[MediaWiki-l] Special:Version leaks info on open_basedir


[MediaWiki-l] Special:Version leaks info on open_basedir

Jeffrey Walton
Hi Everyone,

A while back we applied hardening per
http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
. Our php.ini includes the following:

    ;; #15 Limit PHP Access To File System
    ;; Allows recursive descent
    open_basedir="/var/www/html/:/var/lib/php/"

When (1) the cache is stale, and (2) we run Special:Version, then part
of our security configuration is provided:
https://cryptopp.com/special-version.png

Is there any way to close that hole?

I'm OK with allowing Git to run, but I don't know how to do it short
of opening up /usr/bin to the web server.

Thanks in advance.

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Re: Special:Version leaks info on open_basedir

Martin Urbanec
Hey,

have a look at
https://www.mediawiki.org/w/index.php?title=Topic:Tbb9vyeslb873e9n&topic_showPostId=tbbefgxuarr3xzsv#flow-post-tbbefgxuarr3xzsv
. This post should help you.

Best,
Martin

On Sun, 23 Dec 2018 at 23:55, Jeffrey Walton <[hidden email]> wrote:


Re: Special:Version leaks info on open_basedir

Ryan Schmidt-76
In addition to Martin’s link to make git actually functional, those warnings are showing because you have display_errors turned on in your php.ini. On a production server, it is recommended that display_errors is off and that error logs are used instead. This prevents warnings and fatal errors from leaking info to site visitors.

Regards,
Ryan Schmidt

> On Dec 23, 2018, at 4:08 PM, Martin Urbanec <[hidden email]> wrote:
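The combination Ryan describes, as an added php.ini example that is not from the thread, from the cyberciti tutorial or from MediaWiki itself: the open_basedir line from the original post kept as-is, the setting that produced the leak shown beside the hardened one, and errors routed to a server-side log instead of the response. The log path and the use of a reload afterwards are assumptions.

```ini
; Added example, not part of the original thread.

; Restrict PHP file access to the wiki tree and the PHP state directory
; (the two directories from the original post).
open_basedir = "/var/www/html/:/var/lib/php/"

; Weak setting that caused the leak: with display_errors on, PHP renders
; warnings into the HTML response, including the open_basedir warning that
; names the allowed path(s) when MediaWiki tries to reach an executable
; such as git outside them.
;display_errors = On

; Hardened settings: nothing from the engine reaches site visitors;
; the same warnings and fatal errors are written to the log instead.
display_errors = Off
display_startup_errors = Off
log_errors = On
; Assumed path; it must exist and be writable by the web server user.
error_log = /var/log/php/error.log
```

After changing php.ini, reload the web server or php-fpm and confirm the values the web SAPI actually uses; the CLI often loads a different php.ini than Apache or php-fpm, so `php --ini` and `php -i | grep -E 'display_errors|log_errors'` only tell you about the CLI configuration. The database-down errors that the original poster relies on still arrive, in the error log rather than in the page.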

Re: Special:Version leaks info on open_basedir

Jeffrey Walton
On Sun, Dec 23, 2018 at 7:12 PM Ryan Schmidt <[hidden email]> wrote:
>
> In addition to Martin’s link to make git actually functional, those warnings are showing because you have display_errors turned on in your php.ini. On a production server, it is recommended that display_errors is off and that error logs are used instead. This prevents warnings and fatal errors from leaking info to site visitors.

Thanks.

Yeah, we do run with errors enabled so we receive information when the
database is down. The Linux OOM killer whacks the mysqld process on
occasion.
