[Resolved] headonfire (@headonfire)

    Hello,
The plugin looks really promising! While I’m still trying to make it work (at least on Windows it’s not working; the details are in another thread), I’ve already noticed a serious security breach: the .sql dump file is saved in the /wp-content/uploads/ folder and is accessible from the web by anyone.
    You should instruct users how to limit access to this file via .htaccess and the Nginx conf, or (preferably) write it automatically (at least to .htaccess; with the Nginx conf it might be impossible).

I’m not good with .htaccess directives; use this cheat sheet to write a proper rule: http://borkweb.com/story/apache-rewrite-cheatsheet

    For Nginx conf it will be this:
# anchored with $ so only URIs ending in .sql are refused (403)
    location ~ \.sql$ { deny all; }

    https://wordpress.org/plugins/revisr/

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Security flaw: web accessible .sql dump’ is closed to new replies.