• Folks, be careful when using this plugin.

    I am sure the DEVELOPER KNOWS this as well. This plugin may be a good plugin but there is one BIG PROBLEM WITH IT.

    The plugin will place a file called

    myEASYrestore.ini

    in the home directory.

    Everybody knows that this file can be accessed by anyone.

    The plugin also has a good way of notifying the developer who uses the plugin. So, every time you use this plugin the developer’s site is notified via a graphic reference.

    What this means is that the developer being a developer is tracking who is executing this plugin.

    BUT THE WAY THIS PLUGIN IS CREATED IT SHOWS ME THAT THERE ARE inauspicious MOTIVES BEHIND THE DEVELOPMENT.

    THE KEYWORD HERE TO NOTE IS THAT YOUR LOVELY WORDPRESS SITE CAN BE

    —-HACKED—— BY THE DEVELOPER QUITE EASILY!

    [phrase moderated]

    https://www.ads-software.com/extend/plugins/myeasybackup/

Viewing 3 replies - 1 through 3 (of 3 total)
  • If you think I am interested in hacking anyone’s site you are totally on the wrong way, “Sir”.

    My good faith was clearly shown when I promptly fixed another security issue as soon as another user – ShinePHP – kindly reported about it.

    It’s curious to see how the effort one puts into trying to make others’ lives easier can be misunderstood by someone.

    About the “myEASYrestore.ini” file
    I created the .ini file only to make the restore tool able to edit the wp-config.php file while migrating to a different server (and make users’ lives easier).

    The .ini file is promptly removed after the restore process is successfully completed.

    I have now fixed this issue (since version 0.1.0) by changing the .ini file name to myEASYrestore_ini.php and adding the following code in the first line:
    <?php return; ?>

    This way nobody can see its contents anymore.

    If anyone thinks that after this modification there is still a security issue just let me know and I will edit the code to make the new ini file optional.

    About “notifying the developer who uses the plugin”
    Again, there must be something in the code that I have inserted in good faith and that this “Sir” is getting the wrong way.

    Simply let me know what part of the code is notifying me and I will promptly remove it.

    About your behaviour
    You are the one in bad faith, not me! Your way of commenting on my effort (released to everyone for free!) makes me think you fall in one of the following categories:

    1. you are totally immature
    2. you are envious
    3. you wrote a similar plugin but nobody wants it

    Next time you like to comment on anyone else’s work I warmly suggest you use a different attitude: if you really think I am trying to hack others’ sites by publishing open source code in this kind of environment it is totally clear that, between us, the idiot is surely not me…

    After the post I had made about the myeasybackup plugin vulnerability on February 28th, 2010, I emailed with Ugo (the myeasybackup plugin author) for some time and I’m sure he is a real professional. If some problem appears in his plugin it is a normal process for every new product with an enthusiastic author. The author builds the functionality and makes the plugin better; users and other developers test it, discover some issues and give feedback. A professional developer resolves problems ASAP, as Ugo does.
    I walked through the 0.1.0 version code today and confirm that the mentioned problem with the myeasybackup.ini file was resolved in this version. The blog credentials needed to restore blog data from the backup copy are now stored as reliably as WordPress itself does it with its own wp-config.php configuration file.

    Another issue from the aggressive post above: the myeasybackup plugin uses a few images which are hosted at Ugo’s myeasywp.com site. Yes, he can know what sites use his plugin with that. Is it bad? I think no, it is not. There are much more efficient ways to get that information, more hidden from most of the users. It is just a favour from his side, I think.
    Let’s support Ugo for his continued efforts to make WordPress bloggers’ lives easier and better. I will rate this plugin +5 just now :).

    There are always some that have to rain on others’ parade. Specifically I refer to johndogan. My question to you, Sir, is this: did you bring up your concern directly with Ugo or was this something you wished to post so as to create doubt in the use of the myEASYbackup plugin?

    I too had an issue with the installation starting with v0.0.7. I promptly contacted Ugo directly and advised him of my issue. As it turned out one was with my host provider and another was with IE. Ugo confirmed the problem quickly and professionally to me, and was able to resolve both issues for me, as you see we are now at v0.1.0.

    I am not a developer let alone a programmer and appreciated Ugo’s willingness to help and resolve my issues.

    I also thank you for pointing out the fact that there was a security issue which I would have never caught on my own, but I agree with shinephp that your concerns could have been handled more professionally.

    As a non-programmer I am grateful for this plugin and to Ugo’s professionalism in handling the problems for me, so much so that I have donated to the cause, and suggest you do likewise unless you have a better plugin to offer, in which case let me try it and criticize it as you have done here.
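
Added example, not part of the thread and not the plugin's own code: a small Python audit of a web root for the two states discussed above, a credentials file with a plain-text extension such as myEASYrestore.ini, and ini data moved into a .php file that has to begin with the guard line quoted in the developer's reply. The extension list, the key-name pattern, the sample file contents and the file unguarded.php are constructed assumptions.

```python
import os
import re
import tempfile

# Extensions a web server typically returns verbatim (assumed list).
STATIC_EXTS = {".ini", ".txt", ".bak", ".old", ".conf"}
# ini-style lines that look like stored credentials (assumed key names).
SECRET_LINE = re.compile(r"(?im)^\s*\w*(pass|pwd|secret)\w*\s*=")
# First-line guard of the form quoted in the reply: <?php return; ?>
GUARD = re.compile(r"\A<\?php\s+(return|exit|die)\b[^;]*;\s*\?>")

def audit(docroot):
    """Map relative path -> finding for exposed credential files under docroot."""
    findings = {}
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in STATIC_EXTS and ext != ".php":
                continue
            path = os.path.join(base, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read(65536)
            if not SECRET_LINE.search(text):
                continue
            rel = os.path.relpath(path, docroot)
            if ext in STATIC_EXTS:
                findings[rel] = "served as plain text"
            elif not GUARD.match(text):
                findings[rel] = "ini data in .php without guard"
    return findings

def demo():
    """Build a constructed docroot (sample contents are made up) and audit it."""
    samples = {
        "myEASYrestore.ini": "db_password = example\n",
        "myEASYrestore_ini.php": "<?php return; ?>\ndb_password = example\n",
        "unguarded.php": "db_password = example\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit(root)

if __name__ == "__main__":
    for path, why in sorted(demo().items()):
        print(f"{path}: {why}")
```

The guard hides the contents only while the server actually executes .php files; if the PHP handler is disabled the file is returned as source, so keeping such a file outside the document root is the more robust option.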

  • The topic ‘[Plugin: myEASYbackup] BE-AWARE this Pluggin exposes MYSQL PASSWORD’ is closed to new replies.