Thread:Project:Support desk/File Access Security Gap

Hello everybody,

I tested MediaWiki with regard to security and I have found something interesting:

Assume User A knows the path of an uploaded file, because he has access to MediaWiki. Assume the file is in images/0/00/file.gz. User A can publish the path /mediawiki/images/0/00/file.gz on his website. Another User B, who has no access to the wiki, can access that file directly.

This should be prevented.

As far as I know, it is possible to do that when you use Apache.

Any suggestions, comments?

Regards, Marcus