This is not a vulnerability. "User may access a file publicly posted without giving that server the *user's* password hash" is not worse than the alternative. It's better than the alternative

By this logic visiting any website or viewing email are also bugs and should be blocked

Sign in to participate in the conversation
Scriptjunkie Social

scriptjunkie's server