Topic on Project:Support desk

Your default directory for uploads /var/www/mediawiki/images/ is vulnerable to arbitrary scripts execution.

MrJConstantine (talkcontribs)

I tried this solution and added the following to my apache2.conf file:

<Directory /var/www/mediawiki/images>
    AllowOverride None
    AddType text/plain .html .htm .shtml .phtml
    <IfModule LiteSpeed>
        php_admin_flag engine off
    </IfModule>
</Directory>

I added the <IfModule LiteSpeed> and </IfModule> tags according to this because otherwise my apache2 server shows a syntax error on the line where php_admin_flag is.

I also tried to add the following to the /var/www/mediawiki/images/.htaccess file:

AddType text/plain .html .htm .shtml .phtml .php .php3 .php4 .php5 .php7
RemoveHandler .php
<FilesMatch "\.ph(p[3457]?s?|tml)$">
    SetHandler None
</FilesMatch>

but it did not help.

I changed the server API from Apache 2.0 Handler to FPM/FastCGI as this is one of MediaWiki's requirements.

What else can I do to solve that security problem? The help is appreciated.

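Added example, not part of the original post: a small static check of the posted <Directory> block that reports which directives have no effect as written. The LOADED module list is an assumption for an Apache host running PHP through FPM without mod_php, and audit is a hypothetical helper name.

```python
import re

# Constructed input: the <Directory> block quoted in the post.
POSTED_CONF = """\
<Directory /var/www/mediawiki/images>
AllowOverride None
AddType text/plain .html .htm .shtml .phtml
<IfModule LiteSpeed>
php_admin_flag engine off
</IfModule>
</Directory>
"""
# Assumption: modules loaded on an Apache + PHP-FPM host (no mod_php).
LOADED = {"mime_module", "proxy_module", "proxy_fcgi_module"}
PHP_DIRECTIVES = {"php_flag", "php_value", "php_admin_flag", "php_admin_value"}


def audit(conf, loaded):
    """Return findings about directives that have no effect as written."""
    findings, guards = [], []  # guards: stack of (module name, is_active)
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<IfModule\s+(!?)([^>\s]+)\s*>", line, re.I)
        if m:
            negated, name = m.group(1) == "!", m.group(2)
            # The body is processed only when the test is true.
            guards.append((name, (name in loaded) != negated))
            continue
        if re.match(r"</IfModule>", line, re.I):
            guards.pop()
            continue
        if line.startswith("<"):  # other section tags, e.g. <Directory>
            continue
        directive = line.split()[0]
        skipped = [name for name, active in guards if not active]
        if skipped:
            findings.append(f"inert: '{line}' (IfModule {skipped[0]} is false)")
        elif directive.lower() in PHP_DIRECTIVES and not any("php" in x for x in loaded):
            findings.append(f"syntax error: '{directive}' needs mod_php")
        elif line.lower() == "allowoverride none":
            findings.append("htaccess ignored: AllowOverride None")
    return findings
```

On the posted block this reports that `php_admin_flag engine off` is skipped and that the `.htaccess` file in the same directory is never read, so none of the directives tried there can take effect.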