I want some expert advice for the following.
Suppose a Magento site has exposed local.xml in browser like following way.
http://www.example.com/app/etc/local.xml and
http://www.example.com/RELEASE_NOTES.txt I know that local.xml contains sensitive information, but if release notes are also exposed what kind of and how severe security breach can happen?
The RELEASE NOTES disclose the exactly used version and makes it easy for attackers to search for Magento versions with known vulnerabilities.
Note that removing them does not make it impossible to figure out the version (see: Determine Magento version without access to code base) but at least sets the hurdle a bit higher.
As for app/etc/local.xml, you answered it yourself: The most sensitive information are the database credentials. However, you should configure MySQL to not allow access from outside anyways.
By the way, if app/etc/local.xml is exposed, chances are, that app/etc/applied.patches.list is exposed as well and this is worse than exposing the release notes because it shows exactly which security patches have been applied (and implicitly, which have not been applied). This is valuable information for a potential attacker and makes it easy to find weaknesses.
