Manual:Security

General Security Considerations

 * It is seriously recommended that you configure the webserver to disable running of PHP scripts except in the script directories (the "php_admin_flag engine off/on" directives below) to prevent the uploading and running of malicious scripts.


 * The wiki code prior to version 1.2 required that register_globals be on. You may wish to turn register_globals off, because some programs may be insecure using that mode. See http://php.net/register_globals for how to disable it.


 * If your LocalSettings.php contains a password for the database user, make sure you're not saving backup files that will be accessible via the web served as text files.


 * Interpretation of PHP in the upload directory really should not be enabled, since anyone could execute arbitrary code as the webserver user. It's also recommended that you set HTML files to serve as plain text to prevent cookie-stealing attacks. As an example apache config fragment:

 php_admin_flag engine off AddType text/plain .html .htm .shtml 


 * This is also possible in the .htaccess file for the uploads directory (but make sure you write protect it) using just (note php_value not php_admin_value):

php_value engine off AddType text/plain .html .htm .shtml


 * In earlier versions there was a bug in the upload code that may have made it possible to delete files with an appropriately crafted URL. If you are using an old version (old is to be defined by someone who knows since when it was fixed, 2005-03-02), you should comment out the call to unsaveUploadedFile in SpecialUpload.php. This may occasionally leave temporary files around from uploads that are discarded.

Issues related to the Apache httpd web server
You may wish to serve HTML pages as plaintext to prevent cookie-stealing JavaScript attacks.

Example Apache config fragment:

 # Ignore .htaccess files AllowOverride None # Serve HTML as plaintext AddType text/plain .html .htm .shtml # Don't run arbitrary PHP code. php_admin_flag engine off # If you've other scripting languages, disable them too. 

register_globals
As of Mediawiki version 1.2 register_globals in php.ini is not required to be on.

It is highly recommended to turn register_globals off, unless it is required to be on by another application.

Your php.ini may be located in:
 * /etc/php.ini (Red Hat Linux)
 * /etc/php4/apache/php.ini (Debian woody)
 * /usr/local/php/lib/php.ini (Mac OS X using Marc Liyanage's PHP package)
 * /var/www/conf/php.ini (OpenBSD)
 * /etc/apache2/conf/php.ini (Gentoo Linux)

If you see this line in php.ini:

register_globals = On

Change it to:

register_globals = Off

Alternatively, you could add this apache directive to turn off register_globals on a per-directory basis:

php_flag register_globals off

Then restart Apache to reload the changes (apachectl reload).

Securing the upload directory
Interpretation of PHP in the upload directory really should not be enabled, since anyone could execute arbitrary code as the webserver user. You should actually disable all CGI scripts. It's also recommended that you set HTML files to serve as plain text to prevent cookie-stealing attacks. As an example apache config fragment:

 php_admin_flag engine off Options -ExecCGI AddType text/plain .html .htm .shtml .php 

Issues related to the MySQL database

 * If your LocalSettings.php contains a password for the database user, make sure you're not saving backup files that will be accessible via the web served as text files.

Issues related to the MediaWiki scripts
Uploads are disabled by default starting with version 1.1.0 from 2003-12-08 of the MediaWIki software. If you've set up a secure configuration you can reenable uploads by putting:

$wgDisableUploads = false;

into LocalSettings.php.

Earlier versions of MediaWiki included a bug that potentially allows logged- in users to delete arbitrary files in directories writable by the web server user by manually feeding false form data; this is now fixed.

In earlier versions of the software, you should comment out the call to unsaveUploadedFile in SpecialUpload.php. This may occasionally leave temporary files around from uploads that are discarded.

Checklist

 * Operating System: ...
 * Web Server: ...
 * Database Server: ...
 * Other: ...

Security Tests

 * Port and Vulnerability Scanner (Nessus ),
 * Packet Generators (Scapy, Nmap , Nemesis , Hping ),
 * Intrusion Detection (Snort ),
 * System Integrity Verifier (Tripwire, AFICK , Samhain )