Prevent Server Version Leaks in MediaWiki's Special:Version

Setting up a knowledge base or wiki is a great way of keeping people (coworkers, clients, strangers, and anyone else you can think of) informed about certain topics, and MediaWiki is one of the most popular choices for this. It powers Wikipedia, the world's largest general reference work, and thousands of other wikis on a variety of subjects.

While obscuring version information should never be your only form of security, it makes life slightly harder for anyone looking to vandalize or penetrate your webserver: an attacker who can read the exact release off a page can skip fingerprinting and go straight to the advisories that apply to it. By default, MediaWiki will tell anyone who will listen what software you’re running, and there is no configuration setting for turning this off. The solution? Let’s dig into the code behind this page, and cut it off at the source.

Open up includes/specials/SpecialVersion.php and locate the execute() method (around line 50 in the release this was written against; the exact position shifts between versions). It builds a variable called $text that holds everything the page displays, and one of the methods it concatenates into it is softwareInformation(), which produces the table of MediaWiki, PHP and database server versions. Comment out that entire line and save the file, and Special:Version no longer reports any of them. Two caveats: this is an edit to a core file, so you will have to reapply it after every MediaWiki upgrade; and it only covers Special:Version, because the MediaWiki version is also written into the meta generator tag in the head of every rendered page and returned by api.php’s siteinfo query.

includes/specials/SpecialVersion.php - SpecialVersion->execute
public function execute( $par ) {
  global $wgSpecialVersionShowHooks;
  $this->setHeaders();
  $this->outputHeader();
  $out = $this->getOutput();
  $out->allowClickjacking();

  $text =
    $this->getMediaWikiCredits() .
    // softwareInformation() renders the MediaWiki / PHP / database version table.
    // Commented out to stop the version leak
    // $this->softwareInformation() .
    $this->getEntryPointInfo() .
    $this->getExtensionCredits();

  // ... remainder of execute() unchanged
}
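
Once the edit is in place it is worth checking where the version can still be read, because the change above only touches Special:Version. The script below is an added example, not code from the original post or from MediaWiki itself: it scans captured responses for the three channels a stock install exposes (the meta generator tag on every page, the siteinfo API, and visible page text such as the software table). The URLs used as labels and the three response bodies are constructed samples standing in for responses you would capture with curl.

```php
<?php
// Added example (not from the original post or MediaWiki core): report every
// place in a set of captured responses where a MediaWiki version is disclosed.

/**
 * Scan captured responses for version disclosure and describe each finding.
 *
 * @param array $pages  label => response body (HTML or JSON)
 * @return string[]     one human-readable line per disclosure found
 */
function findVersionDisclosures( array $pages ) {
    $findings = array();
    foreach ( $pages as $label => $body ) {
        // API responses: api.php?action=query&meta=siteinfo&siprop=general
        // carry a "generator" field such as "MediaWiki 1.39.3".
        $json = json_decode( $body, true );
        if ( is_array( $json ) ) {
            if ( isset( $json['query']['general']['generator'] ) ) {
                $findings[] = "$label: API siteinfo reveals '" . $json['query']['general']['generator'] . "'";
            }
            continue; // nothing further to scan in a JSON body
        }

        // Every skinned page carries <meta name="generator" content="MediaWiki x.y.z"/>,
        // which the SpecialVersion.php edit does not touch.
        if ( preg_match( '/<meta[^>]*name="generator"[^>]*content="(MediaWiki[^"]*)"/i', $body, $m ) ) {
            $findings[] = "$label: generator meta tag reveals '" . $m[1] . "'";
        }

        // Visible text, e.g. the software table on Special:Version. Tags are
        // replaced with spaces so "MediaWiki" and "1.39.3" in adjacent table
        // cells still end up next to each other.
        $text = preg_replace( '/<[^>]+>/', ' ', $body );
        if ( preg_match_all( '/\bMediaWiki\s+(\d+\.\d+(?:\.\d+)?)/', $text, $mm ) ) {
            foreach ( array_unique( $mm[1] ) as $version ) {
                $findings[] = "$label: page text reveals 'MediaWiki $version'";
            }
        }
    }
    return $findings;
}

// Constructed sample responses (not captured from a real wiki). Replace the
// bodies with file_get_contents() of pages you fetched to test your own install.
$samples = array(
    'index.php?title=Main_Page' =>
        '<html><head><meta name="generator" content="MediaWiki 1.39.3"/></head><body>Main Page</body></html>',
    'api.php?action=query&meta=siteinfo&siprop=general&format=json' =>
        '{"batchcomplete":"","query":{"general":{"sitename":"Example Wiki","generator":"MediaWiki 1.39.3"}}}',
    'index.php?title=Special:Version' =>
        '<table><tr><td>MediaWiki</td><td>1.39.3</td></tr><tr><td>PHP</td><td>8.1.2 (fpm-fcgi)</td></tr></table>',
);

$findings = findVersionDisclosures( $samples );
if ( !$findings ) {
    echo "No MediaWiki version strings found.\n";
}
foreach ( $findings as $line ) {
    echo $line, "\n";
}
```

With the samples as constructed it reports one finding per channel. On a real install after the edit above, the Special:Version entry should disappear while the meta tag and API findings remain, which is the point: closing those requires changes elsewhere (OutputPage for the meta tag, and either disabling or restricting api.php), not another edit to SpecialVersion.php.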

Kill it with fire

If removing your software version doesn’t leave you feeling satisfied, you can remove the page entirely by commenting out a line in includes/SpecialPageFactory.php. I’m not a fan of this extreme step: it also removes the credit for the developers, the licensing information, and the list of extensions you’re using. The first two are no security risk at all; the extension list does tell a visitor which extensions (and which versions of them) you run, so weigh whether you want that public before you decide.

includes/SpecialPageFactory.php
// Wiki data and tools
'Statistics'                => 'SpecialStatistics',
'Allmessages'               => 'SpecialAllmessages',
// Commented out to remove the Special:Version page entirely
// 'Version'                   => 'SpecialVersion',
'Lockdb'                    => 'SpecialLockdb',
'Unlockdb'                  => 'SpecialUnlockdb',
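
If you do take this route, the same result is available without editing a core file. The snippet below is an added example, not code from the original post or from MediaWiki itself: it uses MediaWiki’s SpecialPage_initList hook, which hands LocalSettings.php and extensions the special-page list by reference before it is used, so the 'Version' entry can be dropped from a file that upgrades do not overwrite. The handler name wfHideSpecialVersion is my own choice.

```php
// Append to LocalSettings.php (it already opens with <?php, so do not add a second open tag).
// Added example, not code from the original post or from MediaWiki core.

/**
 * SpecialPage_initList hook handler: drop the 'Version' entry so that
 * Special:Version answers with "No such special page", exactly as commenting
 * the line out of SpecialPageFactory.php does, but from LocalSettings.php.
 *
 * @param array &$list  special page name => class name, passed by reference
 * @return bool         true so that other handlers registered for the hook still run
 */
function wfHideSpecialVersion( &$list ) {
    unset( $list['Version'] );
    return true;
}
$wgHooks['SpecialPage_initList'][] = 'wfHideSpecialVersion';
```

Because the list is passed by reference, unset() on it is all that is needed; there is no separate unregister call. Test it by visiting Special:Version after the change and confirming it now returns the "No such special page" message.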
