MyBB Community Forums

Full Version: [TUTORIAL] How to remove ability to make database backups via AdminCP
So this is my first post here on MyBB, but I have been using MyBB for a while now and along the way have picked up some security techniques. In this tutorial I'm going to show you how to remove the ability to back up your database via the AdminCP, and here's why. To be fair, there's no point in there being an option to back up your database via the AdminCP: for starters, it's just an easier way for a hacker etc. to get your database, and any site owner can back up their database through their phpMyAdmin. Anyway, on to the tutorial.

1). Locate the files backupdb.php and optimizedb.php in the directory YOURADMINCPDIR -> modules -> tools. Simply delete these two files.

2). In the same directory, locate the file module_meta.php. Open it up, go to line 28 and comment it out, then do the same to line 29, so the two lines now look like this:
//$sub_menu['60'] = array("id" => "backupdb", "title" => $lang->database_backups, "link" => "index.php?module=tools-backupdb");
//$sub_menu['70'] = array("id" => "optimizedb", "title" => $lang->optimize_database, "link" => "index.php?module=tools-optimizedb");

3). Now locate the file module_meta.php in the directory YOURADMINCPDIR -> modules -> home and open it up. Go to line 67 and comment out that line so it looks like this:
//$sub_menu['60'] = array("id" => "backupdb", "title" => $lang->database_backups, "link" => "index.php?module=tools-backupdb");

4). Now you're done. There will be no option to make database backups via your AdminCP; when users go to the URL to make a backup, they will be presented with a PHP and SQL error, which may surprise them.
Or you could turn backupdb.php into a redirect. But I guess one benefit to this is that you can easily revert it.
A redirect can also be created, but then I don't see how an Admin wants to revert it. Anyways, good tutorial though.
^ Some people don't have a grasp of phpmyadmin.
Tried redirect with no luck, admin still can download db backups.
(2013-05-30, 09:34 PM) hwpe Wrote: Tried redirect with no luck, admin still can download db backups.
Err... Easy way:

In /admin/modules/tools rename backupdb.php to oldbackupdb.php (So you can easily revert)
Chmod oldbackupdb.php to 000
Add a new file called backupdb.php
In the file add:
<?php
echo "Access denied";
?>
If someone clicks the backup function in the ACP, it will show a plain "Access denied" message.
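A hardened variant of the stub above that also serves the original tutorial's goal: instead of a bare "Access denied", it returns a real 403 and records who tried, so a compromised admin account hitting the old URL leaves a trace in the server log. This is an added example, not code from the thread or from MyBB; it assumes the file is included by admin/index.php, which defines IN_MYBB and $mybb, and that the MyBB helper get_ip() is available.

```php
<?php
// Added example (not from the thread or MyBB): replacement for
// admin/modules/tools/backupdb.php that blocks the request and logs the attempt.
// Assumptions: included by admin/index.php (IN_MYBB, $mybb defined); get_ip()
// is MyBB's own helper, with a plain REMOTE_ADDR fallback if it is missing.

// Same guard every MyBB admin module starts with: refuse direct requests.
if(!defined("IN_MYBB"))
{
	die("Direct initialization of this file is not allowed.");
}

// Collect audit context without trusting any of it blindly.
$uid = isset($mybb->user['uid']) ? (int)$mybb->user['uid'] : 0;
$username = isset($mybb->user['username']) ? $mybb->user['username'] : 'unknown';
// Strip anything that could forge extra log lines or fields.
$username = preg_replace('/[^A-Za-z0-9_.-]/', '_', $username);
if(function_exists('get_ip'))
{
	$ip = get_ip();
}
else
{
	$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

// Log to the web server's error log, which lives outside the forum database,
// so the record survives even if the attacker can edit the ACP admin log.
error_log(sprintf(
	"[mybb-hardening] blocked database backup attempt uid=%d user=%s ip=%s",
	$uid, $username, $ip
));

// A proper 403 lets log monitoring alert on the status code instead of parsing text.
header("HTTP/1.1 403 Forbidden");
echo "Access denied";
exit;
```

Pair it with the rename-and-chmod steps above so the original module cannot be requested under its old or new name.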
This is a nice tutorial, thanks for this! A very great feature to add if you have multiple admins.
The even easier way is to just use Admin Permissions which is built in.
(2013-09-08, 03:57 PM) dragonexpert Wrote: The even easier way is to just use Admin Permissions which is built in.
No one should ever have permission to do so. If you don't trust the person, they shouldn't even know the URL of the ACP. This is also so that if the owner, co-owner, whatever account(s) get compromised, the database is still safe. This feature on any forum software isn't realistic for a decent sysadmin.
The admin permissions would work for most purposes, but if someone hacks the founding administrator's account, they could still export the database by changing the admin permissions to allow administrators to export the databases. It's harder to work around the limitations if the ability to export the database is removed in the code.

That said, I think the better solution for the administrator who isn't familiar with phpmyadmin is to avoid using insecure plugins and to only bring on administrators that can be trusted, but different things work for different people.