[MediaWiki-l] Any security problems involved in letting administrators edit LocalSettings.php via a wiki page?

jayvdb at gmail.com
Sun Jul 2 04:42:48 UTC 2017


If you are going to do this anyway, despite the warnings given, use some
regex to strictly find all function & method invocations and only allow a
very small whitelisted set. Err on the side of caution with the regex
finding too many matches including false positives.

On Sun, 2 Jul 2017 07:57 Jean Valjean <jeanvaljean2718 at gmail.com> wrote:

> Well it does have a certain coolness factor to do everything through the
> wiki. It's kind of like how Mark Zuckerberg wanted Facebookers to be able
> to do everything they needed to do on the web without leaving Facebook.
> Facebook would have email, messaging, games, video, search, and even
> Wikipedia articles!
>
> https://thenextweb.com/opinion/2015/03/25/facebook-has-officially-declared-it-wants-to-own-every-single-thing-you-do-on-the-internet
>
> But why should Zuck be the only one to have such grand, sweeping ambitions?
> Once MediaWiki becomes powerful enough, it can kill all other apps and rule
> the world! http://www.npr.org/sections/alltechconsidered/2016/04/13/474011009/facebooks-new-master-plan-kill-other-apps
> We can create MediaWiki
> extensions for artificial intelligence, virtual reality, drones, you name
> it. Why shouldn't there be artificially intelligent robotic aircraft that
> anyone can edit?
> https://www.fastcompany.com/3052885/mark-zuckerberg-facebook
>
> Facebook walls people off from each other through the proprietary nature of
> its technology and the cliquish tendencies of its circles of friends.
> MediaWiki brings everyone together through openness and its natural
> tendency to foster online collectivist utopias. Therefore the time is
> coming for a steel cage match between the two platforms, in which they
> battle for dominance, with room for only one survivor. Once technology
> advances to the point where the software becomes self-aware, this
> deathmatch can move from being a theoretical possibility to a practical
> reality.
>
> One might ask, "Why is it even necessary to revise LocalSettings.php so
> often?" Ideally, there would be a configuration database, so that it
> wouldn't be necessary to make so many changes to LocalSettings.php, but I
> think the reason that never caught on is that there just aren't enough
> MediaWiki installations out there for it to seem like a worthwhile idea.
> It's not like WordPress, which probably has millions of installations. Or
> hundreds of thousands, anyway. Thus, it seems like we're doomed to continue
> manually editing PHP files for the foreseeable future.
>
> Sucks that they got rid of php_check_syntax(). That seems superior to php
> -l. http://php.net/manual/en/function.php-check-syntax.php
>
> On Sat, Jul 1, 2017 at 7:32 PM, Brian Wolff <bawolff at gmail.com> wrote:
>
> > Most people just use a git repo for version controlling their
> > LocalSettings.php
> >
> > If you really really want to do this onwiki approach, try verifying the
> > file with `php -l` before saving.
> >
> > --
> > brian
> >
> > On Saturday, July 1, 2017, Jean Valjean <jeanvaljean2718 at gmail.com>
> > wrote:
> > > Yeah, that's already happened a few times (typo taking the site down).
> > > What I did on another wiki farm was have one wiki in charge of the other
> > > wiki's config files, so that if you messed up LocalSettings.php, it
> > > wouldn't take down the wiki that was modifying it.
> > >
> > > My goal was to have some sort of version control system in place so
> > > that as different people are changing the files, we know who did what
> > > when, and can revert easily to a previous version.
> > >
> > > On Sat, Jul 1, 2017 at 7:04 PM, Brian Wolff <bawolff at gmail.com> wrote:
> > >
> > >> Even ignoring the security issues, if one of your users makes a typo,
> > >> they take down the site and they cannot revert because the site is
> > >> then down.
> > >>
> > >> From a security perspective, this is equivalent to giving your users
> > >> shell access to your server. They can run any arbitrary program, do
> > >> anything, insert backdoors, etc. Additionally this setup requires the
> > >> web user to have write access to PHP-enabled web directories which is
> > >> also bad practice.
> > >>
> > >> --
> > >> bawolff
> > >>
> > >> On Saturday, July 1, 2017, Legoktm <legoktm.wikipedia at gmail.com>
> > >> wrote:
> > >> > On 07/01/2017 03:16 PM, Jean Valjean wrote:
> > >> >> I want to let some of my administrators (in the wizards group) edit
> > >> >> LocalSettings.php, so I used this snippet, which allows them to
> > >> >> make changes by editing the Project:Shared_config.php page. Then I
> > >> >> protected the page so that only wizards can edit it. Do you think
> > >> >> this presents any security issues?
> > >> >
> > >> > Yes, it presents a huge security issue. Anyone who can modify your
> > >> > LocalSettings.php can execute arbitrary PHP code. They could see any
> > >> > private data in your database, easily get passwords, or even
> > >> > potentially give themselves server access.
> > >> >
> > >> > I would highly recommend NOT doing this.
> > >> >
> > >> > -- Legoktm
> > >> >
> > >> > _______________________________________________
> > >> > MediaWiki-l mailing list
> > >> > To unsubscribe, go to:
> > >> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> > >> >

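The two concrete suggestions in this thread are Brian's `php -l` syntax check before saving and jayvdb's regex that finds every function and method invocation and rejects anything outside a very small whitelist. The script below is an added example of a pre-save gate that does both; it is not code from the thread or from MediaWiki. The allowlist (`wfLoadExtension` and friends), the pattern set and the two sample config edits are assumptions constructed for the illustration, and the patterns are deliberately over-broad, as jayvdb recommends: comments and string literals are scanned too, variable functions (`$f()`), `new`, `include`/`require` and the backtick shell operator are all reported, and PHP's case-insensitive function names are compared lowercased so `SHELL_EXEC(` cannot slip past a case-sensitive list.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Hypothetical allowlist: the only functions a config page may call. An operator would
# trim this to exactly what their own LocalSettings.php needs. PHP function names are
# case-insensitive, so everything is compared lowercased.
ALLOWED_CALLS = {"wfloadextension", "wfloadskin", "wfloadextensions", "wfloadskins"}

# Language constructs that take parentheses but do not run foreign code. eval, exit/die,
# include/require and function definitions are deliberately absent from this set.
ALLOWED_CONSTRUCTS = {"if", "elseif", "while", "for", "foreach", "switch",
                      "array", "isset", "empty", "unset", "list"}

# Each pattern names one route by which PHP source can reach executable code. They are
# deliberately broad: a false positive costs one rejected edit, a miss costs the server.
INVOCATION_PATTERNS = [
    ("call",     re.compile(r"(?<![\w$>:])([A-Za-z_]\w*)\s*\(")),          # foo(  \Ns\foo(
    ("method",   re.compile(r"(?:->|::)\s*\$?([A-Za-z_]\w*)\s*\(")),       # $o->m(  C::m(
    ("variable", re.compile(r"\$\w+(?:\[[^\]]*\])*\s*\(")),                # $f(  $a['k'](
    ("new",      re.compile(r"\bnew\b", re.I)),                            # object construction
    ("include",  re.compile(r"\b(?:include|require)(?:_once)?\b", re.I)),  # file inclusion
    ("backtick", re.compile(r"`")),                                        # shell operator
]


def find_invocations(src):
    """Return (kind, name, line_no) for every construct the patterns treat as code
    execution. Comments and strings are scanned as well: over-match, never under-match."""
    hits = []
    for line_no, line in enumerate(src.splitlines(), 1):
        for kind, pat in INVOCATION_PATTERNS:
            for m in pat.finditer(line):
                name = m.group(1) if pat.groups else m.group(0).strip()
                hits.append((kind, name, line_no))
    return hits


def check_config(src, allowed=ALLOWED_CALLS):
    """Return human-readable violations; an empty list means the edit may be saved."""
    violations = []
    for kind, name, line_no in find_invocations(src):
        if kind == "call" and (name.lower() in allowed or name.lower() in ALLOWED_CONSTRUCTS):
            continue
        violations.append(f"line {line_no}: {kind} {name!r} is not on the allowlist")
    return violations


def php_syntax_ok(src):
    """The `php -l` check from the thread: True/False from the lint result,
    or None when no php binary is on PATH (the check is then simply unavailable)."""
    php = shutil.which("php")
    if php is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as fh:
        fh.write(src)
        path = fh.name
    try:
        return subprocess.run([php, "-l", path], capture_output=True, text=True).returncode == 0
    finally:
        os.unlink(path)


# Constructed sample edits for the demonstration, not config taken from the thread.
GOOD_CONFIG = """<?php
$wgSitename = "ExampleWiki";
$wgGroupPermissions['wizards']['edit'] = true;
wfLoadExtension( 'Cite' );
"""

BAD_CONFIG = """<?php
wfLoadExtension( 'Cite' );
$out = shell_exec( 'uptime' );
$wgHooks['BeforePageDisplay'][] = function ( $out ) { return true; };
$f = 'phpinfo'; $f();
"""

if __name__ == "__main__":
    for label, src in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, "php -l:", php_syntax_ok(src), "violations:", check_config(src) or "none")
```

Run as a script it lints and scans both samples; in a save hook you would refuse the edit when `check_config` returns anything or `php_syntax_ok` returns False. Note that the closure on line 4 of the bad sample is reported as a disallowed call of `function`: a closure registered as a hook is a code path, and rejecting it keeps the gate honest. This gate narrows what an editor can express; it does not change Brian's and Legoktm's point that anyone who can write LocalSettings.php is, for practical purposes, running code as the web user, so the web-writable config directory and the group membership remain the real controls.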
