Introduction

This project has been sponsored by the European Commission as part of the EU-Free and Open Source Software Auditing (EU-FOSSA) project designed to improve the security of free software. This program will be open for submissions for 8 weeks, though rewards may be processed beyond the 8 week period in order to allow for full evaluation of the impact of valid vulnerability reports.

Note: This program has now been extended for a further two months to 21 July 2019.

Disclosure Policy

• Follow HackerOne's disclosure guidelines.
• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Please provide detailed reports with reproducible steps demonstrating a plausible exploitation scenario. * If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• The project maintainers have final decision on which issues constitute security vulnerabilities. We will respect their decision, and we ask that you do as well.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
• Spamming
• Social engineering (including phishing) of euf_demo staff or contractors
• Any physical attempts against euf_demo property or data centers

Scope

The bug bounty program will test only the fully free open source version of FileZilla as found on https://filezilla-project.org/download.php?type=client&show_all=1 and the source code repository described on https://filezilla-project.org/sourcecode.php which includes the libfilezilla library. Other versions of the program are not in the scope of this testing.

Out of Scope

• Exploits which rely on the assumption that the attacker already has access to the victims system.

The following components are also explicitly not in the scope:

• The src/storj sub-directory of FileZilla and the libstorj dependency
• The src/putty sub-directory of FileZilla contains a modified code from PuTTY. Issues inherited from PuTTY are not in scope. Note: Issues in the modifications specific to FileZilla still are in scope.

POC

Vulnerabilities are to be evaluated given contemporary computer architectures.

The PoC must work on the respective repository trunk heads or the latest released version. Older builds are explicitly out of scope.

FileZilla technical overview

Building FileZilla

FileZilla uses the GNU autotools as build system.

It, as well as almost all its dependencies, can be built using the familiar configure && make && make install trinity.

The following two guides have reently been updated and can be used to build FileZilla:

• Debian and derived: https://wiki.filezilla-project.org/Compiling_FileZilla_3_and_Getting_Dependencies_on_Linux
• Windows: https://wiki.filezilla-project.org/Cross_Compiling_FileZilla_3_for_Windows_under_Ubuntu_or_Debian_GNU/Linux

Dependencies

FileZilla directly depends on the following libraries:

• libfilezilla: base library for many things such as file i/o, string utilities and the main event system
• wxWidgets: GUI framework
• GnuTLS: TLS
• Nettle: Various cryptographic functions used e.g. for the master password functionality
• pugixml: DOM-style XML parser. XML is used to store settings
• SQlite: SQL database, used to persist the transfer queue

Architecture

FileZilla is organized in different components. The most important components are, identified by subdirectory:

• src/engine: The protocol implementations
• src/engine/ftp: FTP specific functionality
• src/engine/sftp: SFTP specific functionality, wraps around fzsftp
• src/engine/http: Everything specific to HTTP specific functionalit
• src/interface: The user interface and controlling logic such as the transfer queue
• src/putty: Source for fzsftp, a heavily modified version of PuTTY's psftp
• src/fzshellext: The Windows shell extension to facilitate Drag&drop from Explorer into FileZilla.

Interesting places

FileZilla:

• src/engine/directorylistingparser.cpp: The directory listing parser in
• CTlsSocketImpl::VerifyCertificate in src/engine/tlssocket_impl.cpp: Certificate verification
• src/interface/updater.cpp: The update mechanism
• src/engine/http/request.cpp: The HTTP state machine capable of request pipelining

libfilezilla

• lib/encryption.cpp: The asymmetric encryption scheme used for the master password functionality

Rewards

A bonus structure is in place from the 14th of June - 14th of July 2019

Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.

Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.

Critical severity bugs - €5000 €7500

• Remote Code Execution

High severity bugs - €2500 €3250

• Code Execution without user intervention

Medium severity bugs - €1000 €1300

• Code Execution with user intervention
• High-impact Crashes
• Infinite loops

Low severity bugs - €250 €325

• Information leaks
• Crashes
• OOM

Bonus

There is a 20% bonus for including a fix in the report when accepted by the maintainers.

Note: The 20% bonus is calculated off the new bonus structure.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If you have any questions or concerns on this challenge, please contact [email protected].

Thank you for helping keep FileZilla and our users safe!