Yup, in fact, probably all stats services able to publicaly broadcast the stats are “vulnerable”.

Yup, it is also true for the session ID. However, this one is the problem of the webdeveloper. It depends on how his system is builded and how he handle the sessions ID.

Salutations,

Fred

Even sitemeter has the same problem. It is not only limited to FTP username and password even session id which are passed in the url can be retrived if the stats are opened as public

Definitely. It could be a good fix. The problem I see is that people would not know what the feature is for, then would not use it. Another solution should be to trick the HTTP request’s header to hide the came from URL field (or something like that, I do not remember of the exact name of the field) of the HTTP request.

Salutations,

Fred

Another option would be for the AceFTP software to have a property like “Root URL” to specify where is the content of the FTP site available on the web. So if you ask for a preview of, let say “/home/mysite/public_html/index.html”, it knows that this is available online at “http://www.mysyte.com/index.html”. It would do the translation for you and use the HTTP protocol, instead of using the FTP protocol.

(This last sentence reads ok, but if you stop and think about it, the “P” of HTTP and FTP stands for “protocol” so it becomes pretty redundant!)

Alex