#8 Source code + config exploit

[Mick Weiss]

If Mug2 is setup out of the box, all files that are not
recognized by Apache (files with no extention and .inc
files)
are viewable over the web.

The extention should be re-named to .inc.php or
something like that (and all the links need to be
updated accordingly). Or a disclaimer stating (Apache
needs to be changed yada yada). And the config file
needs to be automatically removed when the script finishes.

Examples of this exploit would be:

http://www.someusergroup.org/mug/install/config
http://www.someusergroup.org/mug/inc/admin/functions/

also a code block that starts with pseudo code ->
if_admin() { ... } might be needed in the inc files.

I will get to fixing this.

- Mick