justliam / wordpress-backup-to-dropbox

A plugin for WordPress that automatically uploads your blog's files and a SQL dump of its database to Dropbox, giving you peace of mind that your entire blog, including its precious posts, images and metadata, is regularly backed up.
http://wpb2d.com

Security issue #146

Closed freayd closed 11 years ago

freayd commented 11 years ago

The wp-content/backups folder is not well protected against web access.

The only protection is the blank index.php file, which prevents someone from listing the directory contents. But that doesn't prevent someone from accessing the files in this directory:

This issue can be easily resolved: add a .htaccess file in the wp-content/backups folder with the following content:

Order Deny,Allow
Deny from all

If you still want to give access to the index.php file (I'm not sure this is useful), you can add this code to the .htaccess file:

<Files "index.php">
    Order Allow,Deny
    Allow from all
</Files>

Please push this patch quickly as it fixes a major security issue.

freayd commented 11 years ago

I forgot one thing (a bit more difficult to implement): the .htaccess file should be moved when the setting "Store backup in a subfolder of the wpb2d app folder" is enabled or modified.

michaeldewildt commented 11 years ago

Gday mate,

I cannot just add a .htaccess file because many servers do not have Apache set up to read it. So, to fix this issue I have opted for the "security by obscurity" approach so all users benefit.

As of version 1.5 the plugin will add a sha1 secret to the end of the DB dumps and any zip archives, making them impossible to guess. In addition, the "silence is golden" index.php file makes it so the directory contents cannot be viewed.

The sha1 secret is stripped before the files are uploaded to Dropbox to make for a nicer UX.

Cheers, Mikey

freayd commented 11 years ago

Adding a random string to the SQL filenames is a good option, BUT:

  1. Do not use a SHA1 of something predictable like sha1(date()). The most secure random function is openssl_random_pseudo_bytes, but unfortunately it is not available in all configurations. A reasonably good alternative is to use uniqid(mt_rand(), true). I found that these functions are used in Symfony's SecureRandom.php script.
  2. A random string must also be added to the log filename, which reveals the SQL filenames and other potentially sensitive information.

michaeldewildt commented 11 years ago

  1. The secret is generated using this:

hash_hmac('sha1', DB_NAME, time())

So unless the attacker knows your database name and the exact second the secret was generated, they are shit out of luck. I suppose adding a random number in there too can't hurt.

  2. The file names are stripped of the secret before being logged, so this shouldn't be an issue. But I can add the same secret to the log file just in case.

freayd commented 11 years ago

  1. I think a completely random string is more secure than a hash. A hash is not that bad, but it can be guessed.
  2. If the log is not secured, one can read the database name and the time, so the hash isn't secure this way. A secret (hash or random) should be added to the log filename. IMHO a log should never be visible to anyone as it always contains critical information.

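Putting the thread's suggestions together, here is an added example (not wpb2d's own code) of a filename secret that prefers a CSPRNG and falls back to the uniqid(mt_rand(), true) form freayd mentions, shown beside the time-seeded HMAC discussed above, plus the .htaccess rules applied to both the dump and the log name; `weak_backup_secret`, `strong_backup_secret`, `secret_backup_paths`, `write_backup_htaccess` and the `$dir` argument are hypothetical names.

```php
<?php
// Added example, not the plugin's code. Compares the two secret schemes from
// the thread and applies the secret to every file an attacker could read.

// Form discussed in the thread: the only unknowns are DB_NAME and a one-second
// timestamp. Both can leak through a readable log file, so the input space
// an attacker has to search is tiny compared to a random secret.
function weak_backup_secret(string $dbName, int $time): string {
    return hash_hmac('sha1', $dbName, (string) $time);
}

// Hardened form: 20 bytes (160 bits) from a CSPRNG, hex-encoded so the result
// has the same shape as the sha1 hex digest the plugin already appends.
function strong_backup_secret(): string {
    if (function_exists('random_bytes')) {                 // PHP >= 7.0
        return bin2hex(random_bytes(20));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {  // PHP 5.3+ with OpenSSL
        $bytes = openssl_random_pseudo_bytes(20, $strong);
        if ($bytes !== false && $strong) {
            return bin2hex($bytes);
        }
    }
    // Last resort named in the thread; not a CSPRNG, but not time-derived either.
    return sha1(uniqid(mt_rand(), true));
}

// The same secret goes into the dump and the log name, so a readable log no
// longer reveals the dump's file name (freayd's second point).
function secret_backup_paths(string $dir, string $secret): array {
    return [
        'sql' => "$dir/wpb2d-backup-$secret.sql",
        'log' => "$dir/wpb2d-backup-log-$secret.txt",
    ];
}

// Writes the deny-all rules from the thread, keeping index.php reachable.
// Re-run this whenever the "subfolder" setting moves the backup directory.
function write_backup_htaccess(string $dir): bool {
    $rules = "Order Deny,Allow\nDeny from all\n"
           . "<Files \"index.php\">\n    Order Allow,Deny\n    Allow from all\n</Files>\n";
    return file_put_contents("$dir/.htaccess", $rules, LOCK_EX) !== false;
}

$secret = strong_backup_secret();
print_r(secret_backup_paths(__DIR__ . '/wp-content/backups', $secret));
```

The .htaccess only helps where Apache honours per-directory overrides, which is the limitation michaeldewildt raises, so the random filename secret is the part that protects every install.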
freayd commented 11 years ago

Thanks for the improvement in 1.6.1

michaeldewildt commented 11 years ago

No worries.

freayd commented 11 years ago

A last thought: the old wpb2d-backup-log.txt file should be erased. You could add an unlink call in the wpb2d_install function.