Password generator sends password to external service

[MichalKowalczyk]

Password generator linked in docs: tinyfilemanager.github.io/docs/pwd.html sends requests with our passwords in the URL parameters: https://tinyfilemanager.alwaysdata.net/pwd.php?callback=jQuery3215432994212342044_1733443351&pwd=my_secred_password&_=272329541252

This is a significant vulnerability.

Is it really necessary to send a password in the URL parameters to an external service? This practice poses a serious risk of a data leak.

[devnull4242]

Yes i think the problem is:

$.ajax({
    type: "GET",
    url: "http://tinyfilemanager.alwaysdata.net/pwd.php",
    data: 'pwd='+pwd,
    dataType: 'jsonp',
    cache: false,
    // ...
});

I think a problem is that bcrypt is not supported in client side JavaScript. I do not like the user authentication in Tiny File Manager. I always deactivate it and use Htaccess from my browser. Htaccess can also use bcrypt. But it also supports e.g. SHA-256. That is not so good but it can be generated with JavaScript.

Also you can generate bcrypt and SHA-256/512 with htpasswd on linux client side:

bcrypt client generator: htpasswd -B /path/to/.htpasswd username

crypt() client generator: htpasswd -d /path/to/.htpasswd username

Interesting: http://tinyfilemanager.alwaysdata.net is a demo version of Tiny File Manager. But i can not found pwd.php there i think because it is hide in Tiny File Manager configuration e.g. with $exclude_items.

To be honest, it must be said that information about the server used by the user is not known. None of this helps an attacker very much.

In the end, it may be a trade-off. For example, bcrypt is very secure and generation is otherwise difficult for many users. But you could at least point this out on the page mentioned.