[MediaWiki-l] Any security problems involved in letting administrators edit LocalSettings.php via a wiki page?

Legoktm legoktm.wikipedia at gmail.com
Sat Jul 1 22:57:15 UTC 2017


On 07/01/2017 03:16 PM, Jean Valjean wrote:
> I want to let some of my administrators (in the wizards group) edit
> LocalSettings.php, so I used this snippet, which allows them to make
> changes by editing the Project:Shared_config.php page. Then I protected the
> page so that only wizards can edit it. Do you think this presents any
> security issues?

Yes, it presents a huge security issue. Anyone who can modify your
LocalSettings.php can execute arbitrary PHP code. They could see any
private data in your database, easily get passwords, or even potentially
give themselves server access.

I would highly recommend NOT doing this.

-- Legoktm
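
The risk described in the reply comes from the page text being run as PHP. The following added example, which is not part of the original thread and is not MediaWiki's own code, shows the contrast: page text is parsed as JSON data and only allowlisted, type-checked settings are applied. The function names, the allowlist contents and the sample page text are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/** Allowlist: setting name => validator. Anything not listed is rejected. */
function allowedSettings(): array {
    return [
        'wgSitename'       => fn($v) => is_string($v) && strlen($v) <= 64,
        'wgDefaultSkin'    => fn($v) => is_string($v) && preg_match('/^[a-z0-9]{1,32}$/', $v) === 1,
        'wgMaxArticleSize' => fn($v) => is_int($v) && $v >= 1 && $v <= 8192,
    ];
}

/**
 * Parse page text as JSON data (never as PHP) and keep only validated settings.
 * Returns [accepted settings, rejected key names].
 */
function parseSharedConfig(string $pageText): array {
    $data = json_decode($pageText, true, 4);
    if (!is_array($data)) {
        return [[], ['<invalid JSON>']];
    }
    $accepted = [];
    $rejected = [];
    $allowed = allowedSettings();
    foreach ($data as $name => $value) {
        if (is_string($name) && isset($allowed[$name]) && $allowed[$name]($value)) {
            $accepted[$name] = $value;
        } else {
            $rejected[] = (string)$name;
        }
    }
    return [$accepted, $rejected];
}

// Constructed sample page content: two valid keys, one key outside the
// allowlist, and one allowlisted key whose value has the wrong type.
$pageText = '{"wgSitename": "Example Wiki", "wgDefaultSkin": "vector",
              "wgGroupPermissions": {"*": {"edit": true}}, "wgMaxArticleSize": "lots"}';

[$accepted, $rejected] = parseSharedConfig($pageText);
foreach ($accepted as $name => $value) {
    $GLOBALS[$name] = $value; // assigned as data; nothing from the page is executed
}
echo 'applied:  ', implode(', ', array_keys($accepted)), PHP_EOL;
echo 'rejected: ', implode(', ', $rejected), PHP_EOL;
```

The allowlist lives in the on-disk file, so whoever can edit that file remains the trust boundary. Any setting that influences permissions, file paths or executed commands has to stay out of the allowlist.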


