My WordPress Database Backup plugin appeared on Bugtraq today. The folks who found the directory traversal vulnerability didn't inform me about it. I don't know if they informed the WordPress security folks. A kind reader forwarded to me the announcement.
I don't have a fix at this time. Stay tuned here, or at the WordPress support forums.
UPDATE: Ryan Boren cooked up a fix for the directory traversal vulnerability. Download it here.
[...] Skippy.net mentions that there was a vulnerability found in his WordPress Database Backup plugin that comes with WordPress. [...]
[...] Note that you need to be logged in as administrator to carry out the attack (directory traversal). The solution is to update the plugin from here. Original source. [...]
I thought I'd drop a comment as I noticed your plugin on my WordPress admin today. It was kinda crazy to be just doing some random blog maintenance and say, "Hey, wait -- I actually know that guy!" Kudos!
This probably seems a really stupid question, but it's all very well backing up, which I didn't have too much trouble once I'd changed the permissions, but how do I / we go about restoring from the backup. There doesn't seem to be a reverse procedure included. Any help appreciated. Thanks.
Will: Restoring your database from backup on the Codex should tell you all you need to know.
I think Ryan has made a small error in his fix to your plugin.
He specifies a list of regular tables including link2cat, but this table is in the 2.1 fork of development. Under 2.0.x this table is still called linkcategories.
Users should make sure that they manually add this table to their backups.
I've set the permissions of both wp-content and wp-content/backup to 777, but I still get the pop-up message "the backup file could not be saved. Please check your permissions for writing to the backup directory".
Any ideas what might be causing this?
I have a similar problem to Simon's, but this was (I think) from the second version of the 1.7 release. I'll go back to the first version to check if that works.
It's too risky to set 777 on wp-content as well.
Regards!
Now works!
I went back to the first version of 1.7. Now I get all backups in my e-mail box.
Regards!
Does the current version of WP come with the more secure version of backup? (I downloaded WP on 11/25)
Yorokobi: the backup plugin is under new management, so the versions hosted here should be different as Filosofo adds new features and fixes bugs.
You can keep track of the new version here.
Hi Skippy, your version 1.7 works, but the security fix update has got some problem. It doesn't work because it says there is a problem with writing permission on the backup folder, but it is not true. In fact, if I replace it with your version, 1.7, it works again.
Spettinato: my version 1.7 still contains the directory traversal bug. I haven't updated any of the versions I host here, and I am unlikely to do so. The backup plugin is under new management, so you'll likely want to pursue support with Il Filosofo.
Thanks skippy.
Would it be possible to announce that this plugin is obsolete if version 1.8 is in the standard distribution now?
It's not really clear at the moment...