
#1 Huge config.ini vulnerability

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2008-06-08
Created: 2008-06-08
Private: No

Hello,

I found a huge security hole.

When you have put the passwords in config.ini, someone can simply browse to http://webpage.tld/cssadmin/config.ini and read all passwords.

You'd better use a .php file like this:

File: config.inc.php
<?php
$rcon = "serverpassword";
$css_admin = "adminpassword";
$css_moderator = "moderatorpassword";
?>

and include it on top of the scripts using:
include("config.inc.php");

This is MUCH safer, and yes, I know you can change the config.ini's rights to make it inaccessible, but someone who wants to play games and has the server and admin pages as a NEEDED thing and is not a webserver enthusiast doesn't know that.

Besides, all files are in Unix encoding, so editing them on a Windows machine in, for instance, Notepad, isn't working fine. Same as what I said before, someone not doing this every day doesn't use nice editors like Programmer's Notepad.

Good luck!
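The exposure described in the report comes down to one rule of a stock Apache + mod_php deployment: files whose extension maps to the PHP handler are executed and only their output is sent, while every other file in the document root is served byte-for-byte to anyone who requests its URL. The following audit script, an added example that is not part of the original report or the project, walks a document root and reports files that are served raw, contain credential-looking keys, and are not shielded by a `.htaccess` deny rule. The directory layout, key names and `.htaccess` contents it builds are constructed for the demo; it assumes the server honours `.htaccess` (i.e. `AllowOverride` permits it) and only recognises directory-wide `Deny from all` / `Require all denied` rules, not per-file `<Files>` blocks.

```python
"""Audit a PHP document root for secret-bearing files that a web server
would hand out as plain text (the config.ini exposure from the report).

Added example; not part of the reported project. Assumes a stock
Apache + mod_php mapping: .php/.phtml are executed, everything else is
served raw, and .htaccess is honoured (AllowOverride permits it).
"""
import os
import re
import shutil
import tempfile

# Extensions the interpreter executes; anything else is served verbatim.
EXECUTED_EXTENSIONS = {".php", ".phtml"}
# Key names that usually hold credentials (rcon is the game-server password).
SECRET_KEY = re.compile(r"(pass|pwd|secret|token|rcon)", re.IGNORECASE)
KEY_VALUE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=")
# Directory-wide deny rules (Apache 2.2 and 2.4 spellings).
DENY_DIRECTIVES = ("deny from all", "require all denied")


def secret_keys_in(path):
    """Return the credential-looking key names found in an .ini-style file."""
    keys = set()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            # Skip comments and [section] headers; sectionless files are fine.
            if line.lstrip().startswith((";", "#", "[")):
                continue
            match = KEY_VALUE.match(line)
            if match and SECRET_KEY.search(match.group(1)):
                keys.add(match.group(1))
    return sorted(keys)


def directory_denies_access(directory):
    """True if a .htaccess in this directory blocks all direct requests."""
    htaccess = os.path.join(directory, ".htaccess")
    if not os.path.isfile(htaccess):
        return False
    with open(htaccess, encoding="utf-8", errors="replace") as fh:
        text = fh.read().lower()
    return any(directive in text for directive in DENY_DIRECTIVES)


def find_exposed_secrets(webroot):
    """Return sorted (relative path, keys) pairs for files that would be
    served raw, carry credential-looking keys, and sit in a directory
    without a deny rule."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        if directory_denies_access(dirpath):
            # .htaccess rules are inherited by subdirectories: skip the subtree.
            dirnames[:] = []
            continue
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTED_EXTENSIONS or name == ".htaccess":
                continue
            full = os.path.join(dirpath, name)
            keys = secret_keys_in(full)
            if keys:
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                findings.append((rel, keys))
    return sorted(findings)


def build_demo_webroot():
    """Constructed sample layout: the reported exposure next to two fixes."""
    root = tempfile.mkdtemp(prefix="cssadmin-audit-")
    app = os.path.join(root, "cssadmin")
    private = os.path.join(app, "private")
    os.makedirs(private)
    # Constructed key names; the report does not show the real config.ini.
    ini_text = ("rcon = serverpassword\n"
                "admin_password = adminpassword\n"
                "moderator_password = moderatorpassword\n")
    # 1. The exposure: an .ini full of secrets sitting in the served tree.
    with open(os.path.join(app, "config.ini"), "w") as fh:
        fh.write(ini_text)
    with open(os.path.join(app, "index.php"), "w") as fh:
        fh.write("<?php $cfg = parse_ini_file('config.ini'); ?>\n")
    # 2. Fix suggested in the report: the server executes a .php file and
    #    never discloses its source.
    with open(os.path.join(app, "config.inc.php"), "w") as fh:
        fh.write('<?php\n$rcon = "serverpassword";\n?>\n')
    # 3. Alternative fix: keep the .ini but deny direct requests to its directory.
    with open(os.path.join(private, "config.ini"), "w") as fh:
        fh.write(ini_text)
    with open(os.path.join(private, ".htaccess"), "w") as fh:
        fh.write("Require all denied\n")
    return root


def run_demo():
    """Build the sample webroot, audit it, and clean up."""
    root = build_demo_webroot()
    try:
        return find_exposed_secrets(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, keys in run_demo():
        print(f"EXPOSED {path}: {', '.join(keys)}")
```

Run it against a real document root with `find_exposed_secrets("/var/www/html")`. Only `cssadmin/config.ini` is reported in the demo: `config.inc.php` is executed rather than served, and `private/config.ini` sits behind a directory-wide deny rule. Moving the file outside the document root entirely is simpler still, since it then needs no server configuration at all.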
