Manual:Security/ja

'''このガイドは未完であるが、サーバのセキュリティを強化したい管理者がいる場所への紹介を提供する. --brion 00:34, 15 Jun 2005 (UTC)'''

webサーバの構成と大きなサーバを動かしている人々に対してここにあるいくつかの助言は連動する. もしも、それらのいくつかに失敗したとしても、心配することはない!一般的な中尉事項は全てに適用する.


 * もしも、MediaWikiまたはWikimediaのwebサイト中でセキュリティ問題を発見したと信じるならば、security&#64;wikimedia.orgに直接コンタクトを取ってほしい. そうすれば、バグフィックスリリースを準備できる. 

最新のものにする
やらなければならない、ほとんどの重要なセキュリティステップは、ソフトウェアを最新にすることである. MediaWikiとそれに従属するソフトウェアの両方は、あなたに影響するであろう、新しく発見されたセキュリティの脆弱性を収集する新しいバージョンを時折作成する.

MediaWikiを動かしている誰でもmediawiki-announce mailing listを購読することを強く推奨する. これは、新しいバージョンのアナウンスのみの、非常に流量の少ないMLである.

現時点(2006年10月)において、1.8.1がちょうどリリースされている時に、1.7.xのセキュリティアップデートを作成している.

最新版の1.7か1.8を動かしているならば、合理的にセキュアにすべきであり、知っている限りと、既定値の構成が不必要な脆弱性がないという範囲において、任意の脆弱性はない. もしも、古いバージョンを動かしているか、1.5.xかそれより古いバージョンを津catっているならば、あなたに影響がある問題があり、アップグレードを考えることを強く推奨する.

サーバ上で動いているApache、PHP、MySQLと他のソフトウェアをアップデートすることも忘れないこと -- OSと他のwebアプリケーションもである. wormの圧タックのphpBB中中の欠陥によって、いくつかの人が使っているMediaWiki 1.3.x インストールは2004秋中に影響される;利用者のパッチされてない他のphpBBサイトを通して、それは得られ、それに"you are hacked"というメッセージがシステム上の他の書き込み可能な.phpファイルに追加され、それにはMediaWiki 1.3が使うコンパイルされたテンプレートも含む.

一般的なPHP設定の推奨
ここにはPHP環境に対するよりよい小さなアドバイスがあり、それらはMediaWikiに必須のものではない.

php.iniまたはその他の設定のためのPHP構成の推奨:


 * を無効にする.
 * 多くのPHPセキュリティ攻撃はグローバル変数の価のインジェクションに基づいているので、それをoffにすることは潜在的な脆弱性をなくすことが出来る.
 * もしも他のwebアプリケーションのために を必要とするならば、仮想ホストかそれが必要とするサブディレクトリのみに選択的に有効にすることを考慮すべきである.
 * MediaWikiは、もしもそれがonでもセキュアにすべきである;これをoffにすることは、未知の脆弱性の可能性に対して予防処置を取ることになる.
 * Unless you require it specifically, disable.
 * Remote PHP code execution vulnerabilities may depend on being able to inject a URL into a  or  . If you don't require the use of remote file loading, turning this off can prevent attacks of this kind on vulnerable code.
 * MediaWiki may require this setting to be on for the Lucene search extension, the OAI harvester extension, and certain uses of Special:Import in 1.5. It should not however be required in a typical installation.
 * MediaWiki should be safe even if this is on; turning this off is a precaution against the possibility of unknown vulnerability.
 * Set  off.
 * If this is on, session IDs may be added to URLs sometimes if cookies aren't doing their thing. That can leak login session data to third-party sites through referer data or cut-and-paste of links.
 * You should always turn this off if it's on.

