes out.
wbond
 
Posts: 532
Joined: Mon Feb 28, 2011 5:33 am
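The check below is an added example, not code from the thread or from the SFTP package. It ties together iamntz's list of sensitive files and wbond's advice (use SFTP with a key, keep the default ignore settings, do not bulk-upload a tree that contains sftp-config.json): it walks a project tree the way a bulk FTP upload would, finds every sftp-config.json, and reports which ones would leak credentials if copied to the web root. The assumed file layout (JSON with "type", "host", "user", "password", "ssh_key_file" and "ignore_regexes" keys, plus full-line // comments) and the assumed default ignore list are assumptions drawn from the thread; compare them with the file your own installation writes. The sample configs, hosts and credentials are constructed.

```python
"""Pre-upload check for Sublime SFTP credential files (added example, not the package's own code)."""
import json
import os
import re
import tempfile

# Names the thread singles out as sensitive (constructed list based on the thread).
SENSITIVE_FILES = {"sftp-config.json", ".htaccess", ".gitignore"}
SENSITIVE_DIRS = {".git", ".sass-cache", "node_modules"}

# Default ignore list of the SFTP package as assumed here (an assumption; check your own file).
# The thread's point: if a user deletes this list, the package itself would upload the config.
ASSUMED_DEFAULT_IGNORE = [r"sftp-config(-alt\d?)?\.json", r"\.git/", r"\.sublime-(project|workspace)"]

# The package writes full-line // comments into the file (assumption); json.loads rejects those.
COMMENT_LINE = re.compile(r"^\s*//.*$", re.MULTILINE)


def parse_config(text):
    """Parse an sftp-config.json body after stripping full-line // comments."""
    return json.loads(COMMENT_LINE.sub("", text))


def is_ignored(relpath, ignore_regexes):
    """Model of the ignore_regexes check as assumed here: skipped if any regex matches the path."""
    return any(re.search(rx, relpath) for rx in ignore_regexes)


def assess_config(text):
    """Findings for one sftp-config.json body; an empty list means no secret would leak."""
    try:
        cfg = parse_config(text)
    except ValueError:
        return ["not parseable as JSON; still do not upload it"]
    findings = []
    if cfg.get("type", "sftp") == "ftp":
        findings.append("type is ftp: credentials are sent in the clear on every connect")
    if cfg.get("password"):
        findings.append("stores a plaintext password for %s@%s" % (cfg.get("user"), cfg.get("host")))
    if not is_ignored("sftp-config.json", cfg.get("ignore_regexes", [])):
        findings.append("ignore_regexes no longer excludes sftp-config.json: the package itself would upload it")
    return findings


def scan_tree(root):
    """Walk a project tree as a bulk upload would; return {relative path: [findings]}."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in list(dirnames):
            if d in SENSITIVE_DIRS:
                rel = os.path.normpath(os.path.join(rel_dir, d)).replace(os.sep, "/") + "/"
                report[rel] = ["whole directory would be exposed on the server"]
                dirnames.remove(d)  # the directory itself is the finding; no need to descend
        for name in filenames:
            if name not in SENSITIVE_FILES:
                continue
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if name == "sftp-config.json":
                with open(os.path.join(dirpath, name)) as fh:
                    report[rel] = assess_config(fh.read()) or ["no secrets, but still should not be on the server"]
            else:
                report[rel] = ["should not be web-readable: confirm the server denies access"]
    return report


# Constructed sample configs; hosts and credentials are invented for the demonstration.
FTP_WITH_PASSWORD = """{
    // The tab key will cycle through the settings when first created
    "type": "ftp",
    "host": "ftp.example.invalid",
    "user": "deploy",
    "password": "hunter2",
    "port": "21",
    "remote_path": "/htdocs/",
    "ignore_regexes": []
}
"""
SFTP_WITH_KEY = json.dumps({
    "type": "sftp", "host": "sftp.example.invalid", "user": "deploy",
    "ssh_key_file": "~/.ssh/id_rsa", "remote_path": "/srv/site/",
    "ignore_regexes": ASSUMED_DEFAULT_IGNORE,
}, indent=4)


def build_sample_tree():
    """Create a throwaway project tree holding the two constructed configs; return its path."""
    root = tempfile.mkdtemp(prefix="sftp-demo-")
    os.makedirs(os.path.join(root, ".git"))
    os.makedirs(os.path.join(root, "public"))
    with open(os.path.join(root, "sftp-config.json"), "w") as fh:
        fh.write(FTP_WITH_PASSWORD)
    with open(os.path.join(root, "public", "sftp-config.json"), "w") as fh:
        fh.write(SFTP_WITH_KEY)
    with open(os.path.join(root, "public", ".htaccess"), "w") as fh:
        fh.write("# placeholder\n")
    return root


if __name__ == "__main__":
    for path, findings in sorted(scan_tree(build_sample_tree()).items()):
        print(path)
        for finding in findings:
            print("   -", finding)
```

Run it against the folder you hand to your FTP client before a bulk upload; anything it lists is a file the thread says should never reach the document root, and the sftp-config.json findings tell you whether the copy on the server would carry a usable password.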
