Last modified: 2011-09-05 00:42:44 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T22594, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 20594 - wgDBname should not be exposed in mw.config
Status: RESOLVED WONTFIX
Product: MediaWiki
Classification: Unclassified
Component: Database
Version: 1.14.x
Hardware: All All
Importance: Low critical
Assigned To: Nobody - You can work on this!
Keywords: patch, patch-need-review

Reported: 2009-09-11 14:18 UTC by Suyash jain
Modified: 2011-09-05 00:42 UTC


Attachments
Remove {dbname} placeholder (2.46 KB, patch)
2009-09-13 22:23 UTC, Platonides

Description Suyash jain 2009-09-11 14:18:17 UTC
Hi,

I have found that MediaWiki passes potential information like the database name through JavaScript on each page.

<script type="text/javascript">/*<![CDATA[*/

var wgDBname = "mediawikiwiki";

var wgSearchNamespaces = [0, 12, 100, 102];

var wgMWSuggestMessages = ["with suggestions", "no suggestions"];

var wgRestrictionEdit = ["sysop"];

var wgRestrictionMove = ["sysop"];

/*]]>*/</script>

Can someone tell me how to hide this information?
Comment 1 Suyash jain 2009-09-11 14:43:11 UTC
I also found that these entire lines are displayed by the following function in includes/Skins.php:


        static function makeVariablesScript( $data ) {
                global $wgJsMimeType;
                
                $r = "<script type= \"$wgJsMimeType\">/*<![CDATA[*/\n";
                foreach ( $data as $name => $value ) {
                        $encValue = Xml::encodeJsVar( $value );
                        $r .= "var $name = $encValue;\n";
                        
                }       
                $r .= "/*]]>*/</script>\n";
                        
                return $r;
        }


So I have changed it to the following:


        static function makeVariablesScript( $data ) {
                global $wgJsMimeType;
                        
                $r = "<script type= \"$wgJsMimeType\">/*<![CDATA[*/\n";
                foreach ( $data as $name => $value ) {
                        $encValue = Xml::encodeJsVar( $value );
                        // Skip wgDBname so it is never written into the page
                        if ( $name == 'wgDBname' ) {
                                continue;
                        }
                        $r .= "var $name = $encValue;\n";
                }
                $r .= "/*]]>*/</script>\n";
                        
                return $r;
        }
Comment 2 Platonides 2009-09-13 22:23:11 UTC
Created attachment 6549
Remove {dbname} placeholder

You can remove it by disabling MWSuggest ($wgEnableMWSuggest = false on LocalSettings.php) or, since MWSuggest doesn't really need it, in Skin.php change the line $vars['wgDBname'] = $wgDBname; to anything else, like $vars['wgDBname'] = "I won't tell you";

The wgDBname JavaScript variable is used to replace {dbname} in the suggest template with the database name. However, the default $wgMWSuggestTemplate doesn't use such a placeholder, the search URL shouldn't need it (a script relying on it would be insecure), and even if needed, $wgMWSuggestTemplate could include {$wgDBname} in the definition.
Comment 3 Suyash jain 2009-09-14 04:03:18 UTC
I feel MWSuggest is required, but as for the other option you mentioned, I have already done the same.

I wanted to know whether it will cause any trouble for running MediaWiki.
Comment 4 Platonides 2009-09-14 11:38:02 UTC
dbname is not used by MWSuggest for anything, unless you customized MWSuggest by changing $wgEnableMWSuggest to something which contains {dbname}.

To hide it, you can:
a) Disable MWSuggest
b) Filter it at skin stage as shown on comment 1 (you will get a javascript error).
c) Modify its content as in comment 2 to something different than the database name.
d) Apply the patch that removes the placeholder (may not apply cleanly, since it's against trunk).
Comment 5 Roan Kattouw 2009-09-14 11:57:58 UTC
Note that $wgDBname is also used for cookie names, which means anyone can easily obtain its value anyway. Also, it's not really of any use to an attacker.
Comment 6 Platonides 2009-09-14 12:14:19 UTC
He could set $wgCookiePrefix to something different than the dbname.

There's no reason to expose that variable (see my analysis above). The same way we allow people to not expose their paths or server names, we shouldn't force them to share their database name.
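
An added example, not part of the original thread or of MediaWiki's code: a Python check a wiki operator can run over their own wiki's responses to see where the database name is still visible, covering the inline script from the description and the cookie names raised in comments 5 and 6. The sample page fragment, the cookie values, the `wk` prefix and all function names are constructed for illustration.

```python
import re

# Inline assignments as emitted by makeVariablesScript(): var wgName = "value";
VAR_RE = re.compile(r'var\s+(wg\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')

# Constructed sample data: a page fragment like the one in the description,
# and a Set-Cookie header whose name uses the database name as its prefix.
SAMPLE_HTML = '''<script type="text/javascript">/*<![CDATA[*/
var wgDBname = "mediawikiwiki";
var wgSearchNamespaces = [0, 12, 100, 102];
var wgRestrictionEdit = ["sysop"];
/*]]>*/</script>'''
SAMPLE_COOKIES = ["mediawikiwiki_session=0123abcd; path=/; HttpOnly"]
# The same responses after option (c) from comment 4 and a custom $wgCookiePrefix.
CHANGED_HTML = SAMPLE_HTML.replace('"mediawikiwiki"', '"I won\'t tell you"')
CHANGED_COOKIES = ["wk_session=0123abcd; path=/; HttpOnly"]


def js_string_vars(html):
    """Return {name: value} for string-valued wg* variables in inline scripts."""
    return {m.group(1): m.group(2) for m in VAR_RE.finditer(html)}


def cookie_names(set_cookie_headers):
    """Return the cookie name from each Set-Cookie header value."""
    return [h.split("=", 1)[0].strip() for h in set_cookie_headers if "=" in h]


def audit(html, set_cookie_headers, dbname):
    """List where the configured database name is visible to any client."""
    findings = []
    if js_string_vars(html).get("wgDBname") == dbname:
        findings.append("inline script: wgDBname")
    for name in cookie_names(set_cookie_headers):
        if name.startswith(dbname):
            findings.append("cookie name: " + name)
    return findings


if __name__ == "__main__":
    for label, html, cookies in (("default", SAMPLE_HTML, SAMPLE_COOKIES),
                                 ("changed", CHANGED_HTML, CHANGED_COOKIES)):
        print(label, audit(html, cookies, "mediawikiwiki") or "no exposure found")
```

Changing only the page variable still leaves the cookie finding, so both places have to be checked together.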
Comment 7 Suyash jain 2009-09-15 03:22:04 UTC
I am totally satisfied with Platonides. Displaying the Database is very very useful for an attacker. With it you are telling that "BOSS Come this is the Key Combination to Open my Locker". :))

Kindly let me know if other potential information is being leaked.
Comment 8 Roan Kattouw 2009-09-15 10:15:08 UTC
(In reply to comment #7)
> I am totally satisfied with Platonides. Displaying the Database is very very
> useful for an attacker. With it you are telling that "BOSS Come this is the Key
> Combination to Open my Locker". :))
>
> Kindly let me know if other potential information is being leaked.

It's not that much of a vulnerability, really. I agree that we shouldn't expose it if not necessary, but it's not like the DB name is the attacker's magic key to everything; you still need the DB username+password and a way to connect to the DB server before you can get anywhere.
Comment 9 Platonides 2009-09-15 13:42:09 UTC
(In reply to comment #7)
> Kindly let me know if other potential information is being leaked.

Settings you may want to verify:
http://www.mediawiki.org/wiki/Manual:$wgShowExceptionDetails
http://www.mediawiki.org/wiki/Manual:$wgShowSQLErrors
http://www.mediawiki.org/wiki/Manual:$wgShowDebug
http://www.mediawiki.org/wiki/Manual:$wgShowHostnames
Comment 10 Brion Vibber 2009-09-17 19:15:00 UTC
This probably should be exposing the wiki id rather than the raw db name; the wiki id currently defaults to the prefix + db name, but can be overridden.
Comment 11 Max Semenik 2009-11-29 16:36:07 UTC
Note: some work in this direction was committed in r59548
Comment 12 Craig Box 2010-02-09 16:38:01 UTC
In the case of database error, there is the setting $wgShowSQLErrors which controls whether or not the SQL message is shown.

However, the error from the database is always shown, regardless.  This potentially gives away a lot about the database (including hostname) and it should not be displayed.
Comment 13 p858snake 2011-04-30 00:09:37 UTC
*Bulk BZ Change: +Patch to open bugs with patches attached that are missing the keyword*
Comment 14 Krinkle 2011-08-31 18:24:31 UTC
As of a few versions, wgDBname is no longer exposed conditionally on MWSuggest; it's on all pages.

Afaik, this is the only consistent unique identifier scripts can use in a wikifarm environment to know on which wiki they are. So unless there's an alternative for that, this should not be removed imho (especially since it's of no use to an attacker, and there are other ways to get this information from MediaWiki).
Comment 15 Krinkle 2011-08-31 18:26:27 UTC
Removed URL which linked to spam.
