Re: config.php security problem
Posted: Thu Feb 18, 2010 1:03 pm
Includes will also be readable in the browser unless they are placed somewhere above the webroot.
I would say this is not a security issue, since you typically start with a blank config file, and it doesn't get populated with any information until you go through the install. Without PHP on your server, you can't go through the install, so there won't be any information in the config file.
If you're transferring an existing site from one server (with PHP) to another (without PHP), then you could see this issue. However, it would typically be discovered when you're in the process of moving the site, and would be fixed during that process.
Also, one of the CMSms system requirements is that the server have PHP installed. If you're installing on a server that doesn't meet the requirements (whether PHP is installed or not), you're likely to have any number of problems, security-related or not.
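A post-migration check for the situation discussed in this post, as an added example that is not part of the original thread or of CMSms itself: it flags a response in which a `.php` file comes back as source instead of being executed. The `$config[...]` key pattern, the function names and the sample responses are assumptions constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# A PHP open tag only reaches the client when the server sends the file unparsed.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Assumed settings style ($config['db_password'] = ...); adjust to the site's file.
CONFIG_ASSIGNMENT = re.compile(rb"\$config\[\s*['\"](\w+)['\"]\s*\]\s*=")


def audit_response(status, body):
    """Return a list of findings for one HTTP response to a .php URL."""
    findings = []
    if status != 200:
        return findings  # 403/404 and similar: the file content was not served
    if PHP_OPEN_TAG.search(body):
        findings.append("raw PHP open tag in body: file is not being executed")
    keys = sorted({m.decode() for m in CONFIG_ASSIGNMENT.findall(body)})
    if keys:
        findings.append("config keys exposed: " + ", ".join(keys))
    return findings


def audit_url(url, timeout=10):
    """Fetch a URL on your own site and audit it (needs network access)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return audit_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return audit_response(err.code, b"")


# Constructed sample responses (not captured from a real server).
EXECUTED = (200, b"")  # PHP ran config.php; it prints nothing
LEAKED = (200, b"<?php\n$config['db_hostname'] = 'localhost';\n"
               b"$config['db_password'] = 'example-only';\n?>")
DENIED = (403, b"Forbidden")  # web server refuses to serve the file

if __name__ == "__main__":
    for name, sample in [("executed", EXECUTED), ("leaked", LEAKED),
                         ("denied", DENIED)]:
        print(name, audit_response(*sample) or "ok")
```

Running `audit_url` against the config file and each include directory after moving a site shows whether the new server is executing PHP or handing out the source.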