Piwik doesn't prevent listing of some key directories such as
config/. This could help identifying piwik's running version.
index.html files in those directories solves the problem.
Isn't this something that should be disabled in the webserver config instead? Any production server should have dirlisting disabled by default, though most shared hosters will probably not do this...
indeed. you can always add a .htaccess with "Deny from all"
If you really want to fix this problem, you should also make sure that files and dirs like README, tmp, tests, misc, etc. are removed as well. Even better, any php files that are not meant to be called directly (ie, anything but piwik.php and index.php I guess) should be outside of the document root as well.
Piwik might could make this setup easier by supplying a "htdocs" dir, which contains all files that should be in the document root. This will slightly complicate the default "put everything in the docroot" install approach (in particular, "htdocs" will show up in the url), but most of this should be solved by symlinking just index.php and perhaps piwik.php outside of the document root. The more advanced user can then just symlink only the htdocs directory into the documentroot (which contains index.php, piwik.php/js, robots.txt and the themes' css and js).
Anyway, perhaps this should be a seperate ticket, if anyone cares...
Fixed in .