DMC Firewall Security Issue - version 1.3 and below
It was reported to us that the backed-up version of either the '.htaccess' or 'web.config' file was publicly reachable by going to 'yourdomain.com/backup.htaccess' or 'yourdomain.com/backup.web.config' - exposing any custom rules that you may have set.
When was the backup created?
The backup was created when you installed or updated DMC Firewall, if you had a '.htaccess' or 'web.config' file in the root of your web-space and our edits weren't already present in that server file. During the installation/update routines, DMC Firewall makes a number of edits to your server file, but before these edits are made a backup is taken in case something goes wrong.
What have you done to fix this?
DMC Firewall 1.4 addresses this issue by moving the backed-up version into a separate 'backups' folder located within 'administrator/components/com_dmcfirewall/backups', with the date and time (yyyy-mm-dd-hh-mm-ss) of the DMC Firewall update appended to the file name (for example, backup.htaccess-2016-04-10-15-00-00). Access to this folder's content is blocked with '.htaccess/web.config' rules: anyone who tries to access this folder or the content within it will be presented with a '403 Forbidden' message.
We recommend that everyone update to DMC Firewall 1.4.
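A site that ran version 1.3 or below can check its web root for the old backup files with the script below. It is an added example, not DMC Firewall code: the function names and the move step are assumptions, it assumes the old files may still be in the web root after updating (this advisory does not say whether 1.4 removes them), and it takes the file names and backups path as quoted above.

```shell
#!/bin/sh
# Added example, not part of DMC Firewall. File names and the backups path are
# the ones quoted in the advisory; function names are hypothetical.

BACKUP_NAMES="backup.htaccess backup.web.config"
BACKUP_DIR="administrator/components/com_dmcfirewall/backups"

# Print every old-style backup still sitting in the web root, one per line.
find_exposed_backups() {
    webroot=$1
    for name in $BACKUP_NAMES; do
        if [ -f "$webroot/$name" ]; then
            printf '%s\n' "$webroot/$name"
        fi
    done
}

# Move leftover backups into the backups folder using the 1.4 naming scheme
# (name-yyyy-mm-dd-hh-mm-ss). Returns 2 and moves nothing if that folder is
# missing or holds no .htaccess/web.config of its own, because the files
# would then stay publicly reachable, just at a different URL.
# Only the presence of the rule file is checked, not what its rules say.
quarantine_backups() {
    webroot=$1
    dest="$webroot/$BACKUP_DIR"
    if [ ! -d "$dest" ] || { [ ! -f "$dest/.htaccess" ] && [ ! -f "$dest/web.config" ]; }; then
        echo "refusing: $dest is missing or has no access rules" >&2
        return 2
    fi
    stamp=$(date +%Y-%m-%d-%H-%M-%S)
    find_exposed_backups "$webroot" | while IFS= read -r path; do
        mv -- "$path" "$dest/$(basename "$path")-$stamp"
        echo "moved $path"
    done
}
```

Source the file and call `find_exposed_backups /path/to/webroot` first; run `quarantine_backups` with the same argument only once the output has been reviewed.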