It's not a very good design, security-wise, for included PHP files to be
within the web document root. See
http://meta.wikimedia.org/wiki/Documentation:Security#Alternate_file_layout.
That said, this situation alone does not seem to be an exploitable security
problem.
Personally I've moved all the included files outside the document root.
MediaWiki wasn't designed for this, so I do a chdir() at the top of each
directly accessed PHP file. This hasn't been tested very well, might not
work right, and might present security problems of its own. The proper
solution would be for the MediaWiki developers to explicitly design the wiki
software to run in this way, possibly as an option if there is some
particular reason, but I don't see what that reason could be.
Anthony
On 9/2/05, dug <dalford(a)mindleaders.com> wrote:
I've noticed that the admin password to the MySQL db is included in plain
text in the LocalSettings.php file in my Wiki directory, which is set to
755, readable and executable by the world. Am I being paranoid, or is this
a slightly insecure situation?
Can the password be encrypted, or is there some other security measure I
should take?
TIA
--doug
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l(a)Wikimedia.org
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
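
A defender-side check for the two conditions discussed in this thread (a settings file that sits inside the web document root, and one whose mode lets "other" read it), as an added example that is not part of the original e-mails. The function names and finding labels are hypothetical, and it assumes a POSIX shell with `find`.

```shell
#!/bin/sh
# Added example (not from the thread): audit where a settings file such as
# LocalSettings.php lives and who may read it.
# Usage: audit_settings DOCROOT FILE
# Prints one finding per line. Returns 0 if clean, 1 if findings, 2 on error.

# Canonicalise a path: resolve symlinks in its directory part.
canon() {
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename "$1")"
}

audit_settings() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "ERROR: bad docroot"; return 2; }
    file=$(canon "$2") || { echo "ERROR: bad file path"; return 2; }
    # Refuse symlinks: the mode bits checked below would be the link's own.
    [ -L "$file" ] && { echo "ERROR: file is a symlink"; return 2; }
    [ -f "$file" ] || { echo "ERROR: not a regular file"; return 2; }
    rc=0

    # Finding 1: the file is under the document root, so the web server
    # could serve it directly if PHP handling were ever misconfigured.
    case "$file" in
        "$docroot"/*) echo "IN_DOCROOT"; rc=1 ;;
    esac

    # Finding 2: the "other" read bit is set (true for mode 755), so every
    # local account on the host can read the database password.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "WORLD_READABLE"; rc=1
    fi

    # Finding 3: the "other" write bit is set, so any local account could
    # alter the wiki's configuration.
    if [ -n "$(find "$file" -prune -perm -002)" ]; then
        echo "WORLD_WRITABLE"; rc=1
    fi
    return $rc
}

# Run the audit when called with two arguments, e.g.
#   sh audit.sh /var/www/htdocs /var/www/htdocs/wiki/LocalSettings.php
# (both paths above are constructed examples).
if [ $# -eq 2 ]; then
    audit_settings "$1" "$2"
fi
```

A clean result needs the file outside the document root and a mode such as 640, with the web server's account as owner or group so PHP can still read it.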