Closed
Description
I've already tried to report security issues privately via mail (message-id 20140520102828.30d346b6@xantho) on 20/05/2014 but didn't get any reply, thus I'm filing a public report.
Config filename is hardcoded at lg.cgi:299. As such, IPs and credentials are stored in a plain file named lg.conf under the same web directory, and the software README doesn't suggest any additional protection.
In order to avoid exposing credentials through the web, it would be better to move this file outside of the web root, or to suggest proper ACLs for the webserver configuration.
cc @emdel for credits
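
A deployment check for the two mitigations suggested in the report, as an added example that is not part of the original report or the project's own code: it flags a credentials file that resolves to a path inside the web root, or whose mode lets other local users read or modify it. The function names, finding labels and directory layout are assumptions, and the sample files are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_config(web_root, config_path):
    """Return a list of findings for a credentials file such as lg.conf."""
    findings = []
    root = Path(web_root).resolve()
    conf = Path(config_path).resolve()  # follow symlinks before comparing

    # A file under the web root can be fetched by URL unless the web
    # server is explicitly configured to deny access to it.
    if conf == root or root in conf.parents:
        findings.append("inside-web-root")

    mode = conf.stat().st_mode
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    return findings


def demo():
    """Audit a constructed layout: config beside the CGI vs. moved away."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp, "www")   # hypothetical web directory
        private = Path(tmp, "etc")    # hypothetical location outside it
        web_root.mkdir()
        private.mkdir()

        exposed = web_root / "lg.conf"
        exposed.write_text("constructed sample, no real credentials\n")
        os.chmod(exposed, 0o644)

        moved = private / "lg.conf"
        moved.write_text("constructed sample, no real credentials\n")
        os.chmod(moved, 0o640)

        return audit_config(web_root, exposed), audit_config(web_root, moved)


if __name__ == "__main__":
    before, after = demo()
    print("config beside lg.cgi:", before)
    print("config outside web root:", after)
```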