[MediaWiki-l] Special:Version leaks info on open_basedir

Jeffrey Walton noloader at gmail.com
Sun Dec 23 22:53:49 UTC 2018


Hi Everyone,

A while back we applied hardening per
http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
. Our php.ini includes the following:

    ;; #15 Limit PHP Access To File System
    ;; Allows recursive descent
    open_basedir="/var/www/html/:/var/lib/php/"

When (1) the cache is stale, and (2) we run Special:Version, then part
of our security configuration is provided:
https://cryptopp.com/special-version.png

Is there any way to close that hole?

I'm OK with allowing Git to run, but I don't know how to do it short
of opening up /usr/bin to the web server.

Thanks in advance.



More information about the MediaWiki-l mailing list