New release contains a number of bug fixes (see release notes) and an
important security update (see below). All sites are strongly
encouraged to upgrade, or use the workarounds described below.
Release notes:
http://sourceforge.net/project/shownotes.php?release_id=198060
Download:
http://prdownloads.sourceforge.net/wikipedia/mediawiki-20031117.tar.gz?
download
Previous versions of MediaWiki contained a flaw that could be exploited
in some configurations to execute arbitrary PHP code on the server if
the *.php files are located in a web-accessible directory and are
runnable through the PHP interpreter. This likely includes most
installations.
If you can't upgrade immediately, you should be able to easily
substantially reduce the risk by doing one or more of the following:
* Leave just LocalSettings.php and the *.phtml files exposed to the
web, moving the other *.php files into a directory that's not exposed
to the web; set $IP to point to this directory in LocalSettings.php.
-or-
* Remove the "$IP/" or "{$IP}/" from all include() and include_once()
statements, keeping the *.php and *.phtml files in one place.
* Explicitly disallow access to all the *.php files in the web server.
* Configure the server to run only *.phtml files through PHP, and not
*.php. (If you do this, be sure your database passwords are not exposed
through LocalSettings.php!)
-- brion vibber (brion @ pobox.com)
important security update (see below). All sites are strongly
encouraged to upgrade, or use the workarounds described below.
Release notes:
http://sourceforge.net/project/shownotes.php?release_id=198060
Download:
http://prdownloads.sourceforge.net/wikipedia/mediawiki-20031117.tar.gz?
download
Previous versions of MediaWiki contained a flaw that could be exploited
in some configurations to execute arbitrary PHP code on the server if
the *.php files are located in a web-accessible directory and are
runnable through the PHP interpreter. This likely includes most
installations.
If you can't upgrade immediately, you should be able to easily
substantially reduce the risk by doing one or more of the following:
* Leave just LocalSettings.php and the *.phtml files exposed to the
web, moving the other *.php files into a directory that's not exposed
to the web; set $IP to point to this directory in LocalSettings.php.
-or-
* Remove the "$IP/" or "{$IP}/" from all include() and include_once()
statements, keeping the *.php and *.phtml files in one place.
* Explicitly disallow access to all the *.php files in the web server.
* Configure the server to run only *.phtml files through PHP, and not
*.php. (If you do this, be sure your database passwords are not exposed
through LocalSettings.php!)
-- brion vibber (brion @ pobox.com)
Attached Files:
-
PGP.sig (0.18 KB)