CVE-2014-3928: Unsafe configuration file path/ACL #4
I've already tried to report security issues privately via mail (message-id 20140520102828.30d346b6@xantho) on 20/05/2014 but didn't get any reply, thus I'm filing a public report.
Config filename is hardcoded at
In order to avoid exposing credentials through the web, it would be better to move this file outside of the web root, or to suggest a proper ACL for the webserver configuration.
cc @emdel for credits
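The following check is an added example, not part of the original report or the project's code. It audits the two conditions the report raises: whether a credentials file is reachable under the document root, and whether its file mode is too permissive. The paths, the file name `app.conf`, and the helper names `audit_config` and `demo` are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path


def _under(path, root):
    return path == root or root in path.parents


def audit_config(config_path, web_root):
    """Return findings for a credentials file relative to a document root."""
    cfg = Path(config_path)
    root = Path(web_root).resolve()
    served_as = cfg.parent.resolve() / cfg.name  # directory entry the server sees
    target = cfg.resolve()                       # file it finally points to
    findings = []
    # Reachable under the document root: a direct HTTP request may return it.
    if _under(served_as, root) or _under(target, root):
        findings.append("inside-web-root")
    mode = target.stat().st_mode
    if mode & stat.S_IROTH:   # any local account can read the credentials
        findings.append("world-readable")
    if mode & stat.S_IWOTH:   # any local account can replace the settings
        findings.append("world-writable")
    return findings


def demo():
    """Audit a weak and a corrected placement in a constructed directory tree."""
    with tempfile.TemporaryDirectory() as base:
        web_root = Path(base, "htdocs")
        private = Path(base, "private")
        web_root.mkdir()
        private.mkdir()
        weak = web_root / "app.conf"    # hypothetical name, constructed content
        weak.write_text("db_password = example\n")
        os.chmod(weak, 0o644)
        fixed = private / "app.conf"    # outside the web root, owner/group only
        fixed.write_text("db_password = example\n")
        os.chmod(fixed, 0o640)
        return {
            "weak": audit_config(weak, web_root),
            "fixed": audit_config(fixed, web_root),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

A symlink placed in the web root that points at a file stored elsewhere is still reported as inside the web root, because the directory entry itself is checked as well as its target.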
referenced this issue
Jun 2, 2014
This is a cumulative thanks for all the fixes.