2013-04-10, 02:11:40
Minor issue, found doing a security review. Direct access to files with config and backups must be disallowed. So GS can keep config inside .php files starting with <?php die(); ?> or deny direct access via config (.xml files), but this config still misses quite a few files that must be denied direct access via .htaccess:
/data/other/logs/errorlog.txt is one of these, and even the actual official get-simple.info fails to protect that file (not a problem to disclose that info; it contains old, unimportant data).
Then there is a double standard inside /backups/, where some files get a 'safe' extension (/backups/pages/pagename.bak.xml) but other files do not, so you have to deny /backups/other/website.xml.bak and components.xml.bak via config or .htaccess.
I suggest changing those backup files from .xml.bak to .bak.xml in order to have an additional safety layer.
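An .htaccess fragment covering the paths the post names, added here as an example (it is not from the post or from the GetSimple project); the path list is taken from the post, and the Apache 2.2/2.4 split and the site-root placement are assumptions:

```apache
# Added example, not GetSimple's own .htaccess. Place at the site root.
# Assumes the install lives at the document root, so paths below are
# relative to it.

# 1. Error log (and anything else under data/other/logs): answer 404 so
#    the file's existence is not confirmed to a browser.
RedirectMatch 404 ^/data/other/logs/

# 2. Backups: deny both naming schemes the post describes, so the
#    check no longer depends on which extension order a file uses
#    (website.xml.bak, components.xml.bak and pagename.bak.xml).
# 3. Raw .xml data/config files: deny them too; .php files guarded by
#    <?php die(); ?> are still served normally and are not matched.
<FilesMatch "\.(bak|xml)$">
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

These rules only take effect if AllowOverride permits FileInfo/Limit directives in .htaccess for that directory; after deploying, confirm with a browser that /data/other/logs/errorlog.txt and /backups/other/website.xml.bak no longer return 200.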