Greg Rundlett wrote:
> My website was just defaced, and I have not yet had a chance to
> investigate the exact causes. The script-kiddie was able to upload a
> php shell creation script + php-explorer and others.
> I installed mediawiki in the last two weeks, and the folder is now
> gone. I'm wondering if mediawiki is known to be secure with
> allow_url_fopen set to on?

MediaWiki explicitly sets allow_url_fopen to off on the main entry
point, and we've made some effort to be careful about includes and
whatnot when calling the other files.
As far as I know, it should be safe.

I notice you posted a note about uploading a couple weeks ago; was
uploading allowed on your wiki? The default configuration when uploading
is enabled uses an extension whitelist which should prevent executable
PHP scripts from being uploaded, but if Apache wasn't configured to
prevent running of scripts in the upload directory it's conceivable that
there's a way to get things through it with a pathological filename. If
this is the case there should be some evidence in the httpd logs.

> Are there any known vulnerabilities in mediawiki? I do not know the
> exact vulnerability that caused my site to be owned, and there may
> have been multiple vulnerabilities, I'm just asking what if any info
> you might have in this regard.

I'm not aware of any PHP insertion vulnerabilities in the current 1.2 or
1.3 release versions, but if you find any *please* let us know.
-- brion vibber (brion @ pobox.com)
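
Added example, not part of the original message and not MediaWiki code: one way to look for the httpd log evidence mentioned above, by flagging requests under the upload directory whose filename carries a PHP-style extension in any position. The upload prefix, the extension set, the common/combined log format and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed upload path prefix; set this to the wiki's real upload directory.
UPLOAD_PREFIX = "/wiki/images/"
# Assumed set of extensions the server might hand to the PHP interpreter.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phps"}

# Apache common/combined format: host ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def script_like(path):
    """True if ANY dot-separated part of the filename is a script extension,
    so names such as 'x.php.txt' are caught as well as 'x.php'."""
    name = unquote(path.split("?", 1)[0]).rsplit("/", 1)[-1].lower()
    return any(part.strip() in SCRIPT_EXTS for part in name.split(".")[1:])

def suspicious_upload_hits(lines, prefix=UPLOAD_PREFIX):
    """Return (time, host, method, path, status) for flagged log lines."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        path = m["path"]
        if unquote(path).startswith(prefix) and script_like(path):
            hits.append((m["time"], m["host"], m["method"], path, int(m["status"])))
    return hits

# Constructed sample lines (documentation IP range), not real log data.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2004:10:01:02 +0000] "GET /wiki/images/a/ab/Photo.jpg HTTP/1.0" 200 5120',
    '192.0.2.44 - - [12/Aug/2004:10:05:40 +0000] "GET /wiki/images/tmp/notes.php.txt HTTP/1.0" 200 312',
    '192.0.2.10 - - [12/Aug/2004:10:06:11 +0000] "GET /wiki/index.php?title=Main_Page HTTP/1.0" 200 9001',
    '192.0.2.44 - - [12/Aug/2004:10:07:19 +0000] "POST /wiki/images/3/3f/report.PHP HTTP/1.0" 403 210',
]

if __name__ == "__main__":
    for hit in suspicious_upload_hits(SAMPLE_LOG):
        print(hit)
```

A flagged request that returned 200 is the one to examine first; whether the server actually executed the file depends on how Apache is configured for that directory.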