[MediaWiki-l] Special:Version leaks info on open_basedir

Martin Urbanec martin.urbanec at wikimedia.cz
Sun Dec 23 23:08:48 UTC 2018


Hey,

have a look at
https://www.mediawiki.org/w/index.php?title=Topic:Tbb9vyeslb873e9n&topic_showPostId=tbbefgxuarr3xzsv#flow-post-tbbefgxuarr3xzsv
. This post should help you.

Best,
Martin

On Sun, 23 Dec 2018 at 23:55, Jeffrey Walton <noloader at gmail.com>
wrote:

> Hi Everyone,
>
> A while back we applied hardening per
> http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
> . Our php.ini includes the following:
>
>     ;; #15 Limit PHP Access To File System
>     ;; Allows recursive descent
>     open_basedir="/var/www/html/:/var/lib/php/"
>
> When (1) the cache is stale, and (2) we run Special:Version, then part
> of our security configuration is provided:
> https://cryptopp.com/special-version.png
>
> Is there any way to close that hole?
>
> I'm OK with allowing Git to run, but I don't know how to do it short
> of opening up /usr/bin to the web server.
>
> Thanks in advance.