On 25/9/20 5:34 am, Jeffrey Walton wrote:
> Hi Everyone,
>
> Our site is at https://www.cryptopp.com/wiki.
>
> Since the Mediawiki 1.34.3 upgrade, the wiki serves each page with the
> following at the top:
>
> <br />
> <b>Warning</b>: php_uname() has been disabled for security reasons in
> <b>/var/www/html/w/includes/GlobalFunctions.php</b> on line
> <b>1333</b><br />
> <!DOCTYPE html>
> <html class="client-nojs" lang="en" dir="ltr">
> <head>
> ...
>
> Any ideas how to fix things?

Set $wgOverrideHostname.
The calls to php_uname('s') could be replaced by PHP_OS_FAMILY. That
would be a patch suitable for upstream.

On 25/9/20 8:00 am, Valerio Bozzolan via MediaWiki-l wrote:
> I like people who harden shared hosting environments
> but I do not understand how restricting yourself should give you any practical security
> advantage.
>
> I'm not aware of any security concern involving php_uname(). Are you?

It can be used to obtain the version of the operating system being
used, which could in turn be used to obtain the exact binaries being
used, which makes heap overflow attacks and the like easier.
If that's the level of paranoia you're at, you should probably also
disable Special:Version, which is routinely crawled and can be used to
rapidly exploit vulnerable MediaWiki installations after a
vulnerability is announced. In LocalSettings.php:

    $wgSpecialPages['Version'] = DisabledSpecialPage::getCallback( 'Version' );

-- Tim Starling
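
Added example, not part of the thread and not MediaWiki code: a check an operator could run over fetched page bodies after an upgrade to catch PHP diagnostics emitted ahead of the doctype, like the php_uname() warning quoted above, and to report the disabled function, file path and line they expose. The function name and the SAMPLE/CLEAN bodies are constructed for illustration; SAMPLE reuses the output quoted in the thread.

```python
import re
from html import unescape

# PHP's HTML-formatted diagnostics look like:
# <b>Warning</b>: msg in <b>/path/file.php</b> on line <b>1333</b><br />
PHP_DIAG = re.compile(
    r"<b>(?P<level>Warning|Notice|Deprecated|Fatal error|Parse error)</b>:\s*"
    r"(?P<message>.*?)\s+in\s+<b>(?P<file>[^<]+)</b>\s+on\s+line\s+"
    r"<b>(?P<line>\d+)</b>",
    re.IGNORECASE | re.DOTALL,
)
DISABLED_FN = re.compile(r"(\w+)\(\) has been disabled for security reasons")


def leaked_diagnostics(body):
    """Return PHP diagnostics that appear before the page's <!DOCTYPE>."""
    cut = body.lower().find("<!doctype")
    # No doctype at all: scan the whole body rather than skip the check.
    preamble = body if cut == -1 else body[:cut]
    findings = []
    for m in PHP_DIAG.finditer(preamble):
        # Collapse line wraps inside the message and the path.
        message = " ".join(unescape(m.group("message")).split())
        fn = DISABLED_FN.search(message)
        findings.append({
            "level": m.group("level"),
            "message": message,
            "file": " ".join(m.group("file").split()),
            "line": int(m.group("line")),
            "disabled_function": fn.group(1) if fn else None,
        })
    return findings


# Constructed sample bodies; SAMPLE reuses the output quoted in the thread.
SAMPLE = """<br />
<b>Warning</b>: php_uname() has been disabled for security reasons in
<b>/var/www/html/w/includes/GlobalFunctions.php</b> on line
<b>1333</b><br />
<!DOCTYPE html>
<html class="client-nojs" lang="en" dir="ltr">
<head></head><body>ok</body></html>
"""
CLEAN = "<!DOCTYPE html>\n<html><head></head><body>ok</body></html>\n"

if __name__ == "__main__":
    for finding in leaked_diagnostics(SAMPLE):
        print(finding)
```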