Is "Stable File Manager" Safe?

Community support
#1

“Stable File Manager”, if I am not mistaken, stores a password in plain text. That’s clearly not a good idea, somebody who manages to compromise the 000webhost so that he can see the PHP codes can, if I use Stable File Manager, also modify my website.
I am not sure what would be a secure solution, though. Here is how I attempted to securely store my password on my website:

    <?php
$json=$_POST["password"];
if (!file_exists("key.txt"))
	exit("Cryptographic key appears not to have been generated before this program was executed. Something went very wrong.");
$file=fopen("key.txt","r");
$key=fscanf($file,"%d")[0];
$key0=$key%256;
$key1=$key/256;
fclose($file);
unlink("key.txt");
$password="";
$json=json_decode($json);
for ($i=0; $i<count($json); $i++)
    $password=$password.chr($json[$i]^(($i%2)?($key0):($key1)));
$typable=1;
for ($i=0; $i<strlen($password); $i++)
    if (!(substr($password,$i)>="0" && substr($password,$i)<="9"
          || substr($password,$i)>='a' && substr($password,$i)<='z'
          || substr($password,$i)>='A' && substr($password,$i)<='Z'
          || substr($password,$i)==' '))
    $typable=0;
$hash=0;
for ($i=0; $i<strlen($password); $i++)
    $hash=($hash*127+ord(substr($password,$i)))%9907;
if ($hash!=5834 || !$typable)
    exit("Incorrect password! Hint: The correct password is a short description of Digital Physics.");
$count=0;
for ($i=0; $i<100; $i++)
    if (file_exists("download".$i.".asm"))
        $count+=unlink("download".$i.".asm");
echo "$count files deleted!";
?>

And here is the JavaScript I used, copied from http://flatassembler.000webhostapp.com/compiler.html (with Croatian comments removed):

function resetBackEnd()
        {
            sessionID=Math.floor(Math.random()*100);
            if (!window.XMLHttpRequest)
            {
                alerted=1;
                alert("Emitter error: Your browser doesn't appear to support the JavaScript 'XMLHttpRequest' object. Connecting to the server using the ActiveX controls is not secure.");
                return;
            }
            var password=prompt("Enter password (known by Teo Samarzija):");
            document.getElementById("AJAXmessage").style.display="inline";
            var xmlHTTP=new XMLHttpRequest();
            xmlHTTP.password=password;
            xmlHTTP.open("POST", "oneTimeKey.php", true);
            xmlHTTP.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
            xmlHTTP.send("sessionId="+sessionID);
            xmlHTTP.onreadystatechange=function()
            {
                if (this.readyState==4) {
                    var oneTimeKey=this.responseText*1-sessionID-sessionID*256;
                    var json="[";
                    var password=this.password;
                    for (var i=0; i<password.length; i++)
                        json+=(password.charCodeAt(i)^((i%2)?(oneTimeKey%256):(oneTimeKey/256)))+((i<password.length-1)?(","):("]"));
                    var xmlHttp=new XMLHttpRequest();
                    xmlHTTP.open("POST", "deleteDownloads.php", true);
                    xmlHTTP.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
                    xmlHTTP.send("password="+json+"&sessionId="+sessionID);
                    xmlHTTP.onreadystatechange=function(){
                        if (this.readyState==4)
                            alert("Emitter message: The server apparently responded with \""+this.responseText+((this.status-200)?(" (Error "+this.status+")"):"")+"\".");
                        document.getElementById("AJAXmessage").style.display="none";
                    }
                }
            }
        }

I believe that’s far more secure than what “Stable File Manager” is currently doing. Do you think I am wrong?

#2

@ckhawand could advise, if they’ve gained access to your files to be able to read the contents of PHP ones then seeing plaintext would be the least of your worries?
I recommend using a completely random username and password as well as making the filemanager.php file completely random along with the directory and even then you could .htaccess protect it.

Like I said if they’ve managed to see the plain text inside a PHP file they’ve likely got access to your account anyway so they wouldn’t need the file manager details which should be uniquely generated just for this file anyway if you share passwords with other things that is the user’s own issue…?

#3

As @Infinity mentioned, we recommend using random usernames and passwords.

#4

@Teo123 make sure you enter the cPanel of 000webhost once every three months, currently your account is showing no logins since April which is pushing it into the inactive category.