#218 MySQL user/pass Visible

Security_Hole
closed-fixed
5
2002-05-31
2002-05-24
Anonymous
No

config.inc file is viewable from Internet.

I'm sure this has already been duly noted, but just in
case...

Unless the web server is configured to specifically
handle .inc files or the ./includes directory, anyone
can view the database configuration settings, including
the user/passwd.

For example, I can easily view the WebCalendar demo
database's host/user/passwd from my web browser.

This could be easily corrected by changing *.inc to
*.php, which would tell the web server to parse the
file as a PHP file, and basically return a whole bunch
of nothing to the end user.

Another option would be to tell the web server to treat
.inc files as PHP files, but this might cause problems
for other web applications.
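
The exposure described in this report can be checked for on a server's document root. The following is an added example, not part of the original ticket or of WebCalendar's code: it walks a directory and lists files that contain PHP source but carry an extension the web server would return as plain text. The set of PHP-handled extensions, the credential pattern, and the sample tree (file contents and values) are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: extensions this server hands to the PHP interpreter.
PHP_HANDLED = {".php"}
# Opening tag that marks a file as PHP source.
PHP_TAG = re.compile(rb"<\?(php|=|\s)")
# Heuristic for credential-looking assignments (constructed pattern).
CRED = re.compile(rb"(?i)\$?\w*(pass(wd|word)?|login|user)\w*\s*=")


def find_exposed_includes(docroot, handled=PHP_HANDLED):
    """Return sorted (relative_path, has_credentials) for PHP source files
    whose extension the server would send back as plain text."""
    findings = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in handled:
                continue  # parsed by PHP, so the source is not returned
            path = os.path.join(base, name)
            with open(path, "rb") as fh:
                data = fh.read(65536)
            if PHP_TAG.search(data):
                rel = os.path.relpath(path, docroot).replace(os.sep, "/")
                findings.append((rel, bool(CRED.search(data))))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample tree; names and values are illustrative only."""
    os.makedirs(os.path.join(root, "includes"))
    samples = {
        "index.php": b"<?php include 'includes/config.inc'; ?>",
        "includes/config.inc": b"<?php\n$db_login = 'example';\n$db_password = 'placeholder';\n?>",
        "includes/functions.inc": b"<?php function f() { return 1; } ?>",
        "README.txt": b"plain text, no PHP here",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, creds in find_exposed_includes(tmp):
            print(f"{rel}: served as text, credentials={'yes' if creds else 'no'}")
```

Any file it reports needs one of the remedies named in the report: rename it to an extension the server parses, or configure the server to handle that extension or directory.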

Discussion

  • Craig Knudsen

    Craig Knudsen - 2002-05-31

    This bug has been fixed.

    The fix will be included in the next public release.

     
  • Craig Knudsen

    Craig Knudsen - 2002-05-31
    • status: open --> closed-fixed
     