MyBB Community Forums

Database... help?
Hi there,

Now firstly I would like to state this is just a hypothetical
scene.

Let's for a moment, say I had a daughter. Let's also, for a moment
say I had a FTP program open, and I left my chair for a moment
to go get a drink and something to eat. Now let's also say when I came
back, everything in my FTP was deleted and I was locked out of my
FTP/Cpanel/Forum accounts.

Now, based on this, let's for a moment say that an SQL database backup
still existed, but I don't know the name of the backup.

Could I still access this database download if I could determine the name?
------

So basically, let's say my forums were royally screwed, I was locked out of
all my accounts, and the only way to restore it was to gain access to the
database download, set up a new server, and just upload the most
recent download of my DB.

------

I went through the code here:

@set_time_limit(0);

if($mybb->input['method'] == 'disk')
{
    $file = MYBB_ADMIN_DIR.'backups/backup_'.substr(md5($mybb->user['uid'].TIME_NOW), 0, 10).random_str(54);

    if($mybb->input['filetype'] == 'gzip')
    {
        if(!function_exists('gzopen')) // check zlib-ness
        {
            flash_message($lang->error_no_zlib, 'error');
            admin_redirect("index.php?module=tools/backupdb&action=backup");
        }

        $fp = gzopen($file.'.sql.gz', 'w9');
    }
    else
    {
        $fp = fopen($file.'.sql', 'w');
    }
}
else
{
    $file = 'backup_'.substr(md5($mybb->user['uid'].TIME_NOW), 0, 10).random_str(54);
    if($mybb->input['filetype'] == 'gzip')
    {
        if(!function_exists('gzopen')) // check zlib-ness
        {
            flash_message($lang->error_no_zlib, 'error');
            admin_redirect("index.php?module=tools/backupdb&action=backup");
        }

And I notice this line here:

$file = 'backup_'.substr(md5($mybb->user['uid'].TIME_NOW), 0, 10).random_str(54);

And I was wondering. ..."wtf....".

So I had a few questions.

1) Why are you MD5'ing the user ID with the current time of backup,
and then adding 10 numbers to the random string of 54 numbers. (Unless
that's wrong).

2) Is there a way to determine the name of a database backup I have
if I knew only 2 or 3 of the variables? (I know the date and time it was made,
the user id, and where it's located.)

3) I know where the backups are; they are here: ./backups/backup_**.sql.gz.

4) I also know that the SQL backup has the extension ".sql.gz"; I also know
that I can download it if I knew the path name. (I tested this months ago.)

So, like my question states: is there a way to determine the backup name,
so I could download it, then go to a new server, upload the DB, input
my domain name, and then report the other one?
----

Finally, what does this code here do? (I can't figure it out.)

        $fp = gzopen($file.'.sql.gz', 'w9');
    }
    else
    {
        $fp = fopen($file.'.sql', 'w');
    }

-Viral.
The file name is random because there is no protection whatsoever otherwise. This means anyone could download the file if they only knew the name. The filename being random is the only thing that keeps anyone from doing just that. It's no problem for the server owner because he can see the file directly in the filesystem.

Talk to your host. Maybe they have backups. They are also the ones who can tell you what (if anything) is still there. If you don't have any backups yourself, that's your only chance.

Also, before you blame your daughter, blame yourself. You should always have backups locally, not just on your server. What do you do if the server's hard disk dies? This is something that can happen any time, without warning. Without backups, there is any number of things that can make you lose your data, ranging from harddisk failure over software bugs to human error or mischief.
Frost,

Lol. Like I said, it's just a hypothetical scene. I don't have a daughter (yet),
and I run a backup and download it to my external once a week.

I was just wondering if there was a way to determine the file name, and the
reason I ask is that there are a lot of people who don't like me. And well, some of
them CLAIM to be hackers (no... they're not). And I'm just making absolutely sure
my websites are all safe by pentesting them myself (not that I don't have faith in MyBB).

So I was just thinking up every possible vulnerability.

So, if there is a way to determine the file name, that would help me out a lot.
What I've done to avoid this thus far is change the "backup_" to something
different (sorry to say I won't say what it is publicly).

And I changed the directory "backups" to something else as well. (Although I had to
edit the source code a bit.)

And the last bit of a code snippet I posted, if someone could answer...

-Viral.
If everything in your FTP was deleted, the backups would be deleted too, and unless your host has made backups independently, there would be no way to restore them and thus no point in knowing their names. Do not rely on files on your server. Download them, store them at home, lock the disks away if you have saboteurs (family) at home. Changing the directory backups and file name is stupid, it will cause you trouble with every update. MyBB already supports renaming the admin directory itself, that should be sufficient.

The code snippet you posted opens a file for writing. It tries a compressed file first, and falls back to an uncompressed file if that wasn't possible. Later, the filehandle opened there will be written to, which is how the contents produced by the script end up in the file on disk.
Also (since I've seen your other thread just now), you do realize that if you go "poking around MyBB's file and editing this and that", while you obviously don't have a clue what you're doing, there's a high chance that you're making it LESS secure? You do realize that, right? Right?
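Added example (not MyBB's code, and not code from anyone in this thread): a stand-alone PHP script that re-creates the shape of the name built in the snippet quoted above and measures how much of it someone who knows the user id and the backup time can derive, versus how much stays random, which is the point Frost makes about the random name being the only protection. It also opens the output the way the snippet does: gzopen() with mode 'w9' (write, zlib compression level 9) when gzip was requested, and a plain fopen('w') otherwise. The alphabet used for the random part is an assumption (MyBB's own random_str() is not reproduced here), and the names random_str_example(), backup_name(), unknown_bits() and open_backup() are mine, as are the sample uid and timestamp.

```php
<?php
// Added example, not MyBB's own code. Re-creates the layout of
//   'backup_' . substr(md5(uid . TIME_NOW), 0, 10) . random_str(54)
// and shows which part is derivable from known values and which is not.

const BACKUP_PREFIX  = 'backup_';
const PREFIX_HEX_LEN = 10;   // substr(md5(uid . TIME_NOW), 0, 10)
const RANDOM_LEN     = 54;   // random_str(54)
// Assumed alphabet for the random part: 62 ASCII letters and digits.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Stand-in for MyBB's random_str(): $length characters drawn with a
// CSPRNG (random_int) from ALPHABET.
function random_str_example(int $length): string
{
    $alphabet = ALPHABET;
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Builds the name the same way the snippet does. The md5 prefix is fully
// determined by the user id and the backup time; the tail is not.
function backup_name(int $uid, int $time): array
{
    $prefix = substr(md5($uid . $time), 0, PREFIX_HEX_LEN);
    $tail   = random_str_example(RANDOM_LEN);
    return [
        'prefix' => $prefix,
        'tail'   => $tail,
        'name'   => BACKUP_PREFIX . $prefix . $tail,
    ];
}

// Bits that remain unknown to someone who already knows uid and time:
// log2(|ALPHABET| ^ RANDOM_LEN). The prefix adds nothing once uid and
// time are known, so guessing the name means guessing the whole tail.
function unknown_bits(): float
{
    return RANDOM_LEN * log(strlen(ALPHABET), 2);
}

// Opens the output like the snippet: gzip level 9 ('w9') when gzip was
// requested, otherwise a plain file opened for writing ('w').
function open_backup(string $file, string $filetype): array
{
    if ($filetype === 'gzip') {
        if (!function_exists('gzopen')) {
            throw new RuntimeException('zlib extension not available');
        }
        $path = $file . '.sql.gz';
        return ['path' => $path, 'fp' => gzopen($path, 'w9')];
    }
    $path = $file . '.sql';
    return ['path' => $path, 'fp' => fopen($path, 'w')];
}

// Demo with constructed sample values (uid 1, an arbitrary unix time).
$info = backup_name(1, 1270581840);
printf("prefix (derivable from uid + time): %s\n", $info['prefix']);
printf("random tail (not derivable):        %s\n", $info['tail']);
printf("bits still to guess: %.0f\n", unknown_bits());

// Write a constructed dump through the gzip path, then clean up.
$target = sys_get_temp_dir() . '/' . $info['name'];
$h = open_backup($target, 'gzip');
gzwrite($h['fp'], "-- constructed SQL dump\nSELECT 1;\n");
gzclose($h['fp']);
printf("wrote %s (%d bytes)\n", $h['path'], filesize($h['path']));
unlink($h['path']);
```

Run it with `php backup_name_example.php`. The number it prints for the unknown part is roughly 320 bits for a 62-character alphabet, which is why knowing the user id, the time and the directory does not get anyone closer to the file: the only thing that changes the picture is the file being readable by other means, so the real safeguard remains keeping copies off the server, as the replies above say.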

Riiight.
viral dragon Wrote (2010-04-06, 07:24 PM): Let's for a moment, say I had a daughter. Let's also, for a moment
say I had a FTP program open, and I left my chair for a moment
to go get a drink and something to eat. Now let's also say when I came
back, everything in my FTP was deleted and I was locked out of my
FTP/Cpanel/Forum accounts.

Why would you get locked out of the forum and cPanel if an FTP client was open? If all your files get deleted, reupload them and change your config details. You'll only lose data if the database itself is edited/deleted/overwritten.
viral dragon Wrote (2010-04-06, 07:24 PM): Now firstly I would like to state this is just a hypothetical
scene.

It's hypothetical... *tssk* Honestly, Matt. Also, it was way too much to read so I skipped parts, but that is what I was thinking: deleting a DB through FTP?
A hypothetical scene should still be realistic.
Not in my world it isn't.