Closed (fixed)
Project:
Drupal vB
Version:
4.7.x-1.x-dev
Component:
Code
Priority:
Critical
Category:
Bug report
Assigned:
Reporter:
Created:
2 Jul 2006 at 21:24 UTC
Updated:
1 Jan 2007 at 15:45 UTC
hi, I've just installed that module and founded a require_once('drupalvb.inc').
that line should be edited with require_once('drupalvb.inc.php') and file must be renamed in .inc.php to avoid mysql account of vB installation to be stolen.
by .htaccess config .inc files are forbidden, but for people not using it still a security hole.
Comments
Comment #1
rszrama commentedI'll go ahead and do this unless anyone has a good reason for me not to do so. (I mean... .module files aren't PHP files either, so I'm not sure this is necessary.)
Comment #2
rszrama commentedComment #3
gregglesif any sensitive information (e.g. username/password, license keys) is stored in a file on the server then the file needs to be a .php file. Note how the default/settings.php file (which contains secure information) is a .php file instead of a .inc
I'm changing this to "active" because in my review the vBulletin license is stored in plain text in the .inc file, so I believe this is an issue that should be addressed.
I would provide a patch for this, but it's mostly a matter of changing one line and renaming a file in CVS, so it's hardly worth the patch.
Comment #4
rszrama commentedThanks for the explanation, greggles. I'll go ahead and change this and post later today or tomorrow.
Comment #5
rszrama commentedFixed.
Comment #6
(not verified) commented