Last modified: 2010-05-15 15:33:42 UTC
I have searched both the closed and open bug reports for "hide mysql errors" and could not find a solution. As this is my first time using MediaWiki (and checking Docs & Google for the answer), there ought to be an option to disable, or hide MySQL errors from displaying. Running MediaWiki on a production server having mysql errors displayed can create security risks. Bug #1057 is an example of this. If there is an option somewhere I'd be highly appreciative if you can guide me there. Otherwise, I'd like to request this as a feature as soon as possible. Thanks everyone. I'll start pouring over the code in the meantime to see if I can find something. http://castlecops.com
Note that because the software is open source, an attacker can find potential SQL injection problems without access to _your_ installation simply by re-enabling the error display on their local installation. Thus the benefits from obscuration of errors is going to be relatively limited. Probably the simplest way to hide the errors would be to edit the OutputPage::databaseError() function in includes/OutputPage.php. You could prune out the message reporting (not including detailed error information) or even just have it die out with a 500 Internal Server Error.
(In reply to comment #1) > Note that because the software is open source, an attacker can find > potential SQL injection problems without access to _your_ installation > simply by re-enabling the error display on their local installation. Thus > the benefits from obscuration of errors is going to be relatively limited. You're right, which is precisely why additional security measures have been taken in the server installation. However, obscuring the errors do help to prevent from displaying table names. Many (but not all) SQL Injection techniques rely on knowing table names. Why provide the mechanism on a production site to show the backend? > Probably the simplest way to hide the errors would be to edit the > OutputPage::databaseError() function in includes/OutputPage.php. You > could prune out the message reporting (not including detailed error > information) or even just have it die out with a 500 Internal Server Error. Thanks for the direct file path. On quick inspection, it looks like print $msg."\n"; Is the line that requires modification, or at the least, disable showing the error on a prod site. Development, I'd leave this in place. Perhaps offering a special setting in LocalSettings.php defining a $debug value which would show those errors as required. I'll report back after some testing.
Committed to REL1_4 and HEAD: http://mail.wikipedia.org/pipermail/mediawiki-cvs/2005-February/006515.html Set $wgShowSQLErrors = true to enable database error display, off by default.
(In reply to comment #3) > http://mail.wikipedia.org/pipermail/mediawiki-cvs/2005-February/006515.html Much obliged. Implemented and confirmed. Now "Internal Error" is displayed instead. I may fire off a bugtraq FYI on this and direct folks back here.
