[GH-ISSUE #991] Excluded files and folders can still be accessed and downloaded #638

New issue

Open

opened 2026-03-02 16:00:27 +03:00 by kerem · 1 comment

kerem commented

2026-03-02 16:00:27 +03:00

Owner

Originally created by @ner00 on GitHub (Mar 19, 2023).
Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/991

If a user replaces the folder or filename using the browser's element inspector, he can still access or download it. One of the most immediate and easy exploits would be the possibility of downloading the tinymanager PHP script itself containing the password hashes.

Originally created by @ner00 on GitHub (Mar 19, 2023). Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/991 If a user replaces the folder or filename using the browser's element inspector, he can still access or download it. One of the most immediate and easy exploits would be the possibility of downloading the tinymanager PHP script itself containing the password hashes.

kerem commented

2026-03-02 16:00:28 +03:00

Author

Owner

@ner00 commented on GitHub (Jun 11, 2023):

This is still a security issue.

@ner00 commented on GitHub (Jun 11, 2023): This is still a security issue.