Introduction
This bounty program is for the FileZilla Client, FileZilla Server and the libfilezilla library.
Disclosure Policy
- Follow HackerOne's disclosure guidelines.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Please provide detailed reports with reproducible steps demonstrating a plausible exploitation scenario. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- The project maintainers have final decision on which issues constitute security vulnerabilities.
Exclusions
Beware: We do not accept submissions created using an AI
While researching, we'd like to ask you to refrain from:
- Denial of service
- Spamming
- Social engineering (including phishing) against anybody associated with the FileZilla project
- Any physical attempts against the property of the FileZilla project and its members.
Scope
The bug bounty program covers only:
- The fully free open source version of the FileZilla Client as found on https://filezilla-project.org/download.php?type=client&show_all=1 and the source code repository described on https://filezilla-project.org/sourcecode.php. Other versions of FileZilla are not in the scope of this bounty program.
- The fully free open source version of the FileZilla Server as found on https://filezilla-project.org/download.php?type=server&show_all=1
- libfilezilla as available from https://lib.filezilla-project.org/download.php
All reported bugs must have a security impact. If you encounter ordinary bugs without security impact, please report them on https://trac.filezilla-project.org/
Out of Scope
- Outdated versions of the software
- Services running on the filezilla-project.org and filezillapro.com domains and their subdomains
- Exploits which rely on the assumption that the attacker already has access to the user account FileZilla is run under on the victims system.
- "Layer 8" issues. Always assume the user is making informed decisions if he is given the information to do so.
The following components are also explicitly not in the scope:
- The src/storj sub-directory of FileZilla Client and the libstorj dependency
- The src/putty sub-directory of FileZilla Client contains a modified code from PuTTY. Issues inherited from PuTTY are not in scope. Note: Issues in the modifications specific to FileZilla still are in scope.
Submission guidelines
While FileZilla products are cross-platform, vulnerabilities are to be evaluated given contemporary computer architectures.
Submissions must include either:
- A detailed explanation explaining the vulnerability based on the source code
- Simple steps to reproduce the vulnerability without requiring the reproducing party to use specialized tools
- A proof-of-concept (PoC)
FileZilla Client technical overview
Building FileZilla
FileZilla uses the GNU autotools as build system.
It, as well as almost all its dependencies, can be built using the familiar configure && make && make install trinity.
The following two guides have recently been updated and can be used to build FileZilla:
Dependencies
FileZilla Client directly depends on the following libraries:
- libfilezilla: base library for many things such as networking, file i/o, string utilities and the main event system
- wxWidgets: GUI framework
- GnuTLS (via libfilezilla): TLS
- Nettle (via libfilezilla): Various cryptographic functions used e.g. for the master password functionality
- pugixml: DOM-style XML parser. XML is used to store settings
Architecture
FileZilla is organized in different components. The most important components are, identified by subdirectory:
src/engine: The protocol implementations
src/engine/ftp: FTP specific functionality
src/engine/sftp: SFTP specific functionality, wraps around fzsftp
src/engine/http: Everything specific to HTTP functionality
src/interface: The user interface and controlling logic such as the transfer queue
src/putty: Source for fzsftp, a heavily modified version of PuTTY's psftp
src/fzshellext: The Windows shell extension to facilitate drag and drop from Explorer into FileZilla.
Interesting places
Due to their importance or complexity, we think these parts of the code warrant a closer look:
FileZilla:
src/engine/directorylistingparser.cpp: The directory listing parser
src/interface/updater.cpp: The update mechanism
src/engine/http/request.cpp: The HTTP state machine capable of request pipelining
libfilezilla
tls_layer_impl::verify_certificate in lib/tls_layer_impl.cpp: Certificate verification
lib/encryption.cpp: The asymmetric encryption scheme used for the master password functionality
FileZilla Server technical overview
Building FileZilla Server
Similar to building FileZilla Client. If you are able to build the client, you are able to build the server.
Dependencies
FileZilla Server directly depends on the following libraries:
- libfilezilla: base library for many things such as networking, file i/o, string utilities and the main event system
- wxWidgets: GUI framework
- GnuTLS (via libfilezilla): TLS
- Nettle (via libfilezilla): Various cryptographic functions used
- pugixml: DOM-style XML parser. XML is used to store settings
Architecture
FileZilla Server is organized in different components. It comes in the form of two programs: the FTP server service itself, and a separate administration user interface.
The most important components are, identified by subdirectory:
src/filezilla, src/server: The server functionality itself.
src/gui: The administration user interface
Rewards
Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity.
Specific to FileZilla and libfilezilla
| SEVERITY | CVSS SCORE | REWARD |
|---|---|---|
| Critical | 9.0 - 10.0 | $5000 |
| High | 7.0 - 8.9 | $2500 |
| Medium | 4.0 - 6.9 | $1000 |
| Low | 0.1 - 3.9 | $250 |
Specific to FileZilla Server
| SEVERITY | CVSS SCORE | REWARD |
|---|---|---|
| Critical | 9.0 - 10.0 | $2000 |
| High | 7.0 - 8.9 | $1000 |
| Medium | 4.0 - 6.9 | $500 |
| Low | 0.1 - 3.9 | $250 |
Examples for vulnerabilities
Critical severity bugs
- Remote Code Execution over an unauthenticated channel
High severity bugs
- Code Execution over an authenticated channel
- Information leaks of private data such as file contents
Medium severity bugs
- Remotely triggered crashes
- Remotely triggered infinite loops
Low severity bugs
- Memory leaks
- Crashes as result of user action
- User-initiated infinite loops
No reward for leak of public information:
- File names, their sizes and modification times
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If you have any questions or concerns on this challenge, please contact [email protected].
Thank you for helping keep FileZilla and our users safe!