[ProgSoc] Why you shouldn't pus config info in a .ini file (for a web app)

Leefe Hicks wyvern2 at tengutech.net
Fri Aug 19 20:51:28 EST 2011


Hi,

What is the correct procedure for reporting to an Open Source project 
a security flaw that you can drive a truck through?

I found a set of PHP scripts where the config file ends in '.ini'. 
The point being that you can read the config file directly if there 
is no .htaccess file blocking.

And considering there is no documentation telling you to do so, i 
don't expect anybody will have.

Which mean that anyone can read your database username/password and 
another configuration details.

(Yes I checked, it works like that on my server.)

And I thought it looked promising so far.
:(

Leefe.

-- 
Leefe Hicks
http://www.tengutech.net/wyvern/



More information about the Progsoc mailing list