Prevent Server Version Leaks in MediaWiki's Special:Version
Setting up a knowledge base or wiki is a great way of keeping people (coworkers, clients, strangers, and anyone else you can think of) informed about certain topics, and MediaWiki is one of the most popular choices for this. It powers Wikipedia, the world’s largest general reference work, and thousands of other wikis on a variety of subjects.
While obscuring version information should never be your only form of security, it makes life slightly harder for anyone looking to vandalize or penetrate your webserver. By default, MediaWiki will tell anyone who will listen what software you’re running (example), and there is no obvious way of disabling this. The solution? Let’s dig into the code behind this page, and cut it off at the source.
Open includes/specials/SpecialVersion.php, and locate the execute function (somewhere around line 50). You’ll find a variable called $text that will contain all of the information to be displayed, and one of the functions it calls is softwareInformation(). If you comment out the entire line and save the file, you’ll plug MediaWiki’s version leak.
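To confirm the edit took effect, the check below (an added example, not code from the original post or from MediaWiki) parses the rendered Special:Version HTML and reports any product/version rows that are still exposed. It assumes the installed-software table carries id="sv-software"; confirm that against your own wiki's markup. The sample HTML and version strings are constructed.

```python
from html.parser import HTMLParser

# Constructed sample markup; the version strings are placeholders.
BEFORE = """<table class="wikitable plainlinks" id="sv-software">
<tr><th>Product</th><th>Version</th></tr>
<tr><td><a href="//www.mediawiki.org/">MediaWiki</a></td><td>1.0.0-example</td></tr>
<tr><td><a href="//php.net/">PHP</a></td><td>0.0.0 (example)</td></tr>
</table>"""
AFTER = """<h2>License</h2><p>Credits and licensing text.</p>
<table id="sv-ext"><tr><th>Extension</th><th>Version</th></tr>
<tr><td>ExampleExt</td><td>1.2</td></tr></table>"""

class SoftwareTable(HTMLParser):
    """Collect cell text from rows inside <table id="sv-software"> (assumed id)."""
    def __init__(self):
        super().__init__()
        self.depth = 0      # > 0 while inside the target table (handles nesting)
        self.in_cell = False
        self.row = None
        self.rows = []

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            if self.depth or dict(attrs).get("id") == "sv-software":
                self.depth += 1
        elif self.depth and tag == "tr":
            self.row = []
        elif self.depth and tag in ("td", "th") and self.row is not None:
            self.in_cell = True
            self.row.append("")

    def handle_endtag(self, tag):
        if tag == "table" and self.depth:
            self.depth -= 1
        elif tag in ("td", "th"):
            self.in_cell = False
        elif tag == "tr" and self.row is not None:
            self.rows.append([c.strip() for c in self.row])
            self.row = None

    def handle_data(self, data):
        if self.in_cell and self.row:
            self.row[-1] += data

def leaked_versions(html):
    """Return (product, version) pairs the page still exposes."""
    parser = SoftwareTable()
    parser.feed(html)
    return [(r[0], r[1]) for r in parser.rows
            if len(r) == 2 and any(ch.isdigit() for ch in r[1])]
```

Save your wiki's Special:Version page to a file and pass its contents to leaked_versions(); an empty list means the software table is gone, while the extension list is deliberately ignored.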
Kill it with fire
If removing your software version doesn’t leave you feeling satisfied, you can remove the page entirely by commenting out a line in includes/SpecialPageFactory.php. I’m not a fan of this extreme step, as it removes recognition for the developers, licensing information, and a list of the extensions you’re using, none of which are a security risk.