It's not a very good design, security-wise, for included PHP files to be within the web document root. See http://meta.wikimedia.org/wiki/Documentation:Security#Alternate_file_layout. That said, this situation alone does not seem to be an exploitable security problem.
Personally I've moved all the included files outside the document root. MediaWiki wasn't designed for this, so I do a chdir() at the top of each directly accessed PHP file. This hasn't been tested very well, might not work right, and might present security problems of its own. The proper solution would be for the MediaWiki developers to explicitly design the wiki software to run in this way, possibly as an option if there is some particular reason, but I don't see what that reason could be.
Anthony
On 9/2/05, dug dalford@mindleaders.com wrote:
I've noticed that the admin password to the MySQL db is included in plain text in the LocalSettings.php file in my Wiki directory, which is set to 755, readable and executable by the world. Am I being paranoid, or is this a slightly insecure situation?
Can the password be encrypted, or is there some other security measure I should take?
TIA --doug
MediaWiki-l mailing list MediaWiki-l@Wikimedia.org http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
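
The two conditions discussed in this thread (a settings file readable by "other", and a settings file sitting under the web document root) can be checked with a short script. This is an added example, not part of the original messages or of MediaWiki; the function names and the paths passed to them are assumptions.

```shell
#!/bin/sh
# Added example: audit the mode and location of a settings file such as
# LocalSettings.php. Function names and arguments are hypothetical.

# real_dir DIR -> print the physical (symlink-resolved) path of DIR.
real_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# world_readable FILE -> exit 0 if the "other" read bit is set (e.g. 755, 644).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# inside_docroot DOCROOT FILE -> exit 0 if FILE resolves to a path under DOCROOT.
inside_docroot() {
    root=$(real_dir "$1") || return 2
    dir=$(real_dir "$(dirname "$2")") || return 2
    # The trailing slash keeps /srv/htdocs2 from matching /srv/htdocs.
    case "$dir/" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_settings DOCROOT FILE -> print space-separated findings, or "ok".
audit_settings() {
    findings=""
    if world_readable "$2"; then
        findings="world-readable"
    fi
    if inside_docroot "$1" "$2"; then
        findings="${findings:+$findings }inside-docroot"
    fi
    printf '%s\n' "${findings:-ok}"
}

# Usage: sh audit.sh /path/to/docroot /path/to/LocalSettings.php
if [ "$#" -eq 2 ]; then
    audit_settings "$1" "$2"
fi
```

A result of `ok` requires both that the file is outside the document root and that its mode grants nothing to "other" (for example 640 with the group set to the web server's group).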