backup can be downloaded from any browser

satchid

Joined
Sep 13, 2007
Messages
57
Likes
0
Points
0
#1
Dear Sir,

When you make a backup from an elastix then there is a file created with all the configurations and extensions, including the extension passwords. Just executing an elastix public IP & /backup/ behind it in a browser will let anybody download this file(s) without any protection. I tested this on an elastix that is running as a test server.

I executed the link like this: with https:// in front
"https://xxx.xxx.xxx.xxx/backup/"


If you are a moderator, then I can give you my server address to test this.

I asked a friend to test this on my server and she could download both of my backup files without any password.

I wonder if this could also be protected behind the admin password.
Thanks,

W Gooris
 

netsfk

Joined
Jan 16, 2009
Messages
197
Likes
0
Points
0
#2
You can create user accounts without many privileges
 

Patrick_elx

Joined
Dec 14, 2008
Messages
1,120
Likes
0
Points
0
#3
On my system I can't directly list the backup folder, whether I'm logged in or not. I can only access the file list through the interface. However, if you know the backup files' names, you can access them.
 

satchid

Joined
Sep 13, 2007
Messages
57
Likes
0
Points
0
#4
Hi,

Thanks for the replies.

This is how I did it:

I installed the latest elastix 1.5.2

Then I installed/upgraded backup
Backup & Restore tool 2.5.1.6 Enabled

Then I made 2 backups.

Then I set the elastix to my fixed IP address

Then I opened the browser

I got in as follows:

https: //123.234.456.789/backup/ (remove the spaces)
Attachment in following mail

Thanks,
 

satchid

Joined
Sep 13, 2007
Messages
57
Likes
0
Points
0
#5
Here is the attachment
 

jaschenck

Joined
Apr 19, 2009
Messages
50
Likes
0
Points
0
#6
You are correct, you can access the files that way.
First, I would not expose the web interface to the outside world.
If for some reason I had to, I would use htaccess to limit who can get to it.

Jim
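
Added example, not part of the original thread and not Elastix's own configuration: an Apache 2.2-style sketch of the restriction suggested in post #6, next to the listing-only setting that matches what post #3 observed (no directory index, but files still served by name). The directory path, password file path and address range are placeholders.

```apache
# Added example. All paths and the address range below are placeholders,
# not values taken from the thread or from an Elastix install.
# Syntax is Apache 2.2 (mod_authz_host + mod_auth_basic).

# Insufficient on its own: this only hides the directory index.
# Anyone who knows or guesses a backup file name can still download it.
#
# <Directory "/path/to/webroot/backup">
#     Options -Indexes
# </Directory>

# Restricted: requests must come from the admin network AND present
# valid credentials before any file under the backup directory is served.
<Directory "/path/to/webroot/backup">
    Options -Indexes

    # Host-based restriction: deny everyone, then allow the admin range.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    # HTTP Basic authentication against a password file kept
    # outside the web root (created with the htpasswd utility).
    AuthType Basic
    AuthName "Backup files"
    AuthUserFile "/path/to/htpasswd-file"
    Require valid-user

    # Both the host check and the login must pass (this is the default;
    # "Satisfy Any" would accept either one).
    Satisfy All
</Directory>

# To use a .htaccess file instead, drop the <Directory> wrapper, place the
# directives in the backup directory, and make sure the server config has
# "AllowOverride AuthConfig Limit Options" for that directory.
#
# Apache 2.4 equivalent of the access rules:
#   <RequireAll>
#       Require ip 192.0.2.0/24
#       Require valid-user
#   </RequireAll>
```

Basic authentication sends the password with every request, so this belongs on the https:// virtual host only.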
 

rafael

Joined
May 14, 2007
Messages
1,454
Likes
1
Points
0
#7
The developer team is aware of this and is working to correct this issue.

regards,

rafael
 
