I purchased a free site on Cloudaccess.net to take it for a test drive. Unfortunately I was unpleasantly surprised about their backup procedure.
Their CP creates a folder of X length with a random name in your httpdocs folder, accessible by the public web for anyone, and this is a link to their backup folder which is one step above (i.e. safe/secure... or at least it was). Now on the public web there is an access point to your backups.... I tested this by visiting a public facing URL and voila, I could download my entire database SQL file and compressed file system from my browser without any hassle.
Now the file system isn't as big of a deal, in most cases it's Joomla which is open source and available freely. However if there's additional stuff on the file system that's not good.
And the database...that's sacred and has all your intellectual property, user data, possibly customer data, and just about everything and that really worried me.
Their support staff assured me that any brute force attempt would be unlikely but that yes, it was publicly facing. I don't see how that can meet any standards for anyone or any compliance (PCI, ISO, whatever), but I guess it could be considered the same as brute forcing the control panel login w/ username/password and then accessing your data; but you'd expect more security measures on control panel access (i.e. brute force, logging, etc. measures), whereas the publicly facing web has nothing really.
Then I also realized that you can't give FTP access to anyone... the moment you do, you've now compromised your entire file system and database because anyone using FTP can see that directory in httpdocs and go to your backups and download them. The argument was presented about the Joomla config having DB information, but with a Linux user system it's possible to not have access to the config and not have access to directly download your DB and file system when giving out FTP access.... People work in teams or need freelancers etc., and giving FTP access doesn't mean you're giving carte blanche to your entire file system, data, and everything.... but that's what Cloudaccess support suggested, which makes me question their security and knowledge about this domain.
So in my opinion what I've listed above just isn't acceptable, secure, or what I'd expect from a company providing these services. I never would have even known about this unless I just randomly ftp'ed in for something and noticed the extra directory.
I've done a lot of sites, programming, system admin stuff, and I never would set up something like they have. And I've also done a lot of FTP servers, jailing, and proper segregation before, where multiple different clients access FTP servers but we don't give them access to our database or each other's stuff.... that just seems ludicrous.
Does anyone have any thoughts or comments on this?
via Joomla! http://ift.tt/1BughN6
Statistics: Posted by sitesrus — Thu Jan 29, 2015 3:34 pm
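An added audit check, not code from the post or from Cloudaccess, for the pattern the poster describes: it walks a document root (httpdocs) and reports any symlink whose target resolves outside the docroot, plus any database dump or site archive that is reachable through it. The directory names, the sample files and the list of backup suffixes are constructed assumptions for the demo.

```python
import os
import tempfile
from pathlib import Path

# Assumed suffixes that usually mean a database dump or whole-site archive.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar.gz", ".tgz", ".jpa")


def find_exposed_backups(docroot):
    """Return sorted findings for a web document root:
    ('symlink-escape', rel_path, target) for a symlink pointing outside the
    docroot, and ('backup-file', rel_path, target) for a dump or archive that
    the web server would serve, including files inside such an escaping link."""
    root = Path(docroot).resolve()
    findings = []

    def escapes(p):  # True when the link target is not inside the docroot
        t = p.resolve()
        return t != root and root not in t.parents

    for dirpath, dirnames, filenames in os.walk(root):  # links not followed
        here = Path(dirpath)
        for name in dirnames + filenames:
            p = here / name
            rel = str(p.relative_to(root))
            if p.is_symlink() and escapes(p):
                findings.append(("symlink-escape", rel, str(p.resolve())))
                if p.is_dir():  # the linked folder's contents are served too
                    for child in p.iterdir():
                        if child.name.lower().endswith(BACKUP_SUFFIXES):
                            findings.append(("backup-file", f"{rel}/{child.name}",
                                             str(child.resolve())))
            elif name.lower().endswith(BACKUP_SUFFIXES):
                findings.append(("backup-file", rel, str(p.resolve())))
    return sorted(findings)


def build_demo_layout():
    """Constructed sample mirroring the post: a backups folder one level above
    httpdocs and a random-named symlink inside httpdocs that points at it.
    Returns the httpdocs path, created inside a fresh temporary directory."""
    base = Path(tempfile.mkdtemp(prefix="backup-audit-"))
    backups = base / "backups"
    backups.mkdir()
    (backups / "site-db.sql").write_text("-- constructed dump\n")
    (backups / "site-files.tar.gz").write_bytes(b"\x1f\x8b")
    docroot = base / "httpdocs"
    docroot.mkdir()
    (docroot / "index.php").write_text("<?php // site\n")
    (docroot / "a8f3k2q9").symlink_to(backups)  # the public entry point
    return docroot
```

Running `find_exposed_backups(build_demo_layout())` flags the link and both backup files; removing the link leaves the docroot clean.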