[Plugin: WP-DB-Backup] huge security hole

  • Hello, I tried creating a backup that would be emailed, but the email failed.
    I created a backup to the server. But if the folder is writable then it is publicly available, right?

    I searched the net and found lots of peoples backups. Someone could use these to steal content including private posts and passwords.

    See this google search

Viewing 15 replies - 1 through 15 (of 22 total)
  • Although I received the error when trying to backup via email, I still got the email. I would suggest that users use the email option to regularly and safely back up their database.

    This bug should be fixed in version 2.2.1 of WP-DB-Backup.

    whooami

    (@whooami)

    Member

    I searched the net and found lots of peoples backups. Someone could use these to steal content including private posts and passwords.

    Nice. Great coding.

    a

    (@ibnuasad)

    whooami

    (@whooami)

    Member

    That just amazes me. I nearly blogged on that yesterday after I responded. Apparently the plugin no longer uses that directory, and that’s great, now — but the fact that it ever did use that sort of directory set up (non random) is just absolutely unbelievably shoddy coding. I'm not just jaw-droppingly irritated, I’m jaw-droppingly surprised at such an obvious oversight.

    I was going to install this, but I think I’ll stick to my existing backup system!

    Holy sweet jeezus.

    Grab my WP-DBManager .htaccess and place it in your backup folder and it should do the trick

    http://plugins.trac.wordpress.org/browser/wp-dbmanager/trunk/.htaccess

    That just amazes me. I nearly blogged on that yesterday after I responded. Apparently the plugin no longer uses that directory, and that’s great, now — but the fact that it ever did use that sort of directory set up (non random) is just absolutely unbelievably shoddy coding.

    That’s fine, but the plugin stopped using wp-content/backup/ (non-random directory) something like three years ago, before I took over development. It’s a much different plugin today, so please don’t use this as a reason to criticize it.

    iamthechosenone

    (@iamthechosenone)

    That’s fine, but the plugin stopped using wp-content/backup/ (non-random directory) something like three years ago, before I took over development. It’s a much different plugin today, so please don’t use this as a reason to criticize it.

    I don’t think it’s shoddy coding. It is a prime example of users not fully knowing enough about their server to protect their files. Had users stopped people from viewing folders without index files, there would have been no problem. They could have even changed the permissions of the backups folder.

    Personally I have one e-mail account that I only use to store database backups. As an extra precaution, I also have my server run complete nightly backups. None of this requires in depth understanding of servers, just a basic understanding of cPanel or the admin panel your host uses.

    wp-db-backup is installed on every site I own. It is a fantastic plugin.

    I only found this security hole by accident and confirmed it with a google search. I’m happy it’s helped secure the plugin.
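    The two mitigations raised in this thread (the .htaccess dropped into the backup folder, and the unguessable directory name plus index file and tightened permissions mentioned above) can be checked locally. The following is an added example written for this page, not the plugin's code and not the WP-DBManager .htaccess linked earlier: the deny-all rules, the hypothetical `create_backup_dir`/`audit_backup_dir` helpers and the sample layout are all assumptions. It assumes Apache on a POSIX filesystem.

```python
from __future__ import annotations

import secrets
import stat
import tempfile
from pathlib import Path

# Example deny-all rules (assumption: Apache with mod_authz_core on 2.4, or
# the 2.2 Order/Deny syntax). This is NOT the WP-DBManager .htaccess file.
HTACCESS = """# Refuse every direct HTTP request for files in this directory
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
# Never produce a directory listing even if the rules above are ignored
Options -Indexes
"""

# An index file stops directory listing on servers that ignore .htaccess
INDEX_HTML = "<!-- silence is golden -->\n"

PREDICTABLE_NAMES = {"backup", "backups", "db-backup", "wp-db-backup"}


def create_backup_dir(wp_content: Path) -> Path:
    """Create a backup directory with a random name, deny rules, index file and 0700 mode."""
    # 16 hex chars of CSPRNG output: not enumerable by a Google search or a wordlist
    d = wp_content / ("backup-" + secrets.token_hex(8))
    d.mkdir()
    d.chmod(0o700)  # explicit, so the result does not depend on the process umask
    (d / ".htaccess").write_text(HTACCESS)
    (d / "index.html").write_text(INDEX_HTML)
    return d


def audit_backup_dir(d: Path) -> list[str]:
    """Return a list of exposure findings for an existing backup directory (empty list = OK)."""
    findings: list[str] = []
    if d.name in PREDICTABLE_NAMES:
        findings.append(f"predictable directory name {d.name!r}")
    if not (d / ".htaccess").exists():
        findings.append("no .htaccess denying HTTP access")
    if not any((d / idx).exists() for idx in ("index.html", "index.php")):
        findings.append("no index file; directory listing may be enabled")
    mode = stat.S_IMODE(d.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"directory mode {oct(mode)} grants group/other access")
    for dump in sorted(d.glob("*.sql*")):  # .sql, .sql.gz, .sql.zip
        if stat.S_IMODE(dump.stat().st_mode) & stat.S_IROTH:
            findings.append(f"{dump.name} is world-readable")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Audit a constructed old-style wp-content/backup/ layout and a hardened one."""
    with tempfile.TemporaryDirectory() as tmp:
        wp_content = Path(tmp)
        # Constructed sample: the old fixed directory, a dump, nothing else
        old = wp_content / "backup"
        old.mkdir()
        old.chmod(0o755)
        (old / "site.sql.gz").write_bytes(b"")
        (old / "site.sql.gz").chmod(0o644)
        # Hardened layout built by create_backup_dir, with a dump that is owner-only
        new = create_backup_dir(wp_content)
        (new / "site.sql.gz").write_bytes(b"")
        (new / "site.sql.gz").chmod(0o600)
        return audit_backup_dir(old), audit_backup_dir(new)


if __name__ == "__main__":
    old_findings, new_findings = demo()
    print("old layout:", old_findings)
    print("hardened layout:", new_findings)
```

    The audit only reads what is on disk; it does not prove the web server honours .htaccess (nginx ignores it entirely), so after applying the rules, request a known dump URL through the web server and confirm a 403.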

    iamthechosenone

    (@iamthechosenone)

    Actually, if you want to start pointing blame, take a look at the WordPress upload folder. You may have the link to the file only available for registered users, but if you do not have the correct settings, you will find that anyone can access all your uploaded files.
    See this search.

    whooami – Let me know if you want me to do a guest blogger article for your site on wordpress security.

    iamthechosenone

    (@iamthechosenone)

    You wouldn't get a “Professional” making a mistake like this, or would you? Even MIT.edu have backups in public view! http://mit.edu/~y_z/OldFiles/

    nemesis

    (@nemesis)

    Hi,

    If this is a problem, what do you recommend that non-professionals/coders (like me) use or do to protect themselves?

    Thanks,
    Bob

    aguitta

    (@aguitta)

    I think the plugin is great and I’m thankful to its developers.

    Does the new version:
    a. Avoid the security problems above? (Apparently it does.)
    b. What are key security areas to be checked when installing this plugin? (Is it as easy as installing the newest version of the plugin?)
    c. (Some users might become more aware and proactive about making sure their WP installation is safe after reading the above comments, regardless of how they landed here.) Where can we go to know what to do, and feel better about our WordPress data? (Is it as easy as upgrading to the newest WordPress?) (Whether it be backups, uploads, etc.)
    Thank you,
    aguitta

    aguitta

    (@aguitta)

    This is something I’m starting to read on the subject, http://wordpress.powersuccessdesign.com/wordpress-how-to/wordpress-security-tips-how-secure-is-your-wordpress-blog/comment-page-1
    I don’t know how good it is, but some feed back from other users is welcome.
    Thank you,
    aguitta
