Infusionsoft Community
TOPIC: Re:A word of advice to the iSDK users
#7475
nonickch (User)
Senior Boarder
Posts: 36
A word of advice to the iSDK users 2 Months, 2 Weeks ago Karma: 1  
Always, ALWAYS include an .htaccess file blocking access to your conn.cfg file.

Sharing your API key with the world can be quite disastrous.

I'd recommend just blocking access to everyone (including authenticated users).

The .htaccess should be something like:
Code:

    <Files conn.cfg>
        order allow,deny
        deny from all
    </Files>

Replace [ and ] with the correct html-like less-than/greater-than signs (the forum doesn't let me type the character).

.htaccess, to the best of my knowledge, only works with Apache web servers; try to find a similar thing if you're on something else.
Last Edit: 2009/09/02 02:00 By nonickch.
#7533
techportal (User)
CMAC
Posts: 226
Re:A word of advice to the iSDK users 2 Months, 2 Weeks ago Karma: 7  
An easier way is to just rename the conn.cfg to conn.php.


You will have to modify the appropriate part in the iSDK, but the content will now be invisible, so to speak.
Bob Keen
https://www.InfusionWP.com - TurboCharge InfusionSoft with WordPress Membership Sites!

http://www.infusionsoftkunaki.com - Full Kunaki/Infusionsoft Gateway Solution

http://infusionsoft1clickupsell.com/ - Don't miss a launch and don't lose a single sale
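A local audit for the two problems the posts above discuss (a conn.cfg with no .htaccess deny rule, and a conn.php rename that still serves raw text because the file is not actually PHP code). This is an added example, not code from the thread or from the iSDK; the web-root layout, file names and placeholder key it builds are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# <Files name> or <FilesMatch regex> section; group 1 is non-empty for FilesMatch
FILES_SECTION = re.compile(
    r'<Files(Match)?\s+"?([^">]+?)"?\s*>(.*?)</Files(?:Match)?>', re.I | re.S)
# Apache 2.2 "deny from all" or Apache 2.4 "Require all denied" on a line of its own
DENY_RULE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def htaccess_denies(htaccess, filename):
    """True if the .htaccess has a Files/FilesMatch section covering filename with a deny rule."""
    if not htaccess.is_file():
        return False
    for is_match, target, body in FILES_SECTION.findall(htaccess.read_text(errors="replace")):
        hit = re.search(target, filename) if is_match else target == filename  # FilesMatch is a regex
        if hit and DENY_RULE.search(body):
            return True
    return False

def php_config_leaks(path):
    """True if a .php file does not open with <?php: PHP hands such text to the browser verbatim."""
    head = path.read_text(errors="replace")[:64].lstrip("\ufeff \t\r\n")
    return not head.lower().startswith("<?php")

def audit(webroot):
    """Return sorted (relative path, problem) pairs for connection files a browser could read."""
    root, findings = Path(webroot), []
    for path in root.rglob("*"):
        rel = str(path.relative_to(root))
        if path.name == "conn.cfg" and not htaccess_denies(path.parent / ".htaccess", path.name):
            findings.append((rel, "conn.cfg not denied by .htaccess"))
        elif path.name == "conn.php" and php_config_leaks(path):
            findings.append((rel, "conn.php is plain text, key still served"))
    return sorted(findings)

def build_demo():
    """Constructed sample web root: an exposed conn.cfg, a protected one, and a bad rename."""
    root = Path(tempfile.mkdtemp())
    cfg = "apiKey=EXAMPLE_KEY_PLACEHOLDER\n"  # constructed placeholder, not a real key
    layout = {"exposed": {"conn.cfg": cfg},
              "protected": {"conn.cfg": cfg, ".htaccess": '<Files "conn.cfg">\n  deny from all\n</Files>\n'},
              "renamed": {"conn.php": cfg}}
    for sub, files in layout.items():
        (root / sub).mkdir()
        for name, body in files.items():
            (root / sub / name).write_text(body)
    return root
```

Run `audit(build_demo())` to see the two findings; point `audit()` at a real document root to check a deployed plugin the same way.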
#7813
techportal (User)
CMAC
Posts: 226
Re:A word of advice to the iSDK users 1 Month, 3 Weeks ago Karma: 7  
Not to beat a dead horse but today, working on a client's site, I once again found an unprotected conn.cfg.

Since this was a fairly well known Wordpress Infusion plugin, it also means that the people who use this plugin all have their unprotected conn.cfg files in the same standard location. All that is needed is a browser and the API key is revealed.

The amount of damage that can result should be clear. It is imperative that if you must use this file with this specific name, it at the very least be protected with .htaccess. Short of that, one is potentially opening their entire database to the public.

Best,
Bob
#7823
MMitchell (User)
CMAC
Posts: 91
Re:A word of advice to the iSDK users 1 Month, 3 Weeks ago Karma: 24  
Existing WP Plugin users can patch their installation this way. I'll also email you guys on it.

http://infusionsoft-wordpress.com/patch_20090925.php

For future applications we are editing the conn.cfg to conn.php as Bob suggests and will edit the sdk appropriately.

Thanks again Bob!
Micah Mitchell

InfusionSoft Certified Consultant
Web-Designer / Programmer

801-891-8778
micah@moldingbox.com

Free Wordpress Plugin for Infusionsoft
www.infusionsoft-wordpress.com

Free Joomla Plugin for Infusionsoft
www.infusionsoft-joomla.com

Learn How to Make GoToWebinar Integrate to Infusionsoft
www.infusionsoft-gotowebinar.com

Buying Leads? This Can Help
www.infusionsoft-leadcapture.com

#7825
techportal (User)
CMAC
Posts: 226
Re:A word of advice to the iSDK users 1 Month, 3 Weeks ago Karma: 7  
To the iSDK Team:

Please, please, please... change this as soon as possible and let everyone know.

This is potentially a major security issue for everyone. Don't let new users find out the hard way.
#7827
MMitchell (User)
CMAC
Posts: 91
Re:A word of advice to the iSDK users 1 Month, 3 Weeks ago Karma: 24  
I second that motion. It's embarrassing to me as a developer that I didn't see this myself.

It's no excuse for me but please change this asap in the iSDK that new people are still downloading.
#7847
reimagine (User)
Fresh Boarder
Posts: 2
Re:A word of advice to the iSDK users 1 Month, 3 Weeks ago Karma: 0  
In addition to changing the file extension on the config file to make it unreadable, it's also a good security measure to specify the IP addresses that are allowed to connect with the application. (Just remember to change those settings if your server's IP address changes or you add scripts on a different server).