includes will also be readable in the browser unless they are placed somewhere above the webroot
I would say this is not a security issue, since you typically start with a blank config file, and it doesn't get populated with any information until you go through the install. Without PHP on your server, you can't go through the install, so there won't be any information in the config file.
If you're transferring an existing site from one server (with PHP) to another (without PHP), then you could see this issue. However, it would typically be discovered when you're in the process of moving the site, and would be fixed during that process.
Also, one of the CMSms system requirements is that the server have PHP installed. If you're installing on a server that doesn't meet the requirements (whether PHP is installed or not), you're likely to have any number of problems, security-related or not.
config.php security problem
Re: config.php security problem
I think his concern was that everything would be displayed if PHP went down on the host for some reason.
Re: config.php security problem
http://wiki.cmsmadesimple.org/index.php/User_Handbook/Installation/Optional_Settings
URL Filtering Using .htaccess
Re: config.php security problem
You may also consider turning off directory listings via .htaccess.
E.g.,
Options -Indexes
...and deny access to config.php.
This "HowTo" contains some examples that you might find helpful:
http://wiki.cmsmadesimple.org/index.php/How_to#How_to_Secure_CMSMS_system_-_Small_Guide
Nearly all men can stand adversity, but if you want to test a man's character, give him power.
- Abraham Lincoln
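The two measures suggested in the post above (no directory listings, no direct access to config.php), written out as an added .htaccess example that is not taken from the thread or the CMSMS wiki. It assumes Apache with AllowOverride permitting Options and access-control directives, and that config.php sits in the same directory as this .htaccess.

```apache
# Added example: .htaccess in the CMSMS root (assumed to contain config.php).

# Do not generate directory listings for folders without an index file.
Options -Indexes

# Refuse every HTTP request for config.php, so the file is never sent to a
# client even if the server stops handing .php files to the PHP interpreter.
<Files "config.php">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

CMSMS still reads config.php through the filesystem, so the site keeps working; a direct browser request for config.php should return 403 Forbidden.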