
MediaWiki-Docker exposes wiki admin password to web
Closed, Declined | Public | Security

Description

The MediaWiki-Docker setup uses a .env file with environment variables to be used by Docker, including the initial username & password to use when creating a wiki admin user.

If this is not subsequently removed from the file, it will be exposed to the web (or at least local network) at /w/.env, like this:

MW_DOCKER_PORT=8080
MW_SCRIPT_PATH=/w
MW_SERVER=http://localhost:8080
MEDIAWIKI_USER=Admin
MEDIAWIKI_PASSWORD=dockerpass
XDEBUG_CONFIG=''
MW_DOCKER_UID=502
MW_DOCKER_GID=20

Recommend either finding a one-time way to save and pass that info, or forbidding it from access to the web.

Details

Risk Rating
Informational
Author Affiliation
WMF Technology Dept

Event Timeline

Hello @brion -

Thanks for reporting this. I believe MediaWiki-Docker is intended purely to be used as a local development environment, and should never be deployed as any kind of production application. I suppose some clarification or hardening could be added here though. Maybe leaving the values as empty strings within the default .env file and then having an install/setup script randomize them. Or having a basic htaccess rule that prevents exposure. Or providing more warnings that MediaWiki-Docker should only be used as a local development environment and, if deployed anywhere as a public-facing application, have its environment configuration altered appropriately.
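
An added example, not code from the task or from MediaWiki-Docker, of the pre-exposure check the two posts above point at: it parses the .env quoted in the description, flags MEDIAWIKI_PASSWORD still sitting at a shipped default, and tests whether the file really answers at MW_SERVER + MW_SCRIPT_PATH + /.env (the hole an htaccess rule would close). The default-password list and the injectable `fetch` callable are assumptions made here for illustration.

```python
import urllib.error
import urllib.request
# Constructed sample, identical to the .env quoted in the task description.
SAMPLE_ENV = """MW_DOCKER_PORT=8080
MW_SCRIPT_PATH=/w
MW_SERVER=http://localhost:8080
MEDIAWIKI_USER=Admin
MEDIAWIKI_PASSWORD=dockerpass
XDEBUG_CONFIG=''
MW_DOCKER_UID=502
MW_DOCKER_GID=20
"""

KNOWN_DEFAULTS = {"MEDIAWIKI_PASSWORD": {"", "dockerpass"}}  # assumption: shipped defaults

def parse_env(text):
    """Parse docker-style KEY=VALUE lines; skip blanks and comments, strip matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def env_url(env):
    """URL the file is served at when the checkout is the web root: MW_SERVER + MW_SCRIPT_PATH + /.env."""
    return env["MW_SERVER"].rstrip("/") + "/" + env["MW_SCRIPT_PATH"].strip("/") + "/.env"

def default_secrets(env):
    """Keys whose value is still empty or a known default, e.g. MEDIAWIKI_PASSWORD=dockerpass."""
    return sorted(k for k, bad in KNOWN_DEFAULTS.items() if env.get(k, "") in bad)

def http_fetch(url):
    """Default fetcher returning (status, body); HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def is_env_served(url, fetch=http_fetch):
    """True only if the server answers 200 and the body parses as a .env carrying the admin credential keys."""
    status, body = fetch(url)
    return status == 200 and {"MEDIAWIKI_USER", "MEDIAWIKI_PASSWORD"}.issubset(parse_env(body))
```

Run `is_env_served(env_url(parse_env(open(".env").read())))` against a local instance; a 403 or a non-.env body (e.g. the wiki's 404 page) correctly yields False.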

mmartorana changed the task status from Open to In Progress. Jun 16 2022, 10:34 AM
mmartorana triaged this task as Low priority.
mmartorana changed Risk Rating from N/A to Informational.

Hi @brion, does the explanation of @sbassett make sense to you?

sbassett added a project: SecTeam-Processed.
sbassett moved this task from Incoming to Frozen on the Security-Team board.
sbassett changed Author Affiliation from N/A to WMF Technology Dept.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".