Support

Akeeba Backup for Joomla!

#32833 Update 7.1.3 BUG

Posted in ‘Akeeba Backup for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Backup version
n/a

Latest post by eric.mennier on Friday, 10 April 2020 04:22 CDT

Friday, 10 April 2020 02:25 CDT

eric.mennier
With the last update 7.1.13 I have an error message on backup interface :

Akeeba Backup is ready to backup your site, but there are potential issues

Default output directory in use

I never have this message.

I look this topic : https://www.akeebabackup.com/documentation/warnings/q203.html nut the problem persist again.
Regards.

Friday, 10 April 2020 03:59 CDT

nicholas
First, a very important correction since this is a public ticket.

This is NOT a bug. It is a FIX for a bug.

Using the default backup output directory was always a bad idea, as I had written in the Security Information chapter of Akeeba Backup since 2007. While there has always been this warning in place, a bug introduced around version 5.0, if I remember correctly, prevented it from being displayed at all. Therefore people wouldn't know about the risk regarding the use of the default backup output directory.

If you read the page, you know that the best solution is to create a new directory for your backups and modify each and every backup profile to point their Output Directory there. This will make the warning go away.

Also note that if you do not get an error (red box) about your backup output directory being web accessible you can ignore this warning BUT be advised that it's still a bad idea using the default backup directory. You are one server configuration mishap away from unwittingly letting attackers gain access to your backup archives over the web without authentication.

This is one of those things that you're damned if you do and damned if you don't as a developer. Having a default backup output directory is necessary for new users to be able to use the software without having to do some confusing setup that might be above their knowledge level. However, using a default backup output directory makes it easier for hackers to target the backup archives. Telling users about it may be frustrating (as you found out) but not telling you makes the more experienced users and security people allege that we don't care about the security for our users.

The thing is I DO very deeply care about the security of my users and I've made it the banner I fight under since my first public software release. I'd rather people be annoyed at me for taking the extra steps to make their sites safe rather than for putting them at risk. Considering what we read in the news, about companies putting profit over security, I think my approach is better and more honest. But I digress.

If you have already changed your backup output directory in all of your backup profile and STILL get this warning let me know, that would be a bug. If you have questions about why using the default backup output directory is bad that were not answered in the page you read, ask me, I'll be happy to explain.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 10 April 2020 04:22 CDT

eric.mennier
Ok Nicholas, thanks for your reply.
Generally, no archhive stay on the server because i make a distant backup, but i make the change of defaut backup.
Regards.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!