On Wed, 1 Oct 2003, Rob Whyte wrote:
> I noticed today that included in the status.cgi page is the xml
> configuration file (config.xml) which shows the passwords for login and pptp
> clients in PLAIN TEXT. There is no password required to get to this page,
> and is viewable by anyone inside the firewall.
Ouch - looks like an undocumented "feature" in mini_httpd (compared to
thttpd which did allow .htpasswd to traverse directories). A fixed image
(pb16r501) has been released and pb16r500 has been removed.
EVERBODY WHO RUNS pb16r500 IS STRONGLY URGED TO UPGRADE IMMEDIATELY!!