oss-security-list@demlak.de reports:
An unauthenticated remote attacker is able to get the database
password via web access due to wrong file permissions of the /logs/
folder in froxlor version 0.9.33.1 and earlier. The plain SQL
password and username may be stored in the /logs/sql-error.log file.
This directory is publicly reachable under the default
configuration/setup.
Note that froxlor 0.9.33.2 only stops passwords from being written to the
log in the future; it does not remove passwords that were already logged,
so existing log files must be cleaned up by hand. Michael Kaufmann, the
Froxlor lead developer, reports:
Removing all .log files from the directory should do the job;
alternatively, just use the class.ConfigIO.php from GitHub.
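The check and cleanup an administrator would want after upgrading, as an added example that is not part of the advisory or of froxlor's own code: scan every .log file under the install's logs/ directory for the known database password, and remove the files as the lead developer suggests. The install path, the log line format and the way the password is supplied (here as a plain argument; on a real host it is taken from the froxlor configuration) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not froxlor code. Assumes the froxlor install directory is
# passed as $1 and its logs/ subdirectory holds the affected *.log files.

# froxlor_leaked_logs DIR SECRET
#   Prints every DIR/logs/*.log that contains SECRET (the DB password).
#   Returns 0 when at least one file leaks it, 1 otherwise.
froxlor_leaked_logs() {
    dir="$1"; secret="$2"; leaked=1
    for f in "$dir"/logs/*.log; do
        [ -f "$f" ] || continue          # unmatched glob: nothing to scan
        if grep -qF -- "$secret" "$f"; then   # fixed-string match, no regex surprises
            echo "$f"
            leaked=0
        fi
    done
    return $leaked
}

# froxlor_purge_logs DIR
#   The upstream workaround: delete all *.log files in DIR/logs.
froxlor_purge_logs() {
    for f in "$1"/logs/*.log; do
        [ -f "$f" ] && rm -f -- "$f"
    done
    return 0
}

# froxlor_demo_install
#   Builds a throwaway install layout with a CONSTRUCTED sql-error.log line
#   (the real log format is not reproduced here) and prints its path.
froxlor_demo_install() {
    d=$(mktemp -d)
    mkdir -p "$d/logs"
    printf '%s\n' \
      "[2014-12-31 12:00:00] SQL error while connecting as user 'froxlor' with password 's3cr3tDbPass' (constructed sample)" \
      > "$d/logs/sql-error.log"
    echo "$d"
}

# Stand-alone demo: detect the leak, purge, verify, clean up the temp dir.
demo=$(froxlor_demo_install)
echo "Before cleanup:"
froxlor_leaked_logs "$demo" 's3cr3tDbPass' || echo "  (no leak found)"
froxlor_purge_logs "$demo"
echo "After cleanup:"
froxlor_leaked_logs "$demo" 's3cr3tDbPass' || echo "  (no leak found)"
rm -rf -- "$demo"
```

Run it against a real install as `froxlor_leaked_logs /var/www/froxlor "$DBPASS"` (path is an assumption) before and after the purge; a non-empty listing after the purge means another log location still needs attention. Deleting the files does not by itself stop the directory being served, so the upgraded class.ConfigIO.php (or the 0.9.33.2 release) is still required.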