Support

Akeeba Backup for Joomla!

#23661 Joomla update kills FTP

Posted in ‘Akeeba Backup for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Backup version
n/a

Latest post by nicholas on Friday, 06 November 2015 12:49 CST

Thursday, 05 November 2015 13:44 CST

kkevents
Description of my issue:

I have replicated on multiple websites on the same server not being able to FTP to remote server.

I have upgraded to the latest backup 4.4.3 and it worked fine until I upgraded to Joomla 3.4.5. After the upgrade when I go to to the configuration page for the FTP details it loops back to the Home directory of the joomla server it self instead of going to the remote FTP server. I have tried this on a few sites with the same results. It seems something in Joomla 3.4.5 is causing an issue.

Thursday, 05 November 2015 14:28 CST

dlb
Just so I'm sure we are on the same page, you are talking about post processing the backup archive to a remote FTP server, right?

This may be a bad install of Akeeba Backup. Download the archive from our website and install it through the Joomla! installer twice, back to back, without doing anything else in between. Do not uninstall, that will cause you to lose all your settings and possibly your stored backup archives.

If that does not fix the problem, please post a log from a failed backup.


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

Thursday, 05 November 2015 18:37 CST

kkevents
I have already done that several times prior to submitting a ticket, and I also uninstalled and reinstalled twice. I have done this on three separate sites and they are all the same issue. After updating to Joomla 3.4.5 the issue begins.

This just isn't localized to post processing. The problem is when I put in my credentials to my remote FTP server and I test the connection I get a successful message. But when I go to select the proper directory for the backup I get the Joomla Server home directory on the server where Akeeba is and no my FTP server. Its like Joomla is redirecting the FTP back to it self.

The browse button is no longer there and in the directory selection I get:
/home/user/public_html/administrator/components/com_akeeba/backup

Not my FTP server directory.

I have reproduced this issue several times. I have been using Akeeba Backup for several years and have been using the same FTP server back setup also for several years since it became available.

Thursday, 05 November 2015 19:25 CST

kkevents
I was able to workaround the issue by making the FTP user go to just the specific specific folder so I only needed "/" instead of the normal path. It looks like you just can not browse the remote FTP server directory like I could before the update, only browse the local directories.

As a test I stayed on version 4.4.1 and upgraded Joomla to 3.4.5 had no issues, upgraded to 4.4.2 then had the issue, then upgraded to 4.4.3 and the issue remains.

Thursday, 05 November 2015 22:05 CST

dlb
I apologize, I had envisioned a different problem.

Yes, the browse button is gone in this version. It has always been unreliable, it worked on some servers but didn't work on others. It seemed safer to get rid of it rather than have something that was inconsistent.

You do need to manually enter the remote server path in the path field. You can find it by connecting to your remote site with your FTP client and copying the remote path.

It seems to be picking up the Output Folder on the current server as the default. You're right, I don't understand the logic there either. Nicholas is thinking something different than we are.


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

Friday, 06 November 2015 09:27 CST

kkevents
So this is intentional? It seems more of a bug and a security risk. It is showing the directory structure of the main server well above the user directories. Its showing the stuff like the bin, lib64, mnt, etc.

I can't imagine that would be of any use to anyone since it isn't actually accessible, but you can browse through all the folders of the main server by putting in "/". If it is intentional then I don't see the logic. Before it was much easier to browse through FTP server folders, as I had a main user for just backups and so I could backup the main site files and another folder for sql backups, and so on. I realize I can just type in the path, but i'm lazy. And just to explain further once you hit return after putting in the path in the FTP folder path it brings up the browse dialog.

Friday, 06 November 2015 10:48 CST

nicholas
Hello Jeremy,

The folder browser, used for the Output Directory, can browse every single folder that your host has made visible to your site's user on your server. Please remember that we are NOT your host and we can't be possibly be held liable for security issues that have to do with the server setup. I would also like to remind you that even if we basically blatantly lied to you and forbade you to browse to top level directories an actual hacker who uploads an exploit kit (like C99) can still access those folders. So yeah, there is that security issue, but it's coming from how your host has set up their server, not how our software works. Do note that it's only visible to Super Users, the same people who can install eXtplorer that also does the same – or, worse, install any kind of executable code including exploits which can do MUCH more malicious things than produce a directory listing. If you do not blindly trust someone do NOT give them Super User access!!!!!!!!!!!!

