Manual:Security

General Security Considerations

 * It is seriously recommended that you configure the webserver to disable running of PHP scripts except in the script directories (the "php_admin_flag engine off/on" directives above) to prevent the uploading and running of malicious scripts.


 * the wiki code prior to version 1.2 required that register_globals be on. You may not wish to turn this on server-wide because some programs may be insecure using that mode. See http://php.net/register_globals for how to enable it.


 * If your LocalSettings.php contains a password for the database user, make sure you're not saving backup files that will be accessible via the web served as text files.


 * Interpretation of PHP in the upload directory really should not be enabled, since anyone could execute arbitrary code as the webserver user. It's also recommended that you set HTML files to server as plain text to prevent cookie-stealing attacks. As an example apache config fragment:

 php_admin_flag engine off AddType text/plain .html .htm .shtml 


 * This is also possible in the .htaccess file for the uploads directory (but make sure you write protect it) using just (note php_value not php_admin_value):

php_value engine off AddType text/plain .html .htm .shtml


 * There's a bug in the upload code that may make it possible to delete files with an appropriately crafted URL. Until this is fixed, you should comment out the call to unsaveUploadedFile in SpecialUpload.php. This may occasionally leave temporary files around from uploads that are discarded.

Issues related to the Apache httpd web server
You may wish to serve HTML pages as plaintext to prevent cookie-stealing JavaScript attacks.

Example Apache config fragment:

 # Ignore .htaccess files AllowOverride None

# Serve HTML as plaintext AddType text/plain .html .htm .shtml

# Don't run arbitrary PHP code. php_admin_flag engine off

# If you've other scripting languages, disable them too. 

register_globals
As of Mediawiki version 1.2 register_globals in php.ini is not required to be on.

It is highly recommended to turn register_globals off, unless it is required to be on by another application.

Your php.ini may be located in:
 * /etc/php.ini (Red Hat Linux)
 * /etc/php4/apache/php.ini (Debian woody)
 * /usr/local/php/lib/php.ini (Mac OS X using Marc Liyanage's PHP package)

If you see this line in php.ini:

register_globals = On

Change it to:

register_globals = Off

Then restart Apache to reload the changes (apachectl reload).

Securing the upload directory
Interpretation of PHP in the upload directory really should not be enabled, since anyone could execute arbitrary code as the webserver user. It's also recommended that you set HTML files to serve as plain text to prevent cookie-stealing attacks. As an example apache config fragment:

 php_admin_flag engine off AddType text/plain .html .htm .shtml 

Issues related to the MySQL database

 * If your LocalSettings.php contains a password for the database user, make sure you're not saving backup files that will be accessible via the web served as text files.

Issues related to the MediaWiki scripts
Uploads are disabled by default starting with version 1.1.0 from 2003-12-08 of the MediaWIki software. If you've set up a secure configuration you can reenable uploads by putting:

$wgDisableUploads = false;

into LocalSettings.php.

Earlier versions of MediaWiki included a bug that potentially allows logged- in users to delete arbitrary files in directories writable by the web server user by manually feeding false form data; this is now fixed.

In earlier versions of the software, you should comment out the call to unsaveUploadedFile in SpecialUpload.php. This may occasionally leave temporary files around from uploads that are discarded.

Checklist

 * Operating System: ...
 * Web Server: ...
 * Database Server: ...
 * Other: ...

Security Tests

 * Port and Vulnerability Scanner (Nessus, Scapy ),
 * Package Generators (Nmap, Nemesis , Hping ),
 * Intrusion Detection (Snort ),
 * System Integrity Verifier (Tripwire )