https://bugzilla.wikimedia.org/show_bug.cgi?id=32054

       Web browser: ---
             Bug #: 32054
           Summary: Hide Special:Version unless activated in configuration
           Product: MediaWiki
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: Special pages
        AssignedTo: [email protected]
        ReportedBy: [email protected]
    Classification: Unclassified


Special:Version enables people to easily locate unpatched installations of
various pieces of system software, specifically PHP, MySQL and MediaWiki
extensions. When a new vulnerability is uncovered on a piece of software, all
an attacker has to do is search on Google for the version number and a string
like "This wiki is powered by MediaWiki" and they'll find a bunch of pages from
MediaWiki installs running on unpatched machines.

Now, I'm not saying Special:Version isn't useful, and indeed, for the Wikimedia
projects, they should definitely be available so the community clustered around
noticeboards like VPT on enwiki and similar noticeboards on other wikis can
keep track of what extensions and versions are running on different wikis. And
I'd hope that Wikipedia and other WMF-hosted wikis would be kept well-patched
in a way that other wikis are not.

But until other MediaWiki installations become as conscientious at applying
updates, it seems like a sensible idea to make it so that Special:Version isn't
publicly viewable (sysops, obviously, should be able to see it by default).
Then they can change LocalConfiguration.php to make it publicly viewable if
they want to take the risk. Even if MediaWiki is perfectly secure and the
MediaWiki install has secure passwords, Special:Version potentially helps
people exploit other insecure software on the same server.


_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
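The report asks for Special:Version to be hidden from the public by default, visible to sysops, and re-enabled by a site administrator who accepts the risk. As an added example (not part of the bug report and not MediaWiki's own code), the LocalSettings.php fragment below implements that policy with a custom right and the core `SpecialPage_initList` hook; the right name `viewversion` is an assumption chosen for this example.

```php
<?php
// Added example, not from the bug report: restrict Special:Version to users
// holding a custom 'viewversion' right, granted to the sysop group by default.
// Belongs in LocalSettings.php. Relies on the core 'SpecialPage_initList' hook,
// which receives the array of special-page names by reference.

$wgAvailableRights[] = 'viewversion';          // register the right so it shows up in Special:ListGroupRights
$wgGroupPermissions['sysop']['viewversion'] = true;

// A site that accepts the disclosure risk described in the report can make the
// page public again with a single line:
// $wgGroupPermissions['*']['viewversion'] = true;

$wgHooks['SpecialPage_initList'][] = function ( array &$list ) {
    $user = RequestContext::getMain()->getUser();
    if ( !$user->isAllowed( 'viewversion' ) ) {
        // Removing the entry makes MediaWiki treat Special:Version as a
        // nonexistent special page for this request, so anonymous visitors and
        // search-engine crawlers never see the PHP/MySQL/extension version list.
        unset( $list['Version'] );
    }
    return true;
};
```

This hides only the special page itself; the version string MediaWiki emits elsewhere in page HTML (the `generator` meta tag) is unaffected, so the measure reduces the search-based enumeration the report describes rather than eliminating version disclosure entirely.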
