Fri, 28th December 2012
Horrible review (by intention?)
Yes, the software keeps data in *.cgi files to ensure that nobody can access the files via a browser, even if a customer does not follow the setup wizard recommendations and places data files under the web root directory. Try to open such a file, and all you get is an internal server error.
"Server side configs can have data injected" - it would be a severe vulnerability... if it existed. And even worse: assuming that the vulnerability exists, posting hints instead of contacting the developer of the open source software does not seem to be professional to begin with...
Anyone can "hack" a domain name by editing the local hosts file? Sure. But the config file will be "re-hacked" back instantly, by anyone "not smart enough to edit the local hosts file". So, what is the point? Sending an email with a wrong link? But why not just send a legitimate-looking email from your account? Less work and a guaranteed result.
"the list goes on forever" - why not use our help desk or web forum to submit the list? We all know that there is no such thing as vulnerability-free software. For non-believers I suggest subscribing to CVE or just to the RedHat/Ubuntu security notifications. All those lists are the result of the work of true professionals, the guys who want to make the Internet a more secure place by reporting bugs and vulnerabilities to authors.