This is almost too ridiculous to post, but there’s a point to it, I promise. There is a pretty funky issue that VMWare has on their site where they basically show the username and password to their drupal install. It’s just so sloppy I barely even want to mention it, except (again) there’s a point here that goes beyond VMWare’s configuration oversight.
Well if you look at the above picture you’ll notice something interesting in their featured partners. Something… not right:
Digging through the source we find the originating code:
Ouch… either the server is misconfigured and hands the .php file to the client as plain text instead of executing it, or the PHP block is not opened or closed properly and the interpreter passes the credential line through as output. Either way the Drupal database password is disclosed. “Okay, boring problem, why are you even talking about it, RSnake?” Here’s why… one of my major problems with database-driven web applications is that the password is almost always embedded within the code, in a file that sits inside the web-accessible directory. If there is a breach in the way the code is rendered, or anything that makes the server give up the source of a page (a parsing bug, a backup file, a broken handler mapping), the database credentials go with it and the site can be compromised. There’s one saving grace here: the database is internal (localhost), so the leaked password can’t be used directly from outside the box. But my point remains. Keep your passwords out of the web-accessible directory whenever possible.
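The following is an added example, not code from the original post and not VMware’s or Drupal’s own code. It models the two halves of the point above: a check that tells you when a fetched response is leaked PHP source rather than rendered output, and a minimal file-serving model showing why a credential file placed outside the document root stays unreachable even when the web server serves everything under that root as text. The settings file contents, the `mysql://drupal:s3cret@localhost/drupaldb` DSN and the `/etc/drupal/db_url` path are constructed for the example.

```python
import os
import re
import tempfile

# Constructed sample: a Drupal-style settings.php with the database DSN
# embedded in the source (the pattern the post complains about).
SETTINGS_PHP = """<?php
$db_url = 'mysql://drupal:s3cret@localhost/drupaldb';
$db_prefix = '';
?>
"""

# Constructed sample: same file with the secret moved to a path outside the
# docroot. If this source leaks, the attacker learns a path, not a password.
HARDENED_SETTINGS_PHP = """<?php
$db_url = trim(file_get_contents('/etc/drupal/db_url'));
$db_prefix = '';
?>
"""

# Things that should never appear in a response from a working PHP site.
PHP_SOURCE_MARKERS = (
    re.compile(r"<\?php"),                      # open tag reached the client
    re.compile(r"\$db_url\s*="),                # Drupal DSN assignment
    re.compile(r"[a-z]+://[^:/\s]+:[^@\s]+@"),  # scheme://user:pass@host
)


def leaked_php_source(body):
    """Return the marker patterns found in a fetched response body.
    Empty list: the PHP was executed (or the page was never PHP).
    Any hit: the source itself reached the client, as in the post."""
    return [m.pattern for m in PHP_SOURCE_MARKERS if m.search(body)]


def dsn_credentials(body):
    """If a scheme://user:pass@host DSN is in the body, return (user, pass)
    so a scanner can report exactly what was exposed."""
    m = re.search(r"[a-z]+://([^:/\s]+):([^@\s]+)@", body)
    return (m.group(1), m.group(2)) if m else None


class DocRoot:
    """Minimal model of a static file handler that serves everything under
    one directory as text (the misconfiguration in the post) but refuses
    paths that resolve outside it."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def fetch(self, url_path):
        target = os.path.realpath(os.path.join(self.root, url_path.lstrip("/")))
        if os.path.commonpath([self.root, target]) != self.root:
            return 403, ""  # traversal outside the docroot is refused
        if not os.path.isfile(target):
            return 404, ""
        with open(target) as fh:
            return 200, fh.read()  # served verbatim, no PHP execution


def demo():
    """Build a throwaway docroot plus a private directory beside it and show
    what a source-serving misconfiguration exposes in each layout."""
    tmp = tempfile.mkdtemp()
    docroot = os.path.join(tmp, "htdocs")
    private = os.path.join(tmp, "etc", "drupal")
    os.makedirs(docroot)
    os.makedirs(private)
    with open(os.path.join(docroot, "settings.php"), "w") as fh:
        fh.write(SETTINGS_PHP)
    with open(os.path.join(private, "db_url"), "w") as fh:
        fh.write("mysql://drupal:s3cret@localhost/drupaldb\n")

    srv = DocRoot(docroot)
    _, body = srv.fetch("/settings.php")          # source served as text
    exposed = dsn_credentials(body)               # ('drupal', 's3cret')
    status_outside, _ = srv.fetch("/../etc/drupal/db_url")  # 403
    # Even if the hardened settings.php leaks, no credentials are in it.
    hardened_exposed = dsn_credentials(HARDENED_SETTINGS_PHP)  # None
    return exposed, status_outside, hardened_exposed


if __name__ == "__main__":
    print(demo())
```

Pointing `leaked_php_source` at the body of every `.php` URL in a crawl of your own site is a cheap regression check for exactly this class of mistake; a hit on `<?php` or a `user:pass@` DSN means the handler mapping or the file itself needs attention before anyone else notices.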