
[Plugin: WP-DB-Backup] huge security hole (23 posts)

  1. iamthechosenone
    Member
    Posted 5 years ago #

    Hello, I tried creating a backup that would be emailed, but the email failed.
    I created a backup to the server. But if the folder is writable then it is publicly available, right?

    I searched the net and found lots of people's backups. Someone could use these to steal content including private posts and passwords.

    See this Google search.

  2. iamthechosenone
    Member
    Posted 5 years ago #

    Although I received the error when trying to back up via email, I still got the email. I would suggest users use the email option to regularly and safely back up their database.

  3. Austin Matzko
    Member
    Posted 5 years ago #

    This bug should be fixed in version 2.2.1 of WP-DB-Backup.

  4. whooami
    Member
    Posted 5 years ago #

    I searched the net and found lots of people's backups. Someone could use these to steal content including private posts and passwords.

    Nice. Great coding.

  5. ibnuasad
    Member
    Posted 5 years ago #

  6. whooami
    Member
    Posted 5 years ago #

    That just amazes me. I nearly blogged on that yesterday after I responded. Apparently the plugin no longer uses that directory, and that's great now, but the fact that it ever did use that sort of directory setup (non-random) is just absolutely unbelievably shoddy coding. I'm not just jaw-droppingly irritated, I'm jaw-droppingly surprised at such an obvious oversight.

  7. Matt Hill
    Member
    Posted 5 years ago #

    I was going to install this, but I think I'll stick to my existing backup system!

    Holy sweet jeezus.

  8. Lester Chan
    Member
    Posted 5 years ago #

    Grab my WP-DBManager .htaccess and place it in your backup folder and it should do the trick:

    http://plugins.trac.wordpress.org/browser/wp-dbmanager/trunk/.htaccess

  9. Austin Matzko
    Member
    Posted 5 years ago #

    That just amazes me. I nearly blogged on that yesterday after I responded. Apparently the plugin no longer uses that directory, and that's great now, but the fact that it ever did use that sort of directory setup (non-random) is just absolutely unbelievably shoddy coding.

    That's fine, but the plugin stopped using wp-content/backup/ (non-random directory) something like three years ago, before I took over development. It's a much different plugin today, so please don't use this as a reason to criticize it.

  10. iamthechosenone
    Member
    Posted 5 years ago #

    That's fine, but the plugin stopped using wp-content/backup/ (non-random directory) something like three years ago, before I took over development. It's a much different plugin today, so please don't use this as a reason to criticize it.

    I don't think it's shoddy coding. It is a prime example of users not fully knowing enough about their server to protect their files. Had users stopped people from viewing folders without index files, there would have been no problem. They could have even changed the permissions of the backups folder.

    Personally I have one e-mail account that I only use to store database backups. As an extra precaution, I also have my server run complete nightly backups. None of this requires in depth understanding of servers, just a basic understanding of cPanel or the admin panel your host uses.

    wp-db-backup is installed on every site I own. It is a fantastic plugin.

    I only found this security hole by accident and confirmed it with a google search. I'm happy it's helped secure the plugin.

  11. iamthechosenone
    Member
    Posted 5 years ago #

    Actually, if you want to start pointing blame, take a look at the WordPress upload folder. You may have the link to the file only available to registered users, but if you do not have the correct settings, you will find that anyone can access all your uploaded files.
    See this search.

    whooami - Let me know if you want me to do a guest blogger article for your site on wordpress security.

  12. iamthechosenone
    Member
    Posted 5 years ago #

    You wouldn't get a "professional" making a mistake like this, or would you? Even MIT.edu has backups in public view! http://mit.edu/~y_z/OldFiles/

  13. nemesis
    Member
    Posted 5 years ago #

    Hi,

    If this is a problem, what do you recommend that non-professionals/coders (like me) use or do to protect themselves?

    Thanks,
    Bob

  14. aguitta
    Member
    Posted 5 years ago #

    I think the plugin is great and I'm thankful to its developers.

    Does the new version:
    a. Avoid the security problems above? (Apparently it does.)
    b. What are the key security areas to be checked when installing this plugin? (Is it as easy as installing the newest version of the plugin?)
    c. (Some users might become more aware and proactive about making sure their WP installation is safe after reading the above comments, regardless of how they landed here.) Where can we go to know what to do, and feel better about our WordPress data? (Is it as easy as upgrading to the newest WordPress?) (Whether it be backups, uploads, etc.)
    Thank you,
    aguitta

  15. aguitta
    Member
    Posted 5 years ago #

    This is something I'm starting to read on the subject, http://wordpress.powersuccessdesign.com/wordpress-how-to/wordpress-security-tips-how-secure-is-your-wordpress-blog/comment-page-1
    I don't know how good it is, but some feed back from other users is welcome.
    Thank you,
    aguitta

  16. aguitta
    Member
    Posted 5 years ago #

  17. aguitta
    Member
    Posted 5 years ago #

    GAMERZ and FILOSOFO:

    What do you think of each other's plugins?

  18. kgrogan
    Member
    Posted 5 years ago #

    Right now, if the backup directory is not writable, the "Backup now!" button is not visible - even if you are not using the "Save to server" option.

    How about making the "Backup now!" button visible if either the "Download to your computer" or "Email backup" is set, and ignore the writable condition of the backup folder for these options. This way, people who don't want an all-everything directory on their server can still do a backup if they want it sent to their computer or by email.

  19. Lester Chan
    Member
    Posted 5 years ago #

    @aguitta: read the readme.html; you are supposed to move the .htaccess that is included in the plugin to the backup directory. Also, in the next version I will check whether the .htaccess is inside the directory; if not, it will display an error for the user.
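
As an added example (not code from WP-DB-Backup, WP-DBManager or any of the posters above), here is a POSIX shell script that ties together the fixes raised across this thread: the unguessable directory name that posts 6 and 9 say the plugin moved to, the deny-all .htaccess that posts 8 and 19 recommend dropping into the backup folder, and the index file and sane permissions that post 10 says would have prevented the listing in the first place. It assumes Apache with .htaccess overrides enabled for the site and a backup directory under wp-content; the function names, the file layout and the directory-name prefix are my own choices.

```shell
#!/bin/sh
# Added example, not the plugin's own code.
# Creates a backup directory with an unguessable name, denies HTTP access
# to it, and audits an existing directory for the mistakes discussed in
# the thread. Assumes Apache honours .htaccess (AllowOverride) for the
# site; function and file names are assumptions, not plugin conventions.
set -eu

# Write an .htaccess that denies every HTTP request (Apache 2.4 syntax,
# with the 2.2 form as fallback) and disables auto-indexing as a second
# layer. Drop an index.php too, so a server that ignores .htaccess still
# does not serve a directory listing.
write_deny_htaccess() {
    dir="$1"
    cat > "$dir/.htaccess" <<'EOF'
# Deny all HTTP access to the backup files in this directory.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
# Belt and braces: no directory listing even if the deny rule is relaxed.
Options -Indexes
EOF
    : > "$dir/index.php"
}

# Create PARENT/backup-<32 random hex chars>/ (e.g. under wp-content),
# harden it, and print the path. 0750: owner (make that the PHP/web user,
# or chgrp to its group) can write, nobody else can read. Never 0777.
create_backup_dir() {
    parent="$1"
    rand=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')
    dir="$parent/backup-$rand"
    mkdir "$dir"
    chmod 0750 "$dir"
    write_deny_htaccess "$dir"
    printf '%s\n' "$dir"
}

# Audit an existing backup directory: returns 0 when it is hardened,
# 1 otherwise, printing one line per finding.
audit_backup_dir() {
    dir="$1"
    rc=0
    if [ ! -f "$dir/.htaccess" ] || ! grep -Eq 'Require all denied|Deny from all' "$dir/.htaccess"; then
        printf 'FAIL: %s has no .htaccess denying HTTP access\n' "$dir"; rc=1
    fi
    if [ ! -f "$dir/index.php" ] && [ ! -f "$dir/index.html" ]; then
        printf 'FAIL: %s has no index file; a listing may be served\n' "$dir"; rc=1
    fi
    if [ -n "$(find "$dir" -maxdepth 0 -perm -o+w)" ]; then
        printf 'FAIL: %s is world-writable\n' "$dir"; rc=1
    fi
    case "$(basename "$dir")" in
        backup|backups|db-backup)
            printf 'WARN: %s has a guessable name (see the Google search in post 1)\n' "$dir"; rc=1 ;;
    esac
    return "$rc"
}
```

Two caveats a practitioner should check rather than assume. First, if the host sets AllowOverride None, the .htaccess is silently ignored (and `Options -Indexes` in an .htaccess needs AllowOverride Options, or Apache answers 500), so after installing it fetch a known backup filename with curl and confirm you get a 403, not the SQL dump. Second, the random name only hides the directory until its URL leaks, whether through a search engine crawl like the one in post 1 or a copied link; the deny rule is the control that holds, the name is only a second line. The email option from post 2 does not remove the risk either, it moves the full database, password hashes included, into a mailbox that then needs the same care.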

  20. Alkorr
    Member
    Posted 5 years ago #

    Hi Gamerz, is the new version that moves the .htaccess already online, or not yet?

    Great work by the way...

  21. FiberOptics
    Member
    Posted 5 years ago #

    I can't find the .htaccess file anywhere.

  22. 5starunited
    Member
    Posted 5 years ago #

  23. aguitta
    Member
    Posted 4 years ago #

    Gamerz, Thank you.

This topic has been closed to new replies.