Board v 3.2.7 no more backup download available

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
hurghanico
Registered User
Posts: 123
Joined: Mon May 07, 2018 10:59 am

Post by hurghanico »

Hello,
I understand the security reasons behind some choices of the developers, but IMO it is a real pity that the possibility of downloading the backup from the acp maintenance panel has been removed.

I found that function very useful and fast to use, and thanks to it in the past I resurrected my board more than once using the last backup previously saved on my PC to load it directly into the database when even the acp was no longer usable.

I hope that it will be implemented again in future releases of the board, perhaps with more security measures, such as an additional password dedicated exclusively to that function.

What's your opinion about it?
</Solidjeuh>
Registered User
Posts: 1788
Joined: Tue Mar 29, 2016 3:45 am
Location: Aalst (Belgium)
Name: Andy Dm

Post by </Solidjeuh> »

You can download that backup from the /store folder via FTP
invenio
Registered User
Posts: 341
Joined: Wed Dec 09, 2015 1:45 pm
Location: New Hampshire, USA

Post by invenio »

I am also not exactly sure about what security risk this poses as if they get access to the admin account, they can pretty much read/change/delete anything on the board anyway. But I'm not an IT expert so maybe there is some security flaw that I am not aware of with downloading the DB.

I was using the direct download for my backups. I can save it manually and download with FTP so it's not a major issue, just an extra step I didn't have to take before.

Post by </Solidjeuh> »

That function is removed so that a hacker that accessed your founder account cannot download your whole database.

Post by hurghanico »

</Solidjeuh> wrote: Mon May 06, 2019 3:41 pm
"You can download that backup from the /store folder via FTP"

Great!.. Thanks!

Post by invenio »

Ok, this is probably a dumb question (forgive my ignorance), but what is in the database that the founder account would not have access to anyway?

Post by </Solidjeuh> »

The database contains the whole data from your forum: members, email addresses, posts, settings etc... Someone who hacks your account can duplicate/steal your whole forum with that database, and have access to your members' personal data.

Post by invenio »

Yes, I was aware of that. But as a founder account, I can access members' email addresses, posts, and settings (through the board and ACP) without having to download the database. Is it that downloading the database would just make it less laborious to collect all this data via the phpBB web interface?
stevemaury
Support Team Member
Posts: 52768
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Post by stevemaury »

There is a lot of data in the database not accessible from the ACP. PMs, for example. It would be difficult to impossible to reconstruct the database via the ACP alone.
I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)
EA117
Registered User
Posts: 2158
Joined: Wed Aug 15, 2018 3:23 am

Post by EA117 »

Agreed. And even though their goal is probably not literally "database reconstruction" but just generally "obtain the information", to get "everything" you'd have to be prepared to scrape a bunch of different pages in ACP per user to collect that info, and hope that your compromised account and online access utilization of the live board will go undetected until you're finished scraping thousands of users and posts.

Database download gives you all of that in seconds, without necessary preparation, and in one shot; 100% of data compromised, in little to no time.

And as Steve said, there are important things they wouldn't be able to collect using the ACP, either. For example, if they wanted to collect and test against the password hashes of the user accounts; you can't "see" or "get" that through ACP, but it's in the database. And as mentioned, there isn't a path in standard phpBB ACP to read a user's private message inbox or outbox.

Overall, even though I agree that "it seems weird that there isn't a secure way to do that", it also seems like a good compromise to have implemented a change that requires "the intruder will need to have compromised your actual hosting account, too" in order to easily get "everything." Versus "having compromised phpBB alone is enough" to have enabled such a quick and complete "hit & run" data exposure.
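
The post above argues that collecting member data page by page through the ACP is slow and leaves a trail. As an added example (not part of the thread and not phpBB code), this sketch flags that trail in a web server access log: one client opening many distinct member records in the ACP within a short window. The combined log format, the `/adm/index.php` path, the `u=` parameter and the thresholds are assumptions to adjust to your own board.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined-log-format prefix: client IP, timestamp, request target.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')

def acp_user_lookups(lines, acp_path="/adm/index.php"):
    """Yield (ip, time, user_id) for ACP requests carrying a numeric u= id.
    The path and the u parameter are assumptions about the board's URLs."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, target = m.groups()
        url = urlsplit(target)
        uid = parse_qs(url.query).get("u", [""])[0]
        if url.path == acp_path and uid.isdigit():
            yield ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), int(uid)

def flag_bulk_enumeration(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak} for clients that opened at least `threshold` distinct
    member records in the ACP within any sliding `window`."""
    per_ip = defaultdict(list)
    for ip, when, uid in acp_user_lookups(lines):
        per_ip[ip].append((when, uid))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = peak = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in events[start:end + 1]}))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log: documentation IP ranges, made-up session ids.
SAMPLE = [
    f'203.0.113.7 - - [06/May/2019:15:40:{s:02d} +0000] '
    f'"GET /adm/index.php?i=acp_users&mode=overview&u={50 + s}&sid=x HTTP/1.1" 200 5120'
    for s in range(0, 40, 5)
] + [
    f'198.51.100.9 - - [06/May/2019:{hhmm}:00 +0000] '
    f'"GET /adm/index.php?i=acp_users&mode=overview&u={u}&sid=y HTTP/1.1" 200 5120'
    for hhmm, u in (("15:41", 2), ("16:30", 3))
]
print(flag_bulk_enumeration(SAMPLE))
```

A rule like this covers only the slow path the post describes; a backup file pulled from the hosting account over FTP never appears in the web server log and has to be watched for in the hosting provider's FTP or file-access logs.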