Hi to all, I am not a web security expert, but I am really concerned about this issue and I have some questions and ideas about it.
Recently I performed an Opengoo hosting migration, and I could download the backup package directly from my server using wget. The point is that the backup package name is generic, so if I don't remove the backup files after their creation, everyone with a minimum knowledge about Opengoo could get my backups. This is a real problem when the backup file contains the DB and the files on the server. I think that this issue could be solved with one of these (or both) simple actions:
1) Adding a password to the files (This would really make the point)
2) Asking the Opengoo administrator for a different backup filename.
What do you think?