[Mediawiki-l] encrypt mySQL password?

Anthony DiPierro wikispam at inbox.org
Sat Sep 3 19:04:36 UTC 2005


It's not a very good design, security-wise, for included PHP files to be 
within the web document root. See 
http://meta.wikimedia.org/wiki/Documentation:Security#Alternate_file_layout. 
That said, this situation alone does not seem to be an exploitable security 
problem.

Personally I've moved all the included files outside the document root. 
MediaWiki wasn't designed for this, so I do a chdir() at the top of each 
directly accessed PHP file. This hasn't been tested very well, might not 
work right, and might present security problems of its own. The proper 
solution would be for the MediaWiki developers to explicitly design the wiki 
software to run in this way, possibly as an option if there is some 
particular reason, but I don't see what that reason could be.

Anthony

On 9/2/05, dug <dalford at mindleaders.com> wrote:
> 
> I've noticed that the admin password to the mySQL db is included in plain
> text in the LocalSettings.php file in my Wiki directory, which is set to
> 755, readable and executable by the world. Am I being paranoid, or is this a
> slightly insecure situation?
> 
> Can the password be encrypted, or is there some other security measure I
> should take?
> 
> TIA
> --doug
> 
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l at Wikimedia.org
> http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
>
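
A check for the two conditions raised in this thread, as an added example that is not part of the original messages: whether a credentials-bearing config file is world-readable, and whether it sits under the web document root. The function names and finding labels are hypothetical, and both paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PHP config file that holds
# database credentials. Function names and finding labels are hypothetical.
# Usage: audit_config <document_root> <config_file>
# Prints one finding per line; prints nothing when both checks pass.

# Resolve a directory to its physical path so symlinked layouts compare correctly.
resolve_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

audit_config() {
    docroot=$(resolve_dir "$1") || { echo "ERROR: bad document root"; return 2; }
    cfg_dir=$(resolve_dir "$(dirname "$2")") || { echo "ERROR: bad config path"; return 2; }
    cfg="$cfg_dir/$(basename "$2")"
    [ -f "$cfg" ] || { echo "ERROR: $cfg is not a regular file"; return 2; }

    # World-readable: the "other" read bit is set, as it is in mode 755.
    if [ -n "$(find "$cfg" -prune -perm -004)" ]; then
        echo "WORLD_READABLE"
    fi

    # The file's directory is the document root or somewhere below it.
    # The trailing slash keeps a sibling such as htdocs2 from matching htdocs.
    case "$cfg_dir/" in
        "$docroot"/*) echo "INSIDE_DOCROOT" ;;
    esac
    return 0
}

# Run directly: sh audit.sh /path/to/docroot /path/to/LocalSettings.php
if [ "$#" -eq 2 ]; then
    audit_config "$@"
fi
```

A file reported as WORLD_READABLE can be read by any local account on the host, whatever directory it lives in.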


