Greg Rundlett wrote:
My website was just defaced, and I have not yet had a chance to investigate the exact causes. The script-kiddie was able to upload a php shell creation script + php-explorer and others.
I installed mediawiki in the last two weeks, and the folder is now gone. I'm wondering if mediawiki is known to be secure with allow_url_fopen set to on?
MediaWiki explicitly sets allow_url_fopen to off on the main entry point, and we've made some effort to be careful about includes and whatnot when calling the other files.
As far as I know, it should be safe.
I notice you posted a note about uploading a couple weeks ago; was uploading allowed on your wiki? The default configuration when uploading is enabled uses an extension whitelist which should prevent executable PHP scripts from being uploaded, but if Apache wasn't configured to prevent running of scripts in the upload directory it's conceivable that there's a way to get things through it with a pathological filename. If this is the case there should be some evidence in the httpd logs.
Are there any known vulnerabilities in mediawiki? I do not know the exact vulnerability that caused my site to be owned, and there may have been multiple vulnerabilities; I'm just asking what, if any, info you might have in this regard.
I'm not aware of any PHP insertion vulnerabilities in the current 1.2 or 1.3 release versions, but if you find any *please* let us know.
-- brion vibber (brion @ pobox.com)
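
A log check along the lines suggested in the reply above, as an added example that is not part of the original thread or of MediaWiki: it scans Apache access-log lines for requests under the upload directory whose filename carries a script extension. The upload URL prefix `/wiki/images/`, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: uploads are served from this URL prefix; set it to the wiki's upload path.
UPLOAD_PREFIX = "/wiki/images/"
# Assumption: extensions the server may hand to PHP; match this to the httpd config.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phps"}

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def script_hits(lines, prefix=UPLOAD_PREFIX):
    """Return (host, time, status, path) for upload-dir requests naming a script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        # Drop the query string and decode %xx escapes before inspecting the path.
        path = unquote(urlsplit(m["target"]).path)
        if not path.startswith(prefix):
            continue
        # Look at every path segment and every dot-separated part after the
        # first, case-insensitively, rather than only the final suffix.
        for segment in path[len(prefix):].split("/"):
            parts = [p.lower() for p in segment.split(".")[1:]]
            if SCRIPT_EXTS.intersection(parts):
                hits.append((m["host"], m["time"], int(m["status"]), path))
                break
    return hits

# Constructed sample lines (documentation IP range), not taken from any real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2004:10:01:02 -0400] "GET /wiki/images/a/ab/Logo.png HTTP/1.1" 200 5120',
    '192.0.2.77 - - [12/Jul/2004:10:05:40 -0400] "GET /wiki/images/3/3f/notes.php.txt HTTP/1.1" 200 812',
    '192.0.2.77 - - [12/Jul/2004:10:05:58 -0400] "GET /wiki/images/3/3f/Tool.PHP?x=1 HTTP/1.1" 200 140',
    '192.0.2.10 - - [12/Jul/2004:10:06:10 -0400] "GET /wiki/index.php?title=Main_Page HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for host, when, status, path in script_hits(SAMPLE_LOG):
        print(f"{when}  {host}  {status}  {path}")
```

A 200 status on a flagged line only shows that the file was served; whether it was executed depends on how Apache is configured for that directory.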