Security flaw

I think I discovered a small security flaw. When changing the password, a logout is not performed on all the devices of the file manager.

My website URL is: hard-questions.com

What I’m seeing is:

I’m using this software:

Additional information:

In which software?

1 Like

The file manager doesn’t manage the password, it just stores your FTP password in your session. If you change the FTP password through the client area, or the FTP credentials stop working for some other reason, the file manager will not be able to do anything anymore.

It’s not exactly the same as a clean logout. But the previous FTP credentials will stop working, so anyone who is already logged in won’t be able to use the file manager anymore, so I don’t think there is any notable security risk.

And note that the password change can take a few minutes to go through all systems. So the file manager might not kick you out the moment you hit the button.

2 Likes
