[Mediawiki-l] site defaced
Brion Vibber
brion at pobox.com
Fri Aug 6 18:52:23 UTC 2004
Greg Rundlett wrote:
> My website was just defaced, and I have not yet had a chance to
> investigate the exact causes. The script-kiddie was able to upload a
> php shell creation script + php-explorer and others.
>
> I installed mediawiki in the last two weeks, and the folder is now
> gone. I'm wondering if mediawiki is known to be secure with
> allow_url_fopen set to on?
MediaWiki explicitly sets allow_url_fopen to off on the main entry
point, and we've made some effort to be careful about includes and
whatnot when calling the other files.
As far as I know, it should be safe.
I notice you posted a note about uploading a couple weeks ago; was
uploading allowed on your wiki? The default configuration when uploading
is enabled uses an extension whitelist which should prevent executable
PHP scripts from being uploaded, but if Apache wasn't configured to
prevent running of scripts in the upload directory it's conceivable that
there's a way to get things through it with a pathological filename. If
this is the case there should be some evidence in the httpd logs.
> Are there any known vulnerabilities in
> mediawiki? I do not know the exact vulnerability that caused my site to
> be owned, and there may have been multiple vulnerabilities, I'm just
> asking what if any info you might have in this regard.
I'm not aware of any PHP insertion vulnerabilities in the current 1.2 or
1.3 release versions, but if you find any *please* let us know.
-- brion vibber (brion @ pobox.com)
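Two of the points in the reply above lend themselves to a worked illustration: an upload whitelist that only looks at the final extension versus one that also rejects the "pathological" names (double extensions, NUL bytes, path separators, case games) that let a PHP file reach the upload directory, and the kind of httpd access-log entry to grep for afterwards. The following is an added example in Python and is not MediaWiki code; the whitelist values, the `/images/` upload path, the `naive_check` / `strict_check` / `suspicious_log_lines` names and the log lines are all assumptions constructed for the example.

```python
import re

# Added example, not MediaWiki code.  Whitelist values are assumed for this
# example; the real list lives in $wgFileExtensions in LocalSettings.php.
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg", "ogg"}

# Extensions a typical mod_php / CGI setup will execute.  Any of these anywhere
# in the name is treated as hostile: with AddType/AddHandler style configs,
# mod_mime can select a handler from a NON-final extension, so "shell.php.jpg"
# can run as PHP even though its last extension is whitelisted.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps",
                         "cgi", "pl", "py", "sh", "shtml"}

UPLOAD_URL_PREFIX = "/images/"   # assumed web path of the upload directory


def naive_check(filename):
    """Whitelist on the final extension only.  This is the weak form."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTENSIONS


def strict_check(filename):
    """Return (accepted, reason).  Rejects the pathological names that a
    last-extension whitelist lets through."""
    if "/" in filename or "\\" in filename:
        return False, "path separator in filename"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        return False, "control character (e.g. NUL) in filename"
    # Windows strips trailing dots/spaces, so "shell.php." may land as shell.php
    base = filename.rstrip(". ")
    if not re.fullmatch(r"[A-Za-z0-9_\-. ]+", base):
        return False, "character outside the conservative name whitelist"
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False, "no extension, or dotfile such as .htaccess"
    exts = parts[1:]
    for e in exts:
        if e in EXECUTABLE_EXTENSIONS:
            return False, "executable extension '%s' in name" % e
    if len(exts) != 1:
        return False, "multiple extensions"
    if exts[0] not in ALLOWED_EXTENSIONS:
        return False, "extension '%s' not whitelisted" % exts[0]
    return True, "ok"


def bypasses(filenames):
    """Names the naive check accepts but the strict one rejects."""
    return [f for f in filenames if naive_check(f) and not strict_check(f)[0]]


# Apache combined-log-format line: method, path and status are what we need.
_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_log_lines(lines):
    """Lines showing an executable extension requested under the upload
    directory and answered with 200: the evidence to look for after a defacement."""
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(UPLOAD_URL_PREFIX) or m.group("status") != "200":
            continue
        exts = {p.lower() for p in path.rsplit("/", 1)[-1].split(".")[1:]}
        if exts & EXECUTABLE_EXTENSIONS:
            hits.append(line)
    return hits


# Constructed sample inputs (not from any real incident).
SAMPLE_NAMES = [
    "photo.jpg",            # legitimate
    "shell.php.jpg",        # double extension, handler picked from .php
    "shell.php\x00.jpg",    # NUL: a C-level open() stops at "shell.php"
    "Shell.PHP.JPG",        # case games
    "../photo.jpg",         # path traversal in the name
    "shell.phtml",          # rejected by both checks
]

SAMPLE_LOG = [
    '10.0.0.5 - - [06/Aug/2004:17:01:12 +0000] "GET /images/Logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [06/Aug/2004:17:03:40 +0000] "GET /images/shell.php.jpg?cmd=id HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [06/Aug/2004:17:03:41 +0000] "POST /images/shell.php.jpg HTTP/1.1" 200 77 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [06/Aug/2004:17:04:02 +0000] "GET /images/x.php HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print("%-22r naive=%-5s strict=%s" % (name, naive_check(name), strict_check(name)))
    print("bypasses:", bypasses(SAMPLE_NAMES))
    for hit in suspicious_log_lines(SAMPLE_LOG):
        print("suspicious:", hit)
```

The filename check is only half of the defence the reply describes: whichever whitelist the application applies, the upload directory itself should not be able to execute anything, which for mod_php means a `<Directory>` block for that directory carrying `php_admin_flag engine off` together with `Options -ExecCGI`, so that even a file that does slip through is served as static bytes. The log scan keys on a 200 response for an executable extension under the upload path; a 404 (the last sample line) is an attempt, not a success, and is worth reading but is not the same evidence.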