backup can be downloaded from any browser

Discussion in 'General' started by satchid, Apr 25, 2009.

  1. satchid

    Dear Sir,

    When you make a backup on an Elastix, a file is created with all the configurations and extensions, including the extension passwords. Just entering an Elastix public IP with /backup/ behind it in a browser lets anybody download this file (or files) without any protection. I tested this on an Elastix that is running as a test server.

    I executed the link like this, with https:// in front:
    "https://xxx.xxx.xxx.xxx/backup/"


    If you are a moderator, then I can give you my server address to test this.

    I asked a friend to test this on my server and she could download both of my backup files without any password.

    I wonder if this could also be protected behind the admin password.
    Thanks,

    W Gooris
     
  2. netsfk

    You can create user accounts without many privileges
     
  3. Patrick_elx

    On my system I can't list the backup folder directly, whether I'm logged in or not. I can only access the file list through the interface. However, if you know the backup files' names, you can access them.
     
  4. satchid

    Hi,

    Thanks for the replies.

    This is how I did it:

    I installed the latest Elastix 1.5.2.

    Then I installed/upgraded backup:
    Backup & Restore tool 2.5.1.6 Enabled

    Then I made 2 backups.

    Then I set the Elastix to my fixed IP address.

    Then I opened the browser.

    I got in as follows:

    https: //123.234.456.789/backup/ (remove the spaces)
    Attachment in the following post.

    Thanks,
     
  5. satchid

    Here is the attachment: [IMG]
     
  6. jaschenck

    You are correct, you can access the files that way.
    First, I would not expose the web interface to the outside world.
    If for some reason I had to, I would use htaccess to limit who can get to it.

    Jim
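
Added example, not part of the thread and not Elastix's own configuration: one way to apply the .htaccess restriction suggested in the post above to the directory served at /backup/. It assumes Apache 2.4 with overrides allowed for that directory; the network range and password-file path are placeholders.

```apache
# .htaccess placed in the directory that is served as /backup/.
# Assumption: the vhost permits overrides here
# (AllowOverride AuthConfig Options, or All).

# Weak on its own: this only hides the file listing. As noted in the
# thread, a backup is still downloadable by anyone who knows its name.
Options -Indexes

# Option A: no backup is served over HTTP at all; fetch the files over
# SSH/SFTP instead. Caveat (assumption): if the web interface offers
# downloads from this same URL, they are blocked as well.
Require all denied

# Option B (use instead of A): require BOTH an admin network and a login.
# 192.0.2.0/24 is a documentation range used as a placeholder, and the
# password file (created with htpasswd) must live outside the web root.
# AuthType Basic
# AuthName "Backups"
# AuthUserFile /path/to/htpasswd-file
# <RequireAll>
#     Require ip 192.0.2.0/24
#     Require valid-user
# </RequireAll>

# Apache 2.2 equivalent of Option A:
#   Order deny,allow
#   Deny from all
```

After reloading Apache, requesting a known backup file name without credentials should return 403 (Option A) or 401/403 (Option B), not the file.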
     
  7. rafael

    The developer team is aware of this and is working to correct this issue.

    regards,

    rafael
     
