vb.org Archive
Page 2 of 3 1 2 3
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Are you able to download the database directly from AdminCP? (https://vborg.vbsupport.ru/showthread.php?t=305502)

Max Taxable 12-06-2013 04:50 PM
Quote:
Originally Posted by Digital Jedi (Post 2466293)
I guess it was useful for downloading individual tables, in addition to the CSV backup. But I don't think I've ever heard of anyone's site being compromised through that specific feature. I mean, once you have admin access, there's better ways into the server.
If you have only adminCP access, not really. It doesn't necessarily follow that those credentials get you into the server too.

I definitely agree with blind-eddie and you this was a major security flaw in v3.

Zachery 12-06-2013 05:40 PM
Quote:
Originally Posted by Max Taxable (Post 2466298)
If you have only adminCP access, not really. It doesn't necessarily follow that those credentials get you into the server too.

I definitely agree with blind-eddie and you this was a major security flaw in v3.
It would be pretty trivial to re-add the functionality via a creative plugin, or template, or a bit of both. So it all depends on how skilled an admin is and if you're giving them access to stuff like plugins/templates and trust them.

We removed the backup functionality because it was not dependable to create quality backups. Instead of spending additional time improving it, it was removed. We'd recommend that customer use better tools like the raw MySQLdump command line too, or software designed to do backups like mysqldumper.

Max Taxable 12-06-2013 05:47 PM
I'm not a fan of it so i am definitely not calling for it in v4 or v5.

tbworld 12-06-2013 05:47 PM
Thanks @Zachery, for the explanation. ;)

Digital Jedi 12-06-2013 05:54 PM
Quote:
Originally Posted by Max Taxable (Post 2466298)
If you have only adminCP access, not really. It doesn't necessarily follow that those credentials get you into the server too.

I definitely agree with blind-eddie and you this was a major security flaw in v3.
No more or less secure than the ability to run queries from the Admin CP. Come to think of it, that's of those other ways in.

Max Taxable 12-06-2013 05:55 PM
Quote:
Originally Posted by Digital Jedi (Post 2466319)
No more or less secure than the ability to run queries from the Admin CP. Come to think of it, that's of those other ways in.
Right but, being able to download the tables is unique to v3 and earlier. Plus, the ability to run queries must be permissioned in config file.

Digital Jedi 12-06-2013 06:00 PM
Quote:
Originally Posted by Max Taxable (Post 2466320)
Right but, being able to download the tables is unique to v3 and earlier. Plus, the ability to run queries must be permissioned in config file.
It doesn't seem to be something that was ever used, at least not proficiently. And it was in vB 3 as far back as I can remember. I'm not entirely sure it isn't tied to a script permission, but I'd have to check. It just seems like it was so unreliable not even hackers bothered with it.

Max Taxable 12-06-2013 06:02 PM
Quote:
Originally Posted by Digital Jedi (Post 2466329)
It doesn't seem to be something that was ever used, at least not proficiently. And it was in vB 3 as far back as I can remember. I'm not entirely sure it isn't tied to a script permission, but I'd have to check. It just seems like it was so unreliable not even hackers bothered with it.
Or they might not have known about it. It IS a obscure function.

Zachery 12-06-2013 06:52 PM
Quote:
Originally Posted by Digital Jedi (Post 2466329)
It doesn't seem to be something that was ever used, at least not proficiently. And it was in vB 3 as far back as I can remember. I'm not entirely sure it isn't tied to a script permission, but I'd have to check. It just seems like it was so unreliable not even hackers bothered with it.
It was used pretty often by some customers, I remember getting complaints about it early on in vB4's life cycle. But honestly, people who used the tool rarely got full backups, which caused more problems.

We removed it for the sake of causing less problems in the long run, IIRC.

ozzy47 12-06-2013 08:18 PM
TBH, on smaller boards, I still use this, https://vborg.vbsupport.ru/showthread.php?t=192488

I had to tweak it a bit to get it to work on vB4 but it does it's job.


All times are GMT. The time now is 08:23 PM.
Page 2 of 3 1 2 3
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01297 seconds
  • Memory Usage 1,746KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (7)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete