Hello again
I think I've found the heart of the matter. Here are the instructions given by the Joomlapack vendor on securing the backup folders:
The link is: http://www.joomlapack.net/help-support-documentation/joomlapack-2x-documentation/miscinfo-security.html
Security concerns
Access rights
As with every software which can access your site as a whole, JoomlaPack needs to control who's got access to its backup functionality. Due to the lack of a thorough ACL mechanism in Joomla!, we have decided to make the administrator (back end) of this component available to the Super Administrators only. This group of people already has infinite access to the access, making them the ideal candidate for backup operators.
The front end backup feature is a different story. Since it has to be available to unattended scripts, a different approach was taken. Instead of requiring the user to have logged in with Joomla! it uses a simple "secret word" authentication model. Because this "secret word" is transmitted in clear text we strongly advise against using it over anything else than a local network (for example, an automated tool running on the same host as the web server). If you have to use it over the Internet we strongly advise using a secure protocol connection (HTTPS) with a valid commercially acquired certificate.
If - for whatever reason - you want to relax the restriction to the Super Administrators group, you'll have to directly edit the JoomlaPack code. We shouldn't give generic advice on this matter; each case will be somewhat different according to our experience. If you really want to do something like that and you are sure you understand the risks, just make a post over our support forum.
Securing access to the backup output and temporary directories
About the temporary directory
JoomlaPack 1.3 onwards is using the same temporary directory as Joomla!. This is normally a directory named "tmp" on your site's root. The temporary files are short-lived, unless a fatal PHP error or a loss of connection abruptly halts JoomlaPack's operation. In this case, the temporary file will not be deleted before a new backup is attempted, or you visit the JoomlaPack Control Panel page.
Important
The only temporary files JoomlaPack uses are database dumps. Unauthorised access to them can lead to leakage of sensitive information or could be used to facilitate compromising your site's integrity.
To this end, it is sane to restrict the access to the temporary directory. If you can't use an off-site temporary directory, we strongly advise disabling direct web access to this directory. This can be done by creating an .htaccess file on the directory with the following contents:
deny from all
Securing the backup output directory
By default JoomlaPack uses a non secure location to store its backup files, within your site's file system hierarchy, namely administrator/components/com_joomlapack/backup. This location is well known and can be accessed directly from a web browser. Since the backup output directory stores the results of your backup attempts, that is SQL files containing database backups and archive files containing all of your site, a malicious person with access to this location could steal sensitive information or compromise your site's integrity.
The first line of defense, employed by JoomlaPack 1.2.1 onwards, is to use mangled, hard to guess, names for the SQL backup. However, in the era of multi-MBPS xDSL Internet connections and scripting, it wouldn't take an attacker that long to figure out the filename. Remember: security through obscurity is no security at all!
As a second line of defense, JoomlaPack includes a secure .htaccess on the default backup output directory to disable direct web access. However, this is only possible on Apache-powered web servers which allow the use of .htaccess files. You should check with your host to ensure that this kind of protection is possible on your site.
However, this is not enough. Security experts argue that storing backups within the potentially vulnerable system itself might be a security risk. It is possible that a malicious person could gain access via other means. Think of a simple scenario. You have an Administrator with a weak password a hacker eventually guesses. Now the hacker can log in to your site, but doesn't have access to JoomlaPack. Despite that, you have installed a file administration component which allows administrators to browse the site's file system and download files. How long would it take before your site got compromised? Right. Not very long indeed!
The best approach is to use a directory which is outside your web server's root. By definition, this is not directly exposed to the web and is usually unavailable to file administration utilities.
I think the part that matters to me is the one I highlighted, but the procedure to follow remains Greek to me.
Thanks again
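
As an added example (not part of the original post or of JoomlaPack's documentation), this Python script checks the two measures the quoted documentation describes: a deny-all .htaccess in the tmp directory, and a backup output directory located outside the web root. The `public_html` and `backups` paths are constructed sample locations; the check also accepts `Require all denied`, the Apache 2.4 form of the directive.

```python
import os
import re
import tempfile

# Directives that block all direct web access: the page's "deny from all"
# (Apache 2.2 syntax) and its Apache 2.4 equivalent "Require all denied".
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def htaccess_denies_all(directory):
    """True if directory/.htaccess contains an uncommented deny-all directive."""
    path = os.path.join(directory, ".htaccess")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return bool(DENY_RE.search(fh.read()))
    except OSError:
        return False

def is_inside(child, parent):
    """True if child is parent or lies beneath it, after resolving symlinks."""
    child, parent = os.path.realpath(child), os.path.realpath(parent)
    return os.path.commonpath([child, parent]) == parent

def audit(web_root, backup_dir):
    """Return a list of findings for the tmp and backup output directories."""
    findings = []
    tmp_dir = os.path.join(web_root, "tmp")
    if os.path.isdir(tmp_dir) and not htaccess_denies_all(tmp_dir):
        findings.append("tmp: no deny-all .htaccess")
    if is_inside(backup_dir, web_root):
        findings.append("backup: inside web root")
        if not htaccess_denies_all(backup_dir):
            findings.append("backup: no deny-all .htaccess")
    return findings

def demo():
    """Build a constructed site layout and audit it before and after hardening."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "public_html")
        default = os.path.join(root, "administrator/components/com_joomlapack/backup")
        os.makedirs(os.path.join(root, "tmp"))
        os.makedirs(default)
        before = audit(root, default)
        with open(os.path.join(root, "tmp", ".htaccess"), "w") as fh:
            fh.write("deny from all\n")
        offsite = os.path.join(base, "backups")  # hypothetical path outside the web root
        os.makedirs(offsite)
        return before, audit(root, offsite)
```

On a real site, call `audit()` with the actual web root and the backup output directory configured in JoomlaPack; an empty list means both measures are in place.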