zer0h
Hi, I originally reported the issue. The issue mentioned in my report was about an IDOR where a potential attacker could download encrypted files and crack them offline. I think...
I will do it later, thank you. But I'm thinking of another solution, way simpler: simply adding authentication when accessing the encrypted json file, as it's already done for...
> hmm no http://localhost:3000/2507a65aac91 does not require a password - it renders the download-app, fetches the json and requires the user to enter the password to decrypt the json My...
I think it's definitely possible to use the old mechanism (where the client fetches the .json file) and still use client side decryption, but the user would receive the AES...
I may be totally wrong, but the original issue I saw was that if someone uses your project on a publicly available webserver, then any attacker could download AES...
Hi @prasathmani, two other vulnerabilities were found in your repo, please check:
- https://huntr.dev/bounties/4-other-prasathmani/tinyfilemanager/
- https://huntr.dev/bounties/5-other-prasathmani/tinyfilemanager/
Best regards,
Thank you so much @psmoros ❤