Is the path of DbBackups secure?

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
1 year ago
Hi,
Is the path of DbBackups secure?
Isn't it a security vulnerability for it to be under wwwroot?
1 year ago
Is there no answer?

public static string DbBackupsPath => "db_backups\\";

wwwroot\db_backups

Doesn't it create a security vulnerability?
1 year ago
The ASP.NET Core templates call UseStaticFiles before calling UseAuthorization. Most apps follow this pattern. When the Static File Middleware is called before the authorization middleware:
- No authorization checks are performed on the static files.
- Static files served by the Static File Middleware, such as those under wwwroot, are publicly accessible.


But in nopCommerce, there is a customization for static files. The db_backups folder requires the maintenance permission to be accessed.
Please see the code from the image.

1 year ago
How safe is it that the backup folder is the internet-accessible folder by default? wwwroot/db_backups
1 year ago
The default directory is {content root}/wwwroot, but it can be changed with the UseWebRoot method.
Any of the project directories can be accessible if you configure them to be.
To put it another way: no directory is accessible unless you give access to it.

Please check the documentation:
Static files in ASP.NET Core https://learn.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0
1 year ago
I mean the backup should not be in a folder that is open on the internet... How logical is it to put a backup folder in a folder that everyone can access from the web?
It must be in App_Data:
public static string DbBackupsPath => "..\\App_Data\\";
1 year ago
suatsuphi wrote:
everyone can access

That's not true. Not everyone has access to it. Please see the reply from tanzimsiddiqee above. You need the maintenance permission to access this folder (so administrators can download a backup).
1 year ago
This is the URL of the backup folder:
https://demo.nopcommerce.com/db_backups/index.htm

This is the backup file structure:
database_2023-03-21-13-12-22_4297735156.bak

If you know the backup file's name, can you download that file?
https://demo.nopcommerce.com/db_backups/database_2023-03-21-13-12-22_4297735156.bak
1 year ago
suatsuphi wrote:
If you know the backup file's name, can you download that file?

No. Only administrators with the maintenance permission can do that.
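The pattern tanzimsiddiqee's reply describes (a permission check that runs before the static file middleware, so that guessing a .bak file name alone is not enough to download it) looks roughly like the following. This is an added illustration written for this thread, not nopCommerce's own code; the "permission" claim name and its "MaintenancePermission" value are assumptions, and an ASP.NET Core 7 minimal-hosting app is assumed.

```csharp
// Added example, not nopCommerce's code. Gates requests to a backup folder
// that physically lives under wwwroot BEFORE UseStaticFiles can serve them.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(); // scheme (cookie/JWT) configured elsewhere
builder.Services.AddAuthorization();
var app = builder.Build();

// Authentication must run first so context.User is populated for the gate.
app.UseAuthentication();

// Guard /db_backups/* ahead of the static file middleware. Without this,
// the default pipeline order (UseStaticFiles before UseAuthorization)
// would serve any file under wwwroot/db_backups to anyone who knows its name.
app.Use(async (context, next) =>
{
    if (context.Request.Path.StartsWithSegments("/db_backups"))
    {
        // Assumed claim shape: ("permission", "MaintenancePermission").
        var allowed = context.User.Identity?.IsAuthenticated == true
                   && context.User.HasClaim("permission", "MaintenancePermission");
        if (!allowed)
        {
            // 404 rather than 403: do not confirm to unauthenticated callers
            // that the folder or a particular backup file name exists.
            context.Response.StatusCode = StatusCodes.Status404NotFound;
            return;
        }
    }
    await next();
});

app.UseStaticFiles();   // serves wwwroot, including wwwroot/db_backups
app.UseAuthorization();
app.Run();

// Alternative raised in this thread: keep backups outside the web root
// (e.g. App_Data) so no static file middleware can ever reach them, and
// stream them to administrators through an authorized controller action.
```

Whichever approach is used, the check worth running after deployment is an unauthenticated request for the index and for a known backup file name, which should not return the file.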