We have security audits and we found that there is the database password in clear text format in the local.xml file. We were surprised that this wasn’t encrypted. This will not pass our security audits so we are wondering how to get around this issue to not show this clear text password or encrypt it somehow. Thanks.
They would have to have access to your server to get to local.xml. Once they have access to your server, it is impossible to protect, encrypted or not. At some point PHP will have to know the password, and at that point they can just do a memory dump of PHP and they have it.