[MediaWiki-l] Any security problems involved in letting administrators edit LocalSettings.php via a wiki page?

Brian Wolff bawolff at gmail.com
Sat Jul 1 23:04:54 UTC 2017


Even ignoring the security issues, if one of your users makes a typo, they
take down the site and they cannot revert because the site is then down.

>From a security prespective, this is equivalent to giving your users shell
access to your server. They can run any arbitrary program, do anything,
insert backdoors, etc. Additionally this setup requires the web user to
have write access to php enabled web directories which is also bad practise.

--
bawolff

On Saturday, July 1, 2017, Legoktm <legoktm.wikipedia at gmail.com> wrote:
> On 07/01/2017 03:16 PM, Jean Valjean wrote:
>> I want to let some of my administrators (in the wizards group) edit
>> LocalSettings.php, so I used this snippet, which allows them to make
>> changes by editing the Project:Shared_config.php page. Then I protected
the
>> page so that only wizards can edit it. Do you think this presents any
>> security issues?
>
> Yes, it presents a huge security issue. Anyone who can modify your
> LocalSettings.php can execute arbitrary PHP code. They could see any
> private data in your database, easily get passwords, or even potentially
> give themselves server access.
>
> I would highly recommend NOT doing this.
>
> -- Legoktm
>
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>


More information about the MediaWiki-l mailing list