Your php.ini may be located in:
 * /etc/php.ini (Red Hat Linux, SuSE / Novell Linux)
 * /etc/php4/apache/php.ini (Debian woody and sarge, Ubuntu 6.10 with php4 and apache 1.3)
 * /etc/php5/apache2/php.ini (Ubuntu 6.10 with php5 and apache2)
 * /etc/httpd/php.ini (Trustix Secure Linux 3.0)
 * /usr/local/php/lib/php.ini (Mac OS X using Marc Liyanage's PHP package)
 * /etc/apache/php.ini (Slackware 10.x)
 * /var/www/conf/php.ini (OpenBSD)
 * /usr/local/etc/php.ini (FreeBSD)
 * /usr/pkg/etc/php.ini (NetBSD)
 * Gentoo Linux:
 * /etc/php/apache2-php4/php.ini
 * /etc/php/cli-php4/php.ini
 * /etc/apache2/php.ini
 * c:\windows\php.ini (Windows)

For instance if you see this line in php.ini:

register_globals = On

Change it to:

register_globals = Off

Alternatively, you could add this apache directive to turn off register_globals on a per-directory basis:

php_flag register_globals off

Then restart Apache to reload the changes.

On a multiuser system with PHP installed as an Apache module, all users' scripts will run under the same reduced-privilege user account. This may give other users access to read your configuration files (including database passwords), read and modify your login session data, or write files into your upload directory (if enabled).

For multiuser security, consider using a CGI/FastCGI configuration in which each user's scripts run under their own account, or enabling Safe Mode to limit script access to other users' files. Note that safe mode may interfere with some features of MediaWiki such as uploading and extensions which shell out to other programs.

General MySQL recommendations
In general, you should keep access to your MySQL database to a minimum. If it will only be used from the single machine it's running on, consider disabling networking support, or enabling local networking access only (via the loopback device, see below), so the server can only communicate with local clients over Unix domain sockets.

If it will be used over a network with a limited number of client machines, consider setting the IP firewall rules to accept access to TCP port 3306 (MySQL's port) only from those machines or only from your local subnet, and reject all accesses from the larger internet. This can help prevent accidentally opening access to your server due to some unknown flaw in MySQL, a mistakenly set overbroad GRANT, or a leaked password.

If you create a new MySQL user for MediaWiki through MediaWiki's installer, somewhat liberal access is granted to it to ensure that it will work from a second server as well as a local one. You might consider manually narrowing this or establishing the user account yourself with custom permissions from just the places you need.

Note that the  table in MediaWiki's database contains hashed user passwords and may contain user e-mail addresses, and should generally be considered private data.

See:
 * mysql command-line options.
 * Setting  in your my.ini (under section  ) will cause MySQL to only listen on the loopback interface. This is the default in the EasyPHP install for Windows
 * GRANT and REVOKE syntax

Manual installation
If you use the web-based installer, you may be vulnerable to attack by somebody else running the installer on your server between the time you make the  directory writable and the time the   file is written out.

Usually this should not be a very large risk, but if it's unacceptable to you (or if you need to do a batch install of many wikis), consider doing an installation manually:
 * Create a database
 * Grant user permissions
 * Source  to create the tables.
 * Create a  based on a sample or the generation code in , and   based on

If PHP is running as an Apache module, the LocalSettings.php generated by the web installer will usually be owned by the Apache user account. To ensure that it can't be changed again by another user (see notes above about multiuser systems) or by malicious code injected to a vulnerable web application, you should reassign it to another account. (If you have only limited access, consider copying instead of moving the file; the new copy will be under your other account.)

Alternate file layout
MediaWiki is designed to run in-place after being extracted from the distribution archive, for ease of installation.

You can however manually consolidate or relocate various files, to avoid duplicates in a mass installation or to keep sensitive files out of the web root for safety.

(Moving the main includes and skin files may require carefully picking and choosing and altering the include_path set in your LocalSettings.php. Experiment with this as desired.)

Consider moving the database password or other potentially sensitive data from LocalSettings.php to another file located outside of the web document root, and ing that file from LocalSettings.php. This can help to ensure that your database password will not be compromised if a web server configuration error disables PHP execution and reveals the file's source text.

