[BUG] Backup tool directory exploration and media dir size

  • gabbuz

    (@gabbuz)


    9 years, 11 months ago

    Hello,
    I think to have found two bugs in the backup tool included in iThemes Security.

    The first is the directory exploration: some webservers have the directory exploration active as default (it means that if you visit a directory without an index page, it lists you the folders and files inside it).
    So, if someone tries to explore your website till the ./wp-content/uploads/ithemes-security/backups directory, it could freely access the full blog database backup. Am I right?

    The second bug comes with the WordPress network installation.
    As you know, you should set a quota for every blog in the network: this particular case will count the backups size in the main blog media quota.

    Let me know.

    Thanks,
    Gabriele

    https://wordpress.org/plugins/better-wp-security/

Viewing 3 replies - 1 through 3 (of 3 total)
  • iThemes Support

    (@ithemes-support)

    9 years, 11 months ago

    The first is not a bug at all. As we cannot reliably detect a location on every server we store the backups, by default, in a subdirectory of the uploads folder with a .htaccess file set to protect them as much as possible. We recommend, however, moving the backup folder outside of your website root which can be done through the settings.

    The second I will investigate further.

    Thread Starter gabbuz

    (@gabbuz)

    9 years, 11 months ago

    For the first, I can’t find the .htaccess you’re talking about.
    Is the .htaccess created automatically by the plugin?

    Is the second bug maybe related to the upload folder? Maybe the media space for the main blog is counted in the upload root folder?

    AlanJWoodward

    (@rogerleclerc)

    9 years, 11 months ago

    Hello,

    To add to the possible bugs, I think I’ve found two further ones (as I’ve posted here: Backup emails as well as saves locally.

    I can’t seem to change the backup folder (my preferred folder is not in the web root and yes, it’s writeable by the website account) and every time I make a backup, it’ll email it as well as saving it locally.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘[BUG] Backup tool directory exploration and media dir size’ is closed to new replies.