May 17, 2012

Wishlist Backup Security Hole and Fix

Wishlist Member leaves a major security hole in its backup directory. Here’s how to plug it.


Depending on your hosting/server setup, anyone can view the contents of your backup directory and download your backup files. This is a huge security hole.

To fix:

Unzip and upload the following file to the backup directory at:
/wp-content/wishlist-backup

Download the htaccess file

Contents of .htaccess
<Limit GET POST>
deny from all
</Limit>
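One caveat a practitioner will want: Apache's own documentation recommends against placing access-control directives inside a <Limit> section, because only the listed methods are restricted (HEAD is treated as GET, but any other method is left alone). A deny rule that sits outside any <Limit> block covers every method. The script below is an added example, not the file linked from this post: it writes a hardened .htaccess that works on both Apache 2.2 (Deny from all) and Apache 2.4 (Require all denied), disables directory listing, and includes an audit helper that flags rules scoped to a <Limit> block. The path /wp-content/wishlist-backup is the one named in the post; the function names and the Options -Indexes line are my additions.

```python
import re
from pathlib import Path

# Hardened .htaccess body (added example). Both syntaxes are guarded with IfModule so
# the same file loads on Apache 2.2 (no mod_authz_core) and Apache 2.4. Neither deny
# rule is wrapped in <Limit>, so every HTTP method is refused, not only GET and POST.
# If your host's AllowOverride does not include Options, drop the "Options -Indexes"
# line; otherwise Apache answers 500 for the whole directory.
HARDENED_HTACCESS = """\
# Deny all web access to this directory: backup archives must never be served.
Options -Indexes
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
"""

# <Limit METHOD ...> ... </Limit> sections and the two deny-all spellings.
_LIMIT_RE = re.compile(r"<Limit\s+([^>]*)>(.*?)</Limit>", re.IGNORECASE | re.DOTALL)
_DENY_RE = re.compile(
    r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def audit_htaccess(text: str) -> dict:
    """Classify an .htaccess body by how completely it blocks access.

    denies_all        -- a deny-all rule exists outside every <Limit> block
    limited_methods   -- methods named by <Limit> blocks that carry a deny rule
                         (only these methods are actually refused)
    directory_listing -- no 'Options -Indexes', so listing depends on server config
    """
    limited = []
    for methods, body in _LIMIT_RE.findall(text):
        if _DENY_RE.search(body):
            limited.extend(m.upper() for m in methods.split())
    outside_limit = _LIMIT_RE.sub("", text)
    return {
        "denies_all": bool(_DENY_RE.search(outside_limit)),
        "limited_methods": limited,
        "directory_listing": not re.search(
            r"^\s*Options\b.*-Indexes", text, re.IGNORECASE | re.MULTILINE
        ),
    }


def harden_backup_dir(backup_dir: Path) -> Path:
    """Write the hardened .htaccess into backup_dir (created if missing)."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    target = backup_dir / ".htaccess"
    target.write_text(HARDENED_HTACCESS)
    return target


if __name__ == "__main__":
    import sys
    import tempfile

    # The three-line rule set from the post, reproduced as audit input.
    post_rules = "<Limit GET POST>\ndeny from all\n</Limit>\n"
    print("post's rules:", audit_htaccess(post_rules))
    print("hardened    :", audit_htaccess(HARDENED_HTACCESS))

    # Pass your WordPress root as argv[1]; without it a scratch directory is used.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(tempfile.mkdtemp())
    print("wrote", harden_backup_dir(root / "wp-content" / "wishlist-backup"))
```

After uploading, confirm the block from outside the server: a request for the directory and for a known backup file name should both return 403, and a request with a method other than GET or POST should not return the file either. If the host runs nginx or another server that ignores .htaccess, the equivalent deny must be placed in that server's configuration, or the backup directory moved outside the web root.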

Comments

  1. Suzanne says:

    The release notes on the WL site, dated Nov 17th when 2.5 was released, say:
    Build 786 (Development)

    [BUGFIX]

    • fixed potential security vulnerability in the WLM backup system. Old system left a hole where an attacker could potentially access one of your backup files and make a clone of your website. New system blocks this hole, so even if an attacker knows the exact web address of one of your backups, he/she won’t be able to access it.

    So I would interpret that as meaning the hole has been fixed prior to this video of yours on Dec. 15th. Are you saying that’s not the case?

    • David says:

      It may have been fixed for the next release; however, the current active release, version 2.50.782, did not prevent me from accessing the backup file. The support email I received back from Wishlist did not say it was fixed either; instead it said thank you and referred me to the tech support dept.
      Build 786 (Development) means it’s not for public use, so you need to fix it yourself until v786 is released.
