I've just installed and configured MediaWiki for the first time and so far everything has been functioning smoothly. However, I've noticed that I'm able to browse to a specific file or directory within the public directory, for example I'm able to bring up my LocalSettings file or browse to the /bin area.
Now, the average visitor will probably not have any knowledge of MediaWiki and where files and directories are placed, but someone who does know could very well navigate their way around. One solution could be to place index.html files in the other directories and to customize server permissions for individual files and directories, but this seems unnecessary and still doesn't solve the issue of security considering that other wikis such as Wikipedia, Wikinfo, etc. do not appear to do this and keep visitors strictly within the wiki environment.
What do I need to do in order to configure the server and/or wiki to function like that? I've looked through much of the MediaWiki documentation and all I can find concerning the issues of security and permissions are those that relate to the wiki itself, and not the web server. There's no information about what to do with the files and directories in order to mask them from the public. Any help would be greatly appreciated.
Thank you.
coldwaveindustry@yahoo.com wrote:
> I've just installed and configured MediaWiki for the first time and so far everything has been functioning smoothly. However, I've noticed that I'm able to browse to a specific file or directory within the public directory, for example I'm able to bring up my LocalSettings file or browse to the /bin area.
Please see the documentation for your web server if you wish to change this.
Note that MediaWiki is open source, so there's little benefit to "seeing" these files. ;)
-- brion vibber (brion @ pobox.com)
On 5/6/06, Brion Vibber brion@pobox.com wrote:
> Note that MediaWiki is open source, so there's little benefit to "seeing" these files. ;)

Well there are some things in LocalSettings.php (e.g. MySql config stuff) that I might not want others to see.
-- Rick DeNatale
IPMS/USA Region 12 Coordinator http://ipmsr12.denhaven2.com/
Visit the Project Mercury Wiki Site http://www.mercuryspacecraft.com/
Rick DeNatale wrote:
> On 5/6/06, Brion Vibber brion@pobox.com wrote:
>> Note that MediaWiki is open source, so there's little benefit to "seeing" these files. ;)
> Well there are some things in LocalSettings.php (e.g. MySql config stuff) that I might not want others to see.

I think that was a given ;)
Filip
Rick DeNatale wrote:
> On 5/6/06, Brion Vibber brion@pobox.com wrote:
>> Note that MediaWiki is open source, so there's little benefit to "seeing" these files. ;)
> Well there are some things in LocalSettings.php (e.g. MySql config stuff) that I might not want others to see.
And they can't see it, since the PHP is executed and nothing is output to the browser.
-- brion vibber (brion @ pobox.com)
I hope this goes through, I've had tons of trouble submitting to this list in the past (am I supposed to put "[Mediawiki-l] " in the subject myself?)
All of a sudden, my users are confused because my MediaWiki:Nogomatch message ( http://meta.enterwiki.net/page/MediaWiki:Nogomatch ) isn't transcluding at the top of Special:Search - much of my noobie documentation I wrote used Special:Search as a recourse to help them create a new page when it was necessary to do so (type the page name in the search box, hit enter, and click 'create this article' at the top of the ensuing page). I don't often use search myself so I didn't notice till I had a user complain that this was missing, and it can't have happened except in the upgrade to 1.6.x - how do I re-enable this? It seems like it should totally be there; I checked 1.6.x's SpecialSearch.php and it still adds it to wgOut after there are no auto-redirect-after-search matches - so why isn't it appearing?
Moin,
On Monday 08 May 2006 00:58, Rick DeNatale wrote:
> On 5/6/06, Brion Vibber brion@pobox.com wrote:
>> Note that MediaWiki is open source, so there's little benefit to "seeing" these files. ;)
> Well there are some things in LocalSettings.php (e.g. MySql config stuff) that I might not want others to see.

When using Apache, add a .htaccess file with the contents:

    Deny from all

(Although you need to take care that this doesn't involve subdirectories, like the skins, images etc. These then need their own .htaccess files with

    Allow from all

in them, or the CSS files and images won't show up.) For details, see the manual of your webbrowser.
Best wishes,
Tels
On 08/05/06, Tels nospam-abuse@bloodgate.com wrote:
> Moin,
> On Monday 08 May 2006 00:58, Rick DeNatale wrote:
>> On 5/6/06, Brion Vibber brion@pobox.com wrote:
>>> Note that MediaWiki is open source, so there's little benefit to "seeing" these files. ;)
>> Well there are some things in LocalSettings.php (e.g. MySql config stuff) that I might not want others to see.
> When using Apache, add a .htaccess file with the contents:
> Deny from all
Yes, a .htaccess in the wiki root with that in will stop it being used. Meanwhile, MediaWiki should come with some such files in specific directories, e.g. includes and maintenance.
Rob Church
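The per-directory approach discussed above, written out as an added example; it is not from any poster in this thread or from the MediaWiki project. It assumes the wiki is served from a directory where Apache honours .htaccess files, and it leaves skins and images untouched so CSS and pictures still load.

```apache
# ---- <wiki root>/.htaccess ----
# Needs AllowOverride Options, Limit and AuthConfig for this directory.

# No generated listings for directories that lack an index file.
Options -Indexes

# Refuse direct requests for the settings file and for copies that editors
# or backups leave beside it (LocalSettings.php~, LocalSettings.php.bak).
# PHP reads the file from disk, so the wiki itself is unaffected.
<FilesMatch "^LocalSettings\.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2, the syntax quoted in the thread
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# ---- includes/.htaccess and maintenance/.htaccess (same contents) ----
# Nothing in these directories is meant to be requested by a browser.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
```

Because the rule on LocalSettings.php is enforced by Apache rather than by PHP, the file's source stays unreadable over HTTP even if PHP execution is ever switched off by a configuration mistake.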
This might be of interest.
"Consider moving the database password or other potentially sensitive data from LocalSettings.php to another file located outside of the web document root, and include()ing that file from LocalSettings.php. This can help to ensure that your database password will not be compromised if a web server configuration error disables PHP execution and reveals the file's source text."
http://meta.wikimedia.org/wiki/Documentation:Security#Alternate_file_layout
-----Original Message-----
From: Rob Church [mailto:robchur@gmail.com]
Sent: Monday, May 08, 2006 9:52 AM
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] Security issues with directories
On 08/05/06, Tels nospam-abuse@bloodgate.com wrote:
> Moin,
> On Monday 08 May 2006 00:58, Rick DeNatale wrote:
>> On 5/6/06, Brion Vibber brion@pobox.com wrote:
>>> Note that MediaWiki is open source, so there's little benefit to "seeing" these files. ;)
>> Well there are some things in LocalSettings.php (e.g. MySql config stuff) that I might not want others to see.
> When using Apache, add a .htaccess file with the contents:
> Deny from all
Yes, a .htaccess in the wiki root with that in will stop it being used. Meanwhile, MediaWiki should come with some such files in specific directories, e.g. includes and maintenance.
Rob Church