Bugtraq: WordPress Database Backup

My WordPress Database Backup plugin appeared on Bugtraq today. The folks who found the directory traversal vulnerability didn't inform me about it. I don't know if they informed the WordPress security folks. A kind reader forwarded the announcement to me.

I don't have a fix at this time. Stay tuned here, or at the WordPress support forums.

UPDATE: Ryan Boren cooked up a fix for the directory traversal vulnerability. Download it here.


  • August 15th, 2006
  • August 16th, 2006
  • Janet
    I thought I'd drop a comment as I noticed your plugin on my WordPress admin today. It was kinda crazy to be just doing some random blog maintenance and say, "Hey, wait -- I actually know that guy!" Kudos!
  • Will
    This probably seems a really stupid question, but it's all very well backing up, which I didn't have too much trouble with once I'd changed the permissions, but how do I / we go about restoring from the backup? There doesn't seem to be a reverse procedure included. Any help appreciated. Thanks.
  • skippy
    Will: Restoring your database from backup on the Codex should tell you all you need to know.
  • Matt
    I think Ryan has made a small error in his fix to your plugin. He specifies a list of regular tables including link2cat, but this table is in the 2.1 fork of development. Under 2.0.x this table is still called linkcategories. Users should make sure that they manually add this table to their backups.
  • Simon
    I've set the permissions of both wp-content and wp-content/backup to 777, but I still get the pop message "the backup file could not be saved. Please check your permissions for writing to the backup directory". Any ideas what might be causing this?
  • gutielua
    I have a similar problem to Simon's, but this was (I think) from the second version of the 1.7 release. I come back to the first version to check if this works. It's too risky to set 777 on wp-content also. Regards!
  • gutielua
    Now it works! I went back to the first version of 1.7. Now I got all backups in my e-mail box. Regards!
  • Yorokobi
    Does the current version of WP come with the more secure version of backup? (I downloaded WP on 11/25)
  • skippy
    Yorokobi: the backup plugin is under new management, so the versions hosted here should be different as Filosofo adds new features and fixes bugs. You can keep track of the new version here.
  • Spettinato
    Hi Skippy, your version 1.7 works, but the security fix update has got some problem. It doesn't work because it says there is a writing permission problem on the backup folder, but that is not true. In fact, if I replace it with your version, 1.7, it works again.
  • skippy
    Spettinato: my version 1.7 still contains the directory traversal bug. I haven't updated any of the versions I host here, and I am unlikely to do so. The backup plugin is under new management, so you'll likely want to pursue support with Il Filosofo.
  • Spettinato
    Thanks, skippy.
  • Olivier Berger
    Would it be possible to announce that this plugin is obsolete if version 1.8 is in the standard distribution now? It's not really clear atm...
