What happened to WebFTP


#1

I’ve been using WebFTP to delete big folders on my site because it seems to be faster that using an outside FTP client.
In addition, I appreciated the ability to zip up and save files from on line to my home machine
But suddenly… that link is no longer available on the Manage Domains screen.
Now the links are just:
DNS | Visit | FTP | Add IP

Did it get moved? or is it no longer available. (which would be sad)

What’s the story?


#2

Hmm you are correct it seems. The FTP link just lets you use your browser’s capability. I hardly ever used the webftp thing. For deleting or moving many files ssh is much better. Its just a matter of learning command line. You would be able to do all the stuff you use to do via ssh (once you learn the commands). Google is your friend. I would enable ssh for your user if you have not already.


#3

I visited my long lost friend, the status blog:
http://www.dreamhoststatus.com/2011/10/04/webftp-temporarily-disabled/


#4

personally I’m glad it has been shut down. I realise the convenience, etc, etc, but it’s a security flaw, IMHO, when every domain is automatically set up with a backdoor to the files (webFTP) and database (phpMyAdmin) whether the user asks for it or not. phpMyAdmin is worse because it’s not going to use SSL unless your site does. At least webFTP went over DH’s SSL connection. I had support disable access to both of these on all of my sites because they represent just one more thing that can go wrong. I trust DH to take care of server security, but less is more. Let them focus on Apache, PHP, etc. rather than expanding to extra interfaces to our data that are automatically enabled. That’s the part that gets me. If people want to use phpMyAdmin and send their passwords in the clear, which I did until I understood what was really going on, then fine. But let people enable these things individually with a warning.


#5

For what it’s worth, WebFTP wasn’t exactly a “back door” to the files — it was literally just an FTP client written in PHP, and as such required that you enter the FTP username and password to log in, just like phpMyAdmin.

That being said, the software we were using (Net2FTP) turned out to have some significant security issues which haven’t been addressed by the authors. We’re currently looking for replacements, but it’s not clear that any good ones exist. We’ll let you know once we have something figured out.


#6

That’s true. I can’t edit my previous post, but I should have said ‘potential’ back door. Both webFTP and phpMyAdmin are just clients, but if some security flaw is found where it leaks data or somehow connects to unauthorised accounts or something… I’d rather not have the automatic risk added to each one of my domains unless I specifically add it because I want the increased convenience. I’ve been spooked by all the reports of sites being hacked and our good friends at lulzsec, so I’ve tried to decrease the number of possible entry points. I’m working on improving containment now…