Security issue: vBSEO 3.5 and other web servers

I saw that vBSEO 3.5 is saving all config to .XML files which are protected with .htaccess files with the directive deny from all.

But .htaccess only works with some web servers like Apache, other web servers like nginx, lighttpd, cherokee, IIS don't read .htaccess files so anybody can read the config file of vBSEO and check all of options that we use and also get the password hash since it's stored in that file.

Code:

<setting>
<name>VBSEO_ADMIN_PASSWORD</name>
<value>XXXXXXXXXXXXXXXXXX</value>
</setting>

Also there are similar problem with vBSEO Sitemap in data folder, but it isn't too important like this because it only stores log files.

It encoded as a md5 hash; so unless you use a dictionary word as your password I would guess it is no more insecure than logging in without using https:// (if it is a dictionary word then you will probably be bruteforce hacked eventually anyway).

We ship with htaccess files as 95% or more of our customers are on apache set ups. If you're using an alternative system, you should protect the directories with your webserver's method.