On 25/9/20 5:34 am, Jeffrey Walton wrote:
> Hi Everyone,
> Our site is at https://www.cryptopp.com/wiki.
> Since the Mediawiki 1.34.3 upgrade, the wiki serves each page with the following at the top:
> <br /> <b>Warning</b>: php_uname() has been disabled for security reasons in <b>/var/www/html/w/includes/GlobalFunctions.php</b> on line <b>1333</b><br /> <!DOCTYPE html> <html class="client-nojs" lang="en" dir="ltr"> <head> ...
> Any ideas how to fix things?
Set $wgOverrideHostname.
The calls to php_uname('s') could be replaced by PHP_OS_FAMILY. That would be a patch suitable for upstream.
On 25/9/20 8:00 am, Valerio Bozzolan via MediaWiki-l wrote:
> I like people who harden shared hosting environments but I do not understand how restricting yourself should give you any practical security advantage.
> I'm not aware of any security concern involving php_uname(). Are you?
It can be used to obtain the version of the operating system being used, which could in turn be used to obtain the exact binaries being used, which makes heap overflow attacks and the like easier.
If that's the level of paranoia you're at, you should probably also disable Special:Version, which is routinely crawled and can be used to rapidly exploit vulnerable MediaWiki installations after a vulnerability is announced. In LocalSettings.php:
$wgSpecialPages['Version'] = DisabledSpecialPage::getCallback( 'Version' );
-- Tim Starling
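
An added example, not part of the thread or of MediaWiki's code: a Python check an administrator could run over a served page body to see what it discloses, namely PHP errors like the one quoted above (with the filesystem path they reveal) and, going one step beyond the thread, the MediaWiki version in the generator meta tag. The function name audit_body is hypothetical, and the sample body is constructed from the output quoted in the thread plus a constructed generator tag.

```python
import re

# PHP's HTML error format: <b>Level</b>: message in <b>file</b> on line <b>N</b><br />
PHP_ERROR = re.compile(
    r"<b>(?P<level>Warning|Notice|Deprecated|Fatal error|Parse error)</b>:\s*"
    r"(?P<message>.*?)\s+in\s+<b>(?P<file>[^<]+)</b>\s+on line\s+<b>(?P<line>\d+)</b>",
    re.S,
)
# MediaWiki advertises its version in a generator meta tag on every page.
GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="MediaWiki ([^"]+)"', re.I)


def audit_body(body: str) -> dict:
    """Report what one served page discloses to an anonymous visitor."""
    doctype = body.lower().find("<!doctype")
    errors = []
    for m in PHP_ERROR.finditer(body):
        errors.append({
            "level": m["level"],
            "message": m["message"],
            "file": m["file"],
            "line": int(m["line"]),
            # Output emitted before the DOCTYPE means display_errors is on
            # and the error fired before the page started rendering.
            "before_doctype": doctype >= 0 and m.start() < doctype,
        })
    gen = GENERATOR.search(body)
    return {
        "php_errors": errors,
        "paths": sorted({e["file"] for e in errors}),
        "mediawiki_version": gen.group(1) if gen else None,
    }


# Constructed sample: the warning quoted in the thread, then a minimal page.
SAMPLE = (
    "<br />\n<b>Warning</b>:  php_uname() has been disabled for security reasons in "
    "<b>/var/www/html/w/includes/GlobalFunctions.php</b> on line <b>1333</b><br />\n"
    '<!DOCTYPE html>\n<html class="client-nojs" lang="en" dir="ltr">\n<head>\n'
    '<meta name="generator" content="MediaWiki 1.34.3"/>\n</head></html>'
)

if __name__ == "__main__":
    report = audit_body(SAMPLE)
    for err in report["php_errors"]:
        print(f'{err["level"]}: {err["file"]}:{err["line"]} {err["message"]}')
    print("MediaWiki version disclosed:", report["mediawiki_version"])
```

An empty php_errors list after setting $wgOverrideHostname confirms the warning is gone from served pages.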