When installing www-apps/horde-3.1.1 +mysql -vhosts the database create scripts in htdocs/horde/scripts/sql are world readable (also via web). When someone uses the install description in /usr/share/doc/horde-3.1.1/INSTALL.gz section 6. vi create.mysql.sql mysql -u root -p < create.mysql.sql and does not remove or modify permission of the create.mysql.sql file the password is visible. The files should be installed with 600 (it seems the test.php is installed with 000 for security reasons also?).
updated 3.1.1-r1 to force 600 on scripts/sql/create.*.sql cheers