Those of you who are familiar with SquirrelMail know that it uses a script to perform general checking “to make sure everything works like it should” (a quote from the INSTALL readme file).
While I can agree this is actually useful as it can detect errors such as wrong permissions or plugin compatibility issues, I don’t understand why the sysadmins leave the script on the web server after the installation, accessible to everyone. The script generates output which can reveal sensitive information about the server, especially when verbose logging is enabled.
I wouldn’t expect everyone to be extremely cautious when it comes to server security and certainly not everyone is knowledgeable enough to realize the importance of protecting the web folders and online content, but I was surprised to see websites such as linuxcbt.com ignoring it.
For those who don’t know, they offer Linux training solutions and they say they’re the best in the business.