hi, I've just installed that module and founded a require_once('drupalvb.inc').

that line should be edited with require_once('drupalvb.inc.php') and file must be renamed in .inc.php to avoid mysql account of vB installation to be stolen.

by .htaccess config .inc files are forbidden, but for people not using it still a security hole.

Comments

rszrama’s picture

Status: Active » Needs review

I'll go ahead and do this unless anyone has a good reason for me not to do so. (I mean... .module files aren't PHP files either, so I'm not sure this is necessary.)

rszrama’s picture

Status: Needs review » Postponed
greggles’s picture

Status: Postponed » Active

if any sensitive information (e.g. username/password, license keys) is stored in a file on the server then the file needs to be a .php file. Note how the default/settings.php file (which contains secure information) is a .php file instead of a .inc

I'm changing this to "active" because in my review the vBulletin license is stored in plain text in the .inc file, so I believe this is an issue that should be addressed.

I would provide a patch for this, but it's mostly a matter of changing one line and renaming a file in CVS, so it's hardly worth the patch.

rszrama’s picture

Assigned: Unassigned » rszrama

Thanks for the explanation, greggles. I'll go ahead and change this and post later today or tomorrow.

rszrama’s picture

Status: Active » Fixed

Fixed.

Anonymous’s picture

Status: Fixed » Closed (fixed)