zer0h

Results 7 comments of zer0h

Hi, I originally reported the issue. The issue mentioned in my report was about an IDOR where a potential attacker could download encrypted files and crack them offline. I think...

I will do it later, thank you. But I'm thinking of another solution, way simpler: simply adding authentication when accessing the encrypted json file as it's already done for...

> hmm no http://localhost:3000/2507a65aac91 does not require a password - it renders the download-app, fetches the json and requires the user to enter the password to decrypt the json My...

I think it's definitely possible to use the old mechanism (where the client fetches the .json file) and still use client side decryption, but the user would receive the AES...

I may be totally wrong, but the original issue I saw was that if someone uses your project on a publicly available webserver, then any attacker could download AES...

Hi @prasathmani, two other vulnerabilities were found in your repo, please check:
- https://huntr.dev/bounties/4-other-prasathmani/tinyfilemanager/
- https://huntr.dev/bounties/5-other-prasathmani/tinyfilemanager/
Best regards,

Thank you so much @psmoros ❤