[GH-ISSUE #1225] Password generator sends password to external service #787

Open
opened 2026-03-02 16:01:26 +03:00 by kerem · 1 comment

Originally created by @MichalKowalczyk on GitHub (Aug 26, 2024).
Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/1225

Password generator linked in docs: [tinyfilemanager.github.io/docs/pwd.html](https://tinyfilemanager.github.io/docs/pwd.html) sends requests with our passwords in the URL parameters:
https://tinyfilemanager.alwaysdata.net/pwd.php?callback=jQuery3215432994212342044_1733443351&pwd=my_secred_password&_=272329541252

This is a significant vulnerability.

Is it really necessary to send a password in the URL parameters to an external service? This practice poses a serious risk of a data leak.


@devnull4242 commented on GitHub (Aug 30, 2024):

Yes, I think the problem is:

```javascript
$.ajax({
    type: "GET",
    url: "http://tinyfilemanager.alwaysdata.net/pwd.php",
    data: 'pwd='+pwd,
    dataType: 'jsonp',
    cache: false,
    // ...
});
```

I think a problem is that **bcrypt** is not supported in client-side JavaScript. I do not like the user authentication in Tiny File Manager. I always deactivate it and use Htaccess from my browser. Htaccess can also use bcrypt. But it also supports e.g. SHA-256. That is not so good, but it can be generated with JavaScript.

Also, you can generate bcrypt and SHA-256/512 with **htpasswd** on a Linux client:

bcrypt client generator:
`htpasswd -B /path/to/.htpasswd username`

crypt() client generator:
`htpasswd -d /path/to/.htpasswd username`

Interesting: http://tinyfilemanager.alwaysdata.net is a demo version of Tiny File Manager. But I cannot find `pwd.php` there; I think it is hidden in the Tiny File Manager configuration, e.g. with $exclude_items.

To be honest, it must be said that information about the server used by the user is not known. None of this helps an attacker very much.

In the end, it may be a trade-off. For example, bcrypt is very secure and generation is otherwise difficult for many users. But you could at least point this out on the page mentioned.
