PHP Advanced Transfer Manager 1.00 through 1.30 stores sensitive information, including password hashes, under the web root with insufficient access control, which allows remote attackers to download each password hash via a direct request for a users/[USERNAME] file.
PHP Advanced Transfer Manager (phpATM) /users/ Direct Request Password Hash Disclosure
Remote / Network Access
Loss of Confidentiality
PHP Advanced Transfer Manager contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when an attacker directly requests a user file (/users/[name]), which discloses the encrypted password hash for that user, resulting in a loss of confidentiality.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
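With no fix available, one way to tell whether user files have already been served is to review the web server access log for direct requests to /users/[name] that returned content. The following is an added example, not part of the original advisory or of phpATM; it assumes Apache/nginx "combined" log format and that no legitimate client fetches these files directly, and the /phpatm/ prefix, addresses and user names in the sample are constructed.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A file directly inside a users/ directory, under any install prefix.
USER_FILE_RE = re.compile(r'(?:^|/)users/(?P<name>[^/]+)$', re.IGNORECASE)

def user_file_requested(target):
    """Return the requested users/ file name, or None if the path is not one."""
    path = unquote(urlsplit(target).path)      # drop query string, decode %xx
    path = normpath('/' + path.lstrip('/'))    # collapse //, ./ and ../
    m = USER_FILE_RE.search(path)
    return m.group('name') if m else None

def find_disclosures(lines):
    """Map client IP -> sorted user file names the server actually returned."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        name = user_file_requested(m.group('target'))
        size = 0 if m.group('size') == '-' else int(m.group('size'))
        # Only a 2xx response with a body means the file content left the server.
        if name and m.group('status').startswith('2') and size > 0:
            hits[m.group('ip')].add(name)
    return {ip: sorted(names) for ip, names in hits.items()}

# Constructed sample log lines (documentation addresses, made-up user names).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /phpatm/users/alice HTTP/1.1" 200 142 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /phpatm//users/%62ob?x=1 HTTP/1.1" 200 139 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /phpatm/users/carol HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2024:10:05:00 +0000] "GET /phpatm/index.php?action=users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:05:09 +0000] "GET /phpatm/img/../users/dave HTTP/1.1" 200 150 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, names in find_disclosures(SAMPLE_LOG).items():
        print(ip, 'retrieved user files:', ', '.join(names))
```

Any account whose file appears in the result should be treated as having an exposed password hash.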