
Lock down sql.php to only be able to access wikis
Closed, Resolved (Public)

Description

We found out today that sql.php can access all dbs from db4, thus a security risk.

We need to lock it down so it can only access wiki dbs.

Event Timeline

Paladox raised the priority of this task from High to Unbreak Now!. Jul 31 2018, 15:37
Paladox changed the edit policy from "Custom Policy" to "Custom Policy".

Dropping of course does not work, but accessing any db that is not meant for mw-admins (such as phabricator_*, icinga, etc.) can be done via the sql.php prompt.

Tables can also be created.

Reception123 lowered the priority of this task from Unbreak Now! to High. Jul 31 2018, 15:46

We have changed it to root only for now, but mw-admins should still be able to use sql.php so we should find another solution.

I have locked down sql.php on mw* by running chown root:root sql.php and chmod 0400 sql.php.

Okay, can access - but can't use.

This is an overreaction and not a security issue. I'd like people to verify however first.

John claimed this task.

Done a minor change but this was never a security issue.

John changed the visibility from "Custom Policy" to "Public (No Login Required)". Jul 31 2018, 18:31
John changed the edit policy from "Custom Policy" to "All Users".
John removed a project: acl*security.
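The chmod above only stops mw-admins from running the script; it does nothing about the database account the script connects with, which is what actually decides whether phabricator_* or icinga are reachable. The following is an added example, not code from this task or from Miraheze, that audits `SHOW GRANTS` output for such a maintenance account and flags any grant reaching a database that is not a wiki database. It assumes the local convention that wiki databases are named `<something>wiki` (the `WIKI_SUFFIX` constant) and uses constructed sample grant lines.

```python
import re

# Constructed sample output of `SHOW GRANTS FOR 'wikiadmin'@'%'`; the user
# name and databases are invented to model the situation in the report
# (a maintenance account that can reach non-wiki databases on the same host).
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'wikiadmin'@'%'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `metawiki`.* TO 'wikiadmin'@'%'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `phabricator_%`.* TO 'wikiadmin'@'%'",
    "GRANT ALL PRIVILEGES ON `icinga`.* TO 'wikiadmin'@'%'",
    "GRANT SELECT ON `%wiki`.* TO 'wikiadmin'@'%'",
]

# Assumption: wiki databases end in "wiki"; a wildcard grant such as `%wiki`
# is accepted because it can only ever match wiki databases.
WIKI_SUFFIX = "wiki"

GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<db>\S+)\.(?P<tbl>\S+) TO ")


def parse_grant(line):
    """Split one SHOW GRANTS line into (privileges, database, table)."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised grant line: %r" % line)
    return (m.group("privs").strip(),
            m.group("db").strip("`"),
            m.group("tbl").strip("`"))


def is_wiki_db(db):
    return db.endswith(WIKI_SUFFIX)


def audit_grants(lines):
    """Return (database, reason) for every grant that reaches beyond wiki dbs."""
    findings = []
    for line in lines:
        privs, db, _tbl = parse_grant(line)
        if privs == "USAGE":
            # USAGE confers no rights; it is only the account's existence row.
            continue
        if db == "*":
            findings.append((db, "global grant reaches every database"))
        elif not is_wiki_db(db):
            findings.append((db, "grant on non-wiki database"))
    return findings


if __name__ == "__main__":
    for db, reason in audit_grants(SAMPLE_GRANTS):
        print("%-16s %s" % (db, reason))
```

Run it against the real account's `SHOW GRANTS` output to see whether the script's connection, rather than its file permissions, is what needs tightening.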