Closed freayd closed 11 years ago
I forgot one thing (a bit more difficult to implement): the `.htaccess` file should be moved when the setting "Store backup in a subfolder of the wpb2d app folder" is enabled / modified.
Gday mate,
I cannot just add a .htaccess file because many servers do not have Apache set up to read it. So, to fix this issue I have opted for the "security by obscurity" approach so all users benefit.
As of version 1.5 the plugin will add a sha1 secret to the end of the DB dumps and any zip archives, making them impossible to guess. In addition, the "silence is golden" index.php file makes it so the directory contents cannot be viewed.
The sha1 secret is stripped before the files are uploaded to Dropbox to make for a nicer UX.
Cheers, Mikey
Adding a random string to the SQL filenames is a good option, BUT:

`sha1(date())`

The best secure random function is `openssl_random_pseudo_bytes`, but unfortunately it is not available in all configurations. A reasonably good alternative is to use `uniqid(mt_rand(), true)`. I found that these functions are used in the Symfony SecureRandom.php script.

`hash_hmac('sha1', DB_NAME, time())`

So unless the attacker knows your database name and the exact second the secret was generated they are shit out of luck. I suppose adding a random number in there too can't hurt.
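The three naming strategies discussed in this thread side by side, as an added example that is not the plugin's own code: a secret derived only from the date (the same for every backup made that day), the keyed `hash_hmac('sha1', DB_NAME, time())` variant, and a CSPRNG-backed secret that falls back to the two functions named above. The `DB_NAME` value, the `date('Ymd')` format and the `random_bytes()` call (PHP 7+, assumed available) are assumptions for this example; the append/strip helpers mirror the behaviour described for 1.5 (secret appended locally, removed before the Dropbox upload) but are not the plugin's functions.

```php
<?php
// Added example, not the wpb2d plugin's own code.

// Constructed sample value; in WordPress this constant comes from wp-config.php.
if (!defined('DB_NAME')) {
    define('DB_NAME', 'example_wp_db');
}

// 1. Date-only secret: identical for every backup written on the same day,
//    so it adds nothing that cannot be recomputed from the calendar.
//    (Format string is an assumption; the thread writes sha1(date()).)
function weak_secret() {
    return sha1(date('Ymd'));
}

// 2. Keyed by the database name and the generation second (the 1.6.1 approach):
//    recomputing it needs both DB_NAME and the exact timestamp.
function hmac_secret($timestamp) {
    return hash_hmac('sha1', DB_NAME, (string) $timestamp);
}

// 3. CSPRNG-backed secret: random_bytes() first, then openssl_random_pseudo_bytes(),
//    then uniqid(mt_rand(), true) as the last resort mentioned in the thread.
//    Always returns 40 hex characters so the strip helper below can find it.
function random_secret($bytes = 20) {
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($bytes));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $raw = openssl_random_pseudo_bytes($bytes, $strong);
        if ($raw !== false && $strong) {
            return bin2hex($raw);
        }
    }
    // Not cryptographically secure, but far better than a date-derived value.
    return sha1(uniqid(mt_rand(), true));
}

// Insert the secret before the extension:
//   wpb2d-backup.sql -> wpb2d-backup-<40 hex chars>.sql
function add_secret_to_filename($filename, $secret) {
    $dot = strrpos($filename, '.');
    if ($dot === false) {
        return $filename . '-' . $secret;
    }
    return substr($filename, 0, $dot) . '-' . $secret . substr($filename, $dot);
}

// Remove a 40-hex-character secret again before upload, for a nicer remote name.
function strip_secret_from_filename($filename) {
    return preg_replace('/-[0-9a-f]{40}(?=\.[^.]+$|$)/', '', $filename, 1);
}

// Usage: local name carries the secret, the uploaded name does not.
$secret = random_secret();
$local  = add_secret_to_filename('wpb2d-backup.sql', $secret);
printf("local file: %s\nupload as:  %s\n", $local, strip_secret_from_filename($local));

// The date-only secret is the same on every call that day; the HMAC and
// CSPRNG secrets are not.
var_dump(weak_secret() === weak_secret());                       // bool(true)
var_dump(hmac_secret(time()) === hmac_secret(time() + 1));       // bool(false)
var_dump(random_secret() === random_secret());                   // bool(false)
```

The strip step is what lets the local file name stay unguessable while the Dropbox copy keeps a readable name; if the directory is also listable or the secret leaks into a log, the file name alone no longer protects anything, which is why the blank index.php and the log-file cleanup discussed below still matter.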
Thanks for the improvement in 1.6.1
No worries.
A last thought: the old wpb2d-backup-log.txt file should be erased. You could add an `unlink` call in the `wpb2d_install` function.
The wp-content/backups folder is not well protected against web access.
The only protection is the blank index.php file, which prevents someone from listing the directory content. But that doesn't prevent someone from accessing the files in this directory:
This issue can be easily resolved: add a `.htaccess` file in the `wp-content/backups` folder with the following content:
If you still want to give access to the index.php file (I'm not sure this is useful), you can add this code to the `.htaccess` file:
Please push this patch quickly as it fixes a major security issue.