As for why show all the folders: please read the security chapter. It makes security sense to put the output directory outside the web root. Ideally, you should put it somewhere as far removed from the server as possible. On SHARED hosting this means a subdirectory of the site root's parent directory. Having ONLY that in mind you are semi-correct in saying that top level directories should not be visible. However this is NOT the case on dedicated servers. Typically the web root of the (one and only hosted) web site is /var/www/html, with the /var/www and /var folders being intentionally unreadable and unwriteable by the unprivileged user the web server runs under. This means that a good location for the backup folder would be an arbitrary top level directory such as /backups. And that's why you have to be allowed to enter top level directories on the browser popup.

As for why ENTER brings up the directory browser for the Output Directory: pressing ENTER anywhere in the form always triggers the first click handler on the form which happens to be the Directory Browser for the Output Directory. I have tried to work around it but it breaks other things. However, that's simply mildly annoying. I would recommend not pressing ENTER on web forms you do not intend to submit anyway.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 06 November 2015 11:38 CST

kkevents
Hi Nicholas,

All understood, I would expect that in the "Output Directory" to browse the local server. I'm not implying that you are creating a security issue directly, but it seems like you should not be able to browse above the public_html area from joomla. Just my opinion, I realize there are simple ways for even non-educated hackers to get anywhere on the server if it is not setup correctly.

So my question, is it intentional that the "Post-processing engine"-"upload to remote processing"- "initial directory" shows the "Output Directory" on the Joomla server and does not browse the FTP server directory any longer? It seemed like a bug. Or did I just miss the whole point of the browse button not being there any longer and you didn't want people to be able to browse the remote FTP server anylonger? Which is fine if that is the case, like I said i'm lazy and didn't want to have to double check the directory path on the FTP before putting it into Akeeba. I just figured that something on my Joomla install broke something in Akeeba that made the browse button go away.

Thanks for your reply

Friday, 06 November 2015 12:18 CST

nicholas
I'm not implying that you are creating a security issue directly, but it seems like you should not be able to browse above the public_html area from joomla.


I explained why it's possible and why it's necessary. Please do read the Security Information chapter in our documentation. Your impression is based on a very false idea of what security means.

Hint: if you put your backups in a predictable directory you make hackers' life MUCH easier in their attempt to compromise your site.

Just my opinion, I realize there are simple ways for even non-educated hackers to get anywhere on the server if it is not setup correctly.


Let me repeat that in order to see that page you need to ALREADY BE A SUPER USER. In other words, you must already be GOD. If you are God there are MUCH better things to do with your infinite power than look at a directory listing that does NOT list files and does NOT allow you to read files.

Hint: I have made a Joomla! component installation which can be "installed" through Extensions, Manager. It will install a C99 script in a predictable but non-obvious URL and immediately remove all traces that this package was ever installed. I did that as a proof of concept, proving that if you give Super User access to someone untrusted they CAN hack your site in a way that you will be none the wiser for a very, VERY long time.

So my question, is it intentional that the "Post-processing engine"-"upload to remote processing"- "initial directory" shows the "Output Directory" on the Joomla server and does not browse the FTP server directory any longer? It seemed like a bug


As I explained it's neither intentional nor a bug. Pressing ENTER anywhere in the form (NOT necessarily in the FTP fields) always triggers the first click handler on the form. It happens to be the Directory Browser for the Output Directory field.

I have tried to work around it but it breaks other things. However, that's simply mildly annoying. I would recommend not pressing ENTER on web forms you do not intend to submit anyway.

Or did I just miss the whole point of the browse button not being there any longer and you didn't want people to be able to browse the remote FTP server anylonger?


Yep, you did :) The FTP browser didn't work with all FTP servers. Over the years we found out that each server implementation returns a completely different format for the directory listing. Trying to support all of them was nigh impossible with our limited resources so the only reasonable course of action was to remove that feature altogether.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 06 November 2015 12:30 CST

kkevents
Thanks for all your lengthy explanations, as i already know most of that in basic sense. And thank you for answering my main question of if you could browse the FTP directory or not:

This reply was all I was after.


The FTP browser didn't work with all FTP servers. Over the years we found out that each server implementation returns a completely different format for the directory listing. Trying to support all of them was nigh impossible with our limited resources so the only reasonable course of action was to remove that feature altogether.


I'm sure you can understand how I would think it was a bug when the FTP documentation still showed the browse button there.

Thanks again for your always most educational reply. Have a wonderful day.
Edited by kkevents on 2015-11-06 12:39 CST

Friday, 06 November 2015 12:49 CST

nicholas
Thank you very much for the feedback! I missed the documentation which needs changing. Have a nice weekend :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!