Excluded files and folders can still be accessed and downloaded

[ner00]

If a user replaces the folder or filename using the browser's element inspector, he can still access or download it. One of the most immediate and easy exploits would be the possibility of downloading the tinymanager PHP script itself containing the password hashes.

[ner00]

This is still a security issue.