[ProgSoc] Why you shouldn't put config info in a .ini file (for a web app)
wyvern2 at tengutech.net
Fri Aug 19 20:51:28 EST 2011
What is the correct procedure for reporting to an Open Source project
a security flaw that you can drive a truck through?
I found a set of PHP scripts where the config file ends in '.ini'.
The point being that you can read the config file directly if there
is no .htaccess file blocking.
And considering there is no documentation telling you to do so, I
don't expect anybody will have.
Which means that anyone can read your database username/password and
other configuration details.
(Yes I checked, it works like that on my server.)
And I thought it looked promising so far.
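An added example, not from the post above or from the project it describes: a small Python script that makes the exposure concrete. It builds a constructed document root in a temp directory, writes a config.ini with a (made-up) database password into it, and then asks three questions a reviewer would ask: is the file reachable by URL at all (is it under the document root), does an .htaccess in its directory deny it, and which keys in it look like credentials. It then shows the two fixes, an .htaccess `<Files>` block and moving the file above the document root. The .htaccess parsing is a deliberate simplification (only `<Files>`/`<FilesMatch>` blocks and top-level `Deny from all` / `Require all denied` in the file's own directory, not inherited parent rules), and the key list, file names and function names are all assumptions.

```python
"""Check whether a PHP app's .ini config is readable through the web server.

Added example; hypothetical helper names. The .htaccess handling is a
heuristic that only looks at the config file's own directory.
"""
import configparser
import fnmatch
import os
import re
import tempfile

# Key names that hand an attacker credentials if the file is served. Assumption.
SENSITIVE_KEYS = {"password", "passwd", "pass", "pwd", "secret", "api_key", "token"}

# Constructed sample config; the values are made up.
CONSTRUCTED_INI = """\
[database]
host = localhost
user = appuser
password = s3cret
dbname = app
"""

_BLOCK_RE = re.compile(
    r'<(Files|FilesMatch)\s+"?([^">]+?)"?\s*>(.*?)</(?:Files|FilesMatch)>', re.S | re.I)
_DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)


def url_path_for(docroot, path):
    """URL path the file would be served at, or None if it is outside the docroot."""
    docroot = os.path.realpath(docroot)
    real = os.path.realpath(path)
    try:
        inside = os.path.commonpath([docroot, real]) == docroot
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        return None
    return "/" + os.path.relpath(real, docroot).replace(os.sep, "/")


def htaccess_denies(directory, filename):
    """Heuristic: does the .htaccess in `directory` deny access to `filename`?"""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path) as f:
        text = f.read()
    # A bare deny outside any <Files> block covers the whole directory.
    if _DENY_RE.search(_BLOCK_RE.sub("", text)):
        return True
    for kind, pattern, body in _BLOCK_RE.findall(text):
        if pattern.startswith("~"):  # <Files ~ "regex"> is the old regex form
            kind, pattern = "filesmatch", pattern[1:].strip().strip('"')
        if kind.lower() == "files":
            matched = fnmatch.fnmatchcase(filename, pattern)  # shell-style wildcards
        else:
            matched = re.search(pattern, filename) is not None
        if matched and _DENY_RE.search(body):
            return True
    return False


def sensitive_keys(ini_text):
    """List 'section.key' entries whose key name looks like a credential."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return [f"{s}.{k}" for s in cp.sections() for k in cp[s] if k.lower() in SENSITIVE_KEYS]


def assess(docroot, cfg_path):
    """Combine the three checks into one verdict for a config file."""
    url = url_path_for(docroot, cfg_path)
    with open(cfg_path) as f:
        keys = sensitive_keys(f.read())
    blocked = url is not None and htaccess_denies(
        os.path.dirname(cfg_path), os.path.basename(cfg_path))
    return {"url": url, "blocked": blocked,
            "exposed": url is not None and not blocked, "sensitive": keys}


def demo():
    """Constructed docroot: unprotected .ini, then .htaccess fix, then moved outside."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "htdocs")
        os.makedirs(docroot)
        cfg = os.path.join(docroot, "config.ini")
        with open(cfg, "w") as f:
            f.write(CONSTRUCTED_INI)
        results["unprotected"] = assess(docroot, cfg)   # anyone can GET /config.ini
        with open(os.path.join(docroot, ".htaccess"), "w") as f:
            f.write('<Files "*.ini">\n    Require all denied\n</Files>\n')
        results["htaccess"] = assess(docroot, cfg)      # denied, if .htaccess is honoured
        outside = os.path.join(tmp, "config.ini")
        os.replace(cfg, outside)
        results["outside"] = assess(docroot, outside)   # no URL maps to it at all
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Moving the file above the document root is the more robust of the two fixes: an .htaccess only helps when the server honours it (AllowOverride is on, and the server is Apache at all), whereas a file with no URL mapped to it cannot be fetched regardless of server configuration. PHP's parse_ini_file reads it from any path just the same.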