It isn't a problem unless you have users with shell access that can navigate to the file. The file won't show any text if called from a browser.

Several things you can do to add more protection.
. Change the ownership of the file or rights so that only the web server user can read the file.
. Encode the file with a PHP encoder. It can then only be read by PHP that has the same decoder.
. Disallow access to mainfile.php in Apache:

Order allow,deny
Deny from all


Even if you don't do these steps and only do what the Install suggests you shouldn't have a problem. I go a few steps further. And yes I've had a few attempts to call mainfile.php. Instead of a blank screen that would normally be given they got a 403 forbidden error.

The XOOPS Core Team probably knows of this already, but just in case they don't, here's a security bug reported by Security Tracker.

http://securitytracker.com/alerts/2004/Jan/1008849.html

Thanks!