Similarly, editing  with some text editors will leave a backup file in the same directory with an altered file extension, causing the copy to be served as plain text if someone requests eg. If you use such an editor, be sure to disable backup generation or move sensitive data outside the web root.

User security
Someone able to edit the user-interface messages in the MediaWiki: namespace can introduce arbitrary HTML and JavaScript code into page output. This means wiki user accounts with the 'sysop' permission, as well as anyone with direct write access to the cur table in the database.

Malicious attacks here could be used to snarf users' passwords as they login, or to attempt to exploit browser vulnerabilities (install spyware, etc). So, you should make sure that only trusted people have these permissions.

Upload security
File uploads are an optional feature of MediaWiki and are disabled by default. If you enable them, you also need to provide a directory in the web root which is writable by the web server user.

This has several implications for security:
 * The directory may have to be world-writable, or else owned by the web server's limited user account. On a multiuser system it may be possible for other local users to slip malicious files into your upload directory (see multiuser notes above)
 * While PHP's configuration sets a filesize limit on individual uploads, MediaWiki doesn't set any limit on total uploads. A malicious (or overzealous) visitor could fill up a disk partition by shoving lots and lots of uploads at you.
 * Generated thumbnails and uploaded files held for overwrite confirmation may be kept in images/thumb and images/tmp without visible notice in the MediaWiki web interface. Keep an eye on their sizes as well.

The default configuration makes an attempt to limit the types of files which can be uploaded for safety:
 * By default, file extensions .png, .gif, and .jpg are whitelisted.
 * Various executable and script extensions are explicitly blacklisted even if you disable the whitelist.
 * Multiple file extensions are checked against the blacklist.
 * Several known image file extensions have their types verified using PHP's getimagesize function.
 * Uploaded files are checked to see if they could trip filetype detection bugs in Internet Explorer and Safari which might cause them to display as HTML.

In case these checks turn out to be insufficient, you can gain further protection by explicitly disabling server-side execution of PHP scripts (and any other scripting types you may have) in the uploads directory (by default, ).

For instance, an Apache .conf file fragment to do this if your MediaWiki instance is in /Library/MediaWiki/web might look something like:

 # Ignore .htaccess files AllowOverride None # Serve HTML as plaintext, don't execute SHTML AddType text/plain .html .htm .shtml # Don't run arbitrary PHP code. php_admin_flag engine off # If you've other scripting languages, disable them too. 

Your exact configuration may vary

Note that use of PHP's safe mode or open_basedir options may complicate handling of uploads.

External programs

 * may be executed for edit conflict merging.
 * If ImageMagick support for thumbnails or SVG images is enabled,  may be run on uploaded files.
 * If enabled, the texvc math extension will call  executable, which calls ,  , and   (which calls  ).

Fixes for past vulnerabilities
If you are running an older-than-current version of either the 1.4 or 1.3 branches, or a 1.2 or older release, you should upgrade immediately:


 * 1.4.5: fixes template HTML JavaScript injection
 * 1.4.2: fixes JavaScript injection if $wgUseTidy on


 * 1.3.13: fixes template HTML JavaScript injection
 * 1.3.12: fixes JavaScript injection if $wgUseTidy on
 * 1.3.11: fixes several XSS injections, introduces protection against offsite form submission forgery, fixes directory traversal in image deletion
 * 1.3.10: fixes XSS injection, partial protection against offsite form submission forgery; user JavaScript now disabled by default
 * 1.3.9: fix to upload file extension blacklisting if whitelist is too wide is disabled; possible PHP code injection on vulnernable configurations
 * 1.3.7: fixes a bug in handling of protected pages
 * 1.3.4: added upload checks for HTML/JavaScript injection

The 1.2 branch has been discontinued. It's known to contain the template HTML JavaScript injection vulnerability and may contain other problems; upgrading to a current release is strongly recommended.