“Stable File Manager”, if I am not mistaken, stores a password in plain text. That’s clearly not a good idea: somebody who manages to compromise 000webhost so that he can see the PHP code can, if I use Stable File Manager, also modify my website.
I am not sure what would be a secure solution, though. Here is how I attempted to securely store my password on my website:
<?php
// Read the JSON-encoded, XOR-obfuscated password sent by the browser.
$json = $_POST["password"];
if (!file_exists("key.txt"))
    exit("Cryptographic key appears not to have been generated before this program was executed. Something went very wrong.");
$file = fopen("key.txt", "r");
$key = fscanf($file, "%d")[0];
$key0 = $key % 256;          // low byte of the one-time key
$key1 = intdiv($key, 256);   // high byte; $key/256 would give a float, which does not XOR correctly
fclose($file);
unlink("key.txt");           // the key is single-use
$password = "";
$json = json_decode($json);
if (!is_array($json))
    exit("Malformed request.");
for ($i = 0; $i < count($json); $i++)
    $password .= chr($json[$i] ^ (($i % 2) ? $key0 : $key1));
// Only accept passwords made of letters, digits and spaces.
$typable = 1;
for ($i = 0; $i < strlen($password); $i++) {
    $c = substr($password, $i, 1);   // one character; without the length argument substr() returns the whole remainder
    if (!($c >= "0" && $c <= "9"
        || $c >= 'a' && $c <= 'z'
        || $c >= 'A' && $c <= 'Z'
        || $c == ' '))
        $typable = 0;
}
// Simple polynomial hash of the password, compared against a constant.
$hash = 0;
for ($i = 0; $i < strlen($password); $i++)
    $hash = ($hash * 127 + ord(substr($password, $i, 1))) % 9907;
if ($hash != 5834 || !$typable)
    exit("Incorrect password! Hint: The correct password is a short description of Digital Physics.");
$count = 0;
for ($i = 0; $i < 100; $i++)
    if (file_exists("download" . $i . ".asm"))
        $count += unlink("download" . $i . ".asm");
echo "$count files deleted!";
?>
And here is the JavaScript I used, copied from http://flatassembler.000webhostapp.com/compiler.html (with Croatian comments removed):
function resetBackEnd()
{
    sessionID = Math.floor(Math.random() * 100);   // global, shared with the rest of compiler.html
    if (!window.XMLHttpRequest)
    {
        alerted = 1;
        alert("Emitter error: Your browser doesn't appear to support the JavaScript 'XMLHttpRequest' object. Connecting to the server using the ActiveX controls is not secure.");
        return;
    }
    var password = prompt("Enter password (known by Teo Samarzija):");
    document.getElementById("AJAXmessage").style.display = "inline";
    // First request: ask the server for a one-time key.
    var xmlHTTP = new XMLHttpRequest();
    xmlHTTP.password = password;
    xmlHTTP.open("POST", "oneTimeKey.php", true);
    xmlHTTP.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlHTTP.send("sessionId=" + sessionID);
    xmlHTTP.onreadystatechange = function()
    {
        if (this.readyState == 4) {
            // The server adds sessionID + sessionID*256 to the key; strip that off again.
            var oneTimeKey = this.responseText * 1 - sessionID - sessionID * 256;
            // XOR each character with the low or high byte of the key (the ^ operator
            // truncates oneTimeKey/256 to an integer) and send the result as a JSON array.
            var json = "[";
            var password = this.password;
            for (var i = 0; i < password.length; i++)
                json += (password.charCodeAt(i) ^ ((i % 2) ? (oneTimeKey % 256) : (oneTimeKey / 256))) + ((i < password.length - 1) ? "," : "]");
            // Second request: use a fresh request object for the actual deletion.
            var xmlHttp = new XMLHttpRequest();
            xmlHttp.open("POST", "deleteDownloads.php", true);
            xmlHttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
            xmlHttp.send("password=" + json + "&sessionId=" + sessionID);
            xmlHttp.onreadystatechange = function() {
                if (this.readyState == 4) {
                    alert("Emitter message: The server apparently responded with \"" + this.responseText + ((this.status - 200) ? (" (Error " + this.status + ")") : "") + "\".");
                    document.getElementById("AJAXmessage").style.display = "none";
                }
            }
        }
    }
}
I believe that’s far more secure than what “Stable File Manager” is currently doing. Do you think I am wrong?
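For comparison, here is an added example (not the poster's code) of the standard PHP approach: the server keeps only a bcrypt digest produced by password_hash() and checks submissions with password_verify(), so neither the PHP source nor the hash file reveals the password. The hash file location and the download directory are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes the digest lives outside the
// web root (../private/admin.hash, an assumed path) and was created once with:
//   php -r 'echo password_hash("the real password", PASSWORD_DEFAULT), "\n";'
declare(strict_types=1);

const HASH_FILE    = __DIR__ . '/../private/admin.hash';   // assumed path
const DOWNLOAD_DIR = __DIR__;                               // where downloadN.asm files live

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

$stored = @file_get_contents(HASH_FILE);
if ($stored === false) {
    http_response_code(500);
    exit('Password hash file missing; refusing to run.');
}
$stored = trim($stored);

$password = $_POST['password'] ?? '';
// password_verify() compares against the bcrypt digest in constant time.
if (!is_string($password) || !password_verify($password, $stored)) {
    usleep(250000);             // slows down repeated online guessing a little
    http_response_code(403);
    exit('Incorrect password!');
}

// Re-hash transparently if PHP's default bcrypt cost has been raised since.
if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
    file_put_contents(HASH_FILE, password_hash($password, PASSWORD_DEFAULT) . "\n");
}

// Delete only files matching the expected pattern in the expected directory.
$count = 0;
foreach (glob(DOWNLOAD_DIR . '/download[0-9]*.asm') ?: [] as $path) {
    if (is_file($path) && unlink($path)) {
        $count++;
    }
}
echo "$count files deleted!";
```

With this the browser POSTs the password itself over HTTPS; TLS protects it in transit, so the one-time XOR step and the key file are no longer needed.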