[MediaWiki-l] Any security problems involved in letting administrators edit LocalSettings.php via a wiki page?
bawolff at gmail.com
Sat Jul 1 23:32:48 UTC 2017
Most people just use a git repo for version controlling their
If you really really want to do this onwiki approach, try verifying the
file with `php -l` before saving.
On Saturday, July 1, 2017, Jean Valjean <jeanvaljean2718 at gmail.com> wrote:
> Yeah, that's already happened a few times (typo taking the site down).
> I did on another wiki farm was have one wiki in charge of the other wiki's
> config files, so that if you messed up LocalSettings.php, it wouldn't take
> down the wiki that was modifying it.
> My goal was to have some sort of version control system in place so that
> different people are changing the files, we know who did what when, and
> revert easily to a previous version.
> On Sat, Jul 1, 2017 at 7:04 PM, Brian Wolff <bawolff at gmail.com> wrote:
>> Even ignoring the security issues, if one of your users makes a typo,
>> takes down the site and they cannot revert because the site is then down.
>> From a security perspective, this is equivalent to giving your users
>> access to your server. They can run any arbitrary program, do anything,
>> insert backdoors, etc. Additionally this setup requires the web user to
>> have write access to php enabled web directories which is also bad.
>> On Saturday, July 1, 2017, Legoktm <legoktm.wikipedia at gmail.com> wrote:
>> > On 07/01/2017 03:16 PM, Jean Valjean wrote:
>> >> I want to let some of my administrators (in the wizards group) edit
>> >> LocalSettings.php, so I used this snippet, which allows them to make
>> >> changes by editing the Project:Shared_config.php page. Then I
>> >> page so that only wizards can edit it. Do you think this presents any
>> >> security issues?
>> > Yes, it presents a huge security issue. Anyone who can modify your
>> > LocalSettings.php can execute arbitrary PHP code. They could see any
>> > private data in your database, easily get passwords, or even
>> > give themselves server access.
>> > I would highly recommend NOT doing this.
>> > -- Legoktm
>> > _______________________________________________
>> > MediaWiki-l mailing list
>> > To unsubscribe, go to:
>> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
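One defender-side way to apply the `php -l` advice from the thread, written as an added example rather than code from the list or from MediaWiki: the config is edited in a separate git checkout (so "who did what when" lives in git history), syntax-checked, backed up, and then atomically swapped into the live location; the paths below are placeholders, and the step refuses to deploy at all if `php` is not available.

```shell
#!/bin/sh
# Added example (not from the thread). Deploys a candidate LocalSettings.php
# that was edited and committed in a git checkout OUTSIDE the webroot, so the
# web user never needs write access to a php-enabled directory.
#
# deploy_localsettings CANDIDATE LIVE
# Return codes: 0 deployed, 1 syntax error, 2 usage error, 3 php missing.
deploy_localsettings() {
    candidate=$1
    live=$2
    [ -n "$candidate" ] && [ -n "$live" ] || return 2
    [ -f "$candidate" ] || return 2

    # Fail closed: if the linter is unavailable, do not deploy an unchecked file.
    command -v php >/dev/null 2>&1 || return 3

    # php -l is a syntax-only check. It catches the "typo takes the whole
    # site down" case, but it says nothing about what the code does, which
    # is why only trusted server operators should be able to change this file.
    if ! php -l "$candidate" >/dev/null 2>&1; then
        return 1
    fi

    # Keep the previous version next to the live file so a revert is possible
    # even when the wiki itself is unreachable afterwards.
    if [ -f "$live" ]; then
        cp -p "$live" "$live.bak.$(date +%Y%m%d%H%M%S)" || return 2
    fi

    # Write to a temp file in the same directory and rename it into place, so
    # a half-written LocalSettings.php is never served.
    tmp=$(mktemp "$(dirname "$live")/LocalSettings.php.XXXXXX") || return 2
    cp "$candidate" "$tmp" && chmod 0640 "$tmp" && mv -f "$tmp" "$live"
}

# Example usage with placeholder paths:
# deploy_localsettings /srv/wiki-config/LocalSettings.php \
#                      /var/www/wiki/LocalSettings.php
```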