Peter Somogyi wrote:
> Sorry, could you point there please? (I've already spent 4 hours for google
> and grep on trunk, asked expert people here but couldn't find anything.)
> Do you mean the hole is in the auth way (we can use mod_auth_pam instead), or
> in using fs ACLs instead of .htaccess?
Twofold: if there was a code execution vulnerability somewhere within the in-process server stack, including scripting languages or running untrusted code, those files are visible to nobody. Essentially you are sharing the p/w list with everyone on the machine to crack the hashed passwords or search for their match. Secondly, unless ssl/tls is in use, the p/w's can be sniffed over the wire. If these are also your ssh login accounts... well, you can figure out the rest.
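As an added example (not code from this thread or from the project being discussed), a small Python audit for the two file-side risks the reply raises: an htpasswd file readable by other local accounts, and entries stored in schemes that are cheap to crack offline once the file leaks. The scheme classification and the choice to treat only bcrypt as strong are this example's assumptions; the sample entries are constructed.

```python
import os
import re
import stat

# htpasswd(1) schemes; only bcrypt counts as strong here (this example's assumption).
_HASH_KINDS = (
    ("bcrypt", re.compile(r"^\$2[aby]\$\d\d\$")),
    ("apr1-md5", re.compile(r"^\$apr1\$")),
    ("sha1", re.compile(r"^\{SHA\}")),
    ("crypt", re.compile(r"^[./0-9A-Za-z]{13}$")),  # a 13-char plaintext also matches
)

def classify_hash(hashed: str) -> str:
    """Name the scheme used by one htpasswd password field."""
    for name, pattern in _HASH_KINDS:
        if pattern.match(hashed):
            return name
    return "plain-or-unknown"

def audit_entries(text: str) -> list:
    """Return (line, user, scheme) for every entry not stored with bcrypt."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        kind = classify_hash(hashed) if sep else "malformed"
        if kind != "bcrypt":
            findings.append((lineno, user, kind))
    return findings

def mode_issues(mode: int) -> list:
    """Permission bits that let other local accounts read the file."""
    issues = []
    if mode & stat.S_IRGRP:
        issues.append("group-readable")
    if mode & stat.S_IROTH:
        issues.append("world-readable")
    return issues

def audit_file(path: str) -> dict:
    """Run both checks against a real htpasswd file on disk."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        return {"perm": mode_issues(mode), "weak": audit_entries(fh.read())}

# Constructed sample, not a real password file: three accounts, three schemes.
SAMPLE = ("alice:$apr1$saltsalt$abcdefghijklmnopqrstu\n"
          "bob:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=\n"
          "carol:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234\n")
```

Running `audit_file("/path/to/.htpasswd")` on a live file reports a non-empty `perm` list whenever the file is readable beyond its owner, which is exactly the condition under which any code running in the server's context can copy it.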