mediawiki
MediaWiki is free and open-source wiki software originally developed for use on Wikipedia. It powers several wiki hosting websites across the Internet, as well as most websites hosted by the Wikimedia Foundation. Besides its usage on Wikimedia sites, MediaWiki has been used as a knowledge management and content management system on many websites.
Apache
mediawiki_headers
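# Browser-side hardening attached to every response, including error pages
# and redirects ("always").
# X-Frame-Options is single-valued: 'append' could merge an application-set
# value with this one into an invalid "DENY, SAMEORIGIN".  MediaWiki can send
# its own (stricter) X-Frame-Options on edit pages, so 'setifempty' (Apache
# >= 2.4.7, the 2.4 syntax is already used below) only fills the header in
# when the application left it unset.
Header always setifempty X-Frame-Options SAMEORIGIN
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Content-Type-Options nosniff
# The XSS auditor this header controlled has been removed from current
# browsers, and enabling it in the legacy engines that still have it is
# discouraged; the current recommendation (OWASP) is to disable it with "0".
Header always set X-XSS-Protection "0"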
mediawiki
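# Hardening for one site's MediaWiki tree (MediaWiki lives in public_html/mw).
# The denied paths below are exercised by mediawiki_check.py; keep the two
# lists in step when adding entries.
RewriteEngine on
# Editor and backup leftovers anywhere under the docroot.  The alternation is
# grouped so a bare trailing "~" (index.php~) matches on its own rather than
# only as ".~"; .orig and .swp cover patch and vim leftovers; NC also catches
# upper-case copies (.BAK).  A non-3xx R= code answers directly and implies L.
RewriteRule ^/.*(\.(bak|old|orig|swp)|~)$ - [L,NC,R=404]
# Installation metadata and docs shipped at the MediaWiki root.  They reveal
# the exact version and layout, and LocalSettings.php would otherwise be
# executed.  Dots are escaped so only the literal names match, RELEASE-NOTES-*
# is no longer pinned to one release so an upgrade cannot re-expose it, and
# composer.local.json (the operator's own extension list) is covered next to
# the shipped sample.
RewriteRule ^/mw/(CODE_OF_CONDUCT\.md|composer\.json|composer\.local\.json|composer\.local\.json-sample|composer\.lock|COPYING|CREDITS|docker-compose\.yml|FAQ|HISTORY|INSTALL|jsduck\.json|LocalSettings\.php|README\.md|RELEASE-NOTES-[0-9.]+|SECURITY|UPGRADE)$ - [L,R=404]
# Compress static assets (mod_deflate).
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/>
AddOutputFilter DEFLATE css js ico
</Directory>
# Client-side caching of static assets (mod_expires).
ExpiresActive On
ExpiresByType image/jpeg "access plus 5 weeks"
ExpiresByType image/gif "access plus 5 weeks"
ExpiresByType image/png "access plus 5 weeks"
ExpiresByType text/css "access plus 7 days"
ExpiresByType application/x-javascript "access plus 7 days"
ExpiresByType text/javascript "access plus 7 days"
ExpiresByType text/plain "access plus 49 hours"
# special MIME type for icons
AddType image/vnd.microsoft.icon .ico
# now we have icon MIME type, we can use it
# my favicon doesn't change much
ExpiresByType image/vnd.microsoft.icon "access plus 3 months"
# All denials below use the Apache 2.4 "Require" syntax.  The template used to
# mix it with the 2.2 "Deny from all", which needs mod_access_compat and is
# documented as giving unexpected results when both styles meet in one scope.
# NOTE(review): cache/ and vendor/ are probed by mediawiki_check.py but have
# no rule here; presumably they rely on their own .htaccess files, which only
# take effect under a permissive AllowOverride -- confirm.
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/mw/docs>
Require all denied
</Directory>
# Extensions stay readable (presumably because they serve their own static
# assets); only the README is withheld here.
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/mw/extensions>
<Files "README">
Require all denied
</Files>
</Directory>
# Uploads: refuse any query string that smuggles a filename-like extension
# (?x.html), the rule MediaWiki ships in images/.htaccess against content
# sniffing of uploaded files.
# NOTE(review): that shipped file also switches script execution off for
# uploads; nothing here does, so confirm PHP is not handled under images/
# elsewhere (handler or FPM configuration).
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/mw/images>
RewriteCond %{QUERY_STRING} \.[^\\/:*?\x22<>|%]+(#|\?|$) [nocase]
RewriteRule . - [forbidden]
</Directory>
# Deleted and in-flight uploads are never served directly.
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/mw/images/deleted>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/mw/images/temp>
Require all denied
</Directory>
# PHP sources, language data, CLI maintenance scripts (including SQL schema
# files) and test fixtures: none of these are meant to be fetched over HTTP.
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/mw/includes>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/mw/languages>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/mw/maintenance>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/mw/math>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/mw/skins/MinervaNeue/dev-scripts/>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/mw/tests>
Require all denied
</Directory>
# Lint and VCS dot-files, wherever they sit in the tree (the audit probes them
# at the MediaWiki root).
<Files ".eslintrc.json">
Require all denied
</Files>
<Files ".gitignore">
Require all denied
</Files>
<Files ".gitreview">
Require all denied
</Files>
<Files ".jshintignore">
Require all denied
</Files>
<Files ".jshintrc">
Require all denied
</Files>
<Files ".stylelintrc">
Require all denied
</Files>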
Audit
mediawiki_check.py
#!/usr/bin/python3
import random
import sys

import requests
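site = 'https://www.cgsecurity.org/mw/'
#site = 'https://wiki.global-sp.net/mw/'

# Seconds to wait for connect/read before a probe is counted as failed;
# without a timeout a single stalled request hangs the whole audit.
TIMEOUT = 10

# Ask intermediaries not to answer from cache so the status code reflects
# the origin server's decision.
headers = {
    'Cache-Control': 'no-cache',
    'Pragma': 'no-cache'
}

# Paths under the MediaWiki root that a hardened web server must refuse.
# Bare directory names probe for directory listings; the files are
# documentation, build metadata, SQL schemas, language data and test
# fixtures that disclose the installed version and layout.
PATHS = [
    '.eslintrc.json',
    '.gitignore',
    '.gitreview',
    '.jshintignore',
    '.jshintrc',
    '.stylelintrc',
    'cache/',
    'CODE_OF_CONDUCT.md',
    'composer.json',
    'composer.local.json-sample',
    'composer.lock',
    'COPYING',
    'CREDITS',
    'docker-compose.yml',
    'docs/',
    'docs/README',
    'docs/Logger.md',
    'extensions/',
    'extensions/README',
    'FAQ',
    'HISTORY',
    'includes/',
    'includes/mime.info',
    'includes/widget/AUTHORS.txt',
    'images/deleted/index.html',
    'images/temp/index.html',
    'INSTALL',
    'jsduck.json',
    'languages/',
    'languages/data/plurals-mediawiki.xml',
    'languages/i18n/en.json',
    'LocalSettings.php',
    'maintenance/',
    'maintenance/README',
    'maintenance/users.sql',
    'maintenance/archives/patch-bot.sql',
    'README.md',
    'RELEASE-NOTES-1.39',
    'SECURITY',
    'skins/MinervaNeue/dev-scripts/svg_check.sh',
    'tests/',
    'tests/parser/preprocess/All_system_messages.txt',
    'tests/selenium/README.md',
    'tests/selenium/specs/user.js',
    'UPGRADE',
    'vendor/',
]

# Only these responses count as "blocked".  A 200 is a disclosure; a 30x is
# reported as a finding as well, so a redirect cannot mask one.
BLOCKED_STATUSES = (403, 404)


def verdict(status_code):
    """Return '✅' when status_code means the path was refused, '❌' otherwise.

    status_code may be None (the request itself failed); that is reported
    as ❌ so a network error is never mistaken for a successful block.
    """
    return '✅' if status_code in BLOCKED_STATUSES else '❌'


def probe(session, url):
    """GET url without following redirects and return the HTTP status code.

    Returns None when the request raised (timeout, DNS or TLS failure); the
    caller decides how to report it.  The random query parameter is a
    cache-buster so a cached response cannot hide the live status.
    """
    try:
        response = session.get(
            url,
            allow_redirects=False,
            headers=headers,
            params={'rand': random.randint(1, 65535)},
            timeout=TIMEOUT,
        )
    except requests.RequestException:
        return None
    return response.status_code


def main(base=None):
    """Probe every path under base (default: site) and print one line each.

    Returns the number of paths that were not blocked, so the caller can
    turn the audit into a non-zero exit status.
    """
    base = site if base is None else base
    session = requests.Session()
    # Pad to the longest path so the status column lines up for every entry.
    width = max(len(path) for path in PATHS)
    failures = 0
    for filename in PATHS:
        status_code = probe(session, base + filename)
        mark = verdict(status_code)
        if mark == '❌':
            failures += 1
        shown = 'error' if status_code is None else status_code
        print(filename.ljust(width), shown, mark)
    return failures


if __name__ == '__main__':
    # Exit 1 when anything was exposed so the script can gate a deployment.
    sys.exit(1 if main() else 0)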
mediawiki_check.py output
.eslintrc.json 404 ✅
.gitignore 404 ✅
.gitreview 404 ✅
.jshintignore 404 ✅
.jshintrc 404 ✅
.stylelintrc 404 ✅
cache/ 404 ✅
CODE_OF_CONDUCT.md 404 ✅
composer.json 404 ✅
composer.local.json-sample 404 ✅
composer.lock 404 ✅
COPYING 404 ✅
CREDITS 404 ✅
docker-compose.yml 404 ✅
docs/ 403 ✅
docs/README 403 ✅
docs/Logger.md 403 ✅
extensions/ 403 ✅
extensions/README 403 ✅
FAQ 404 ✅
HISTORY 404 ✅
includes/ 403 ✅
includes/mime.info 403 ✅
includes/widget/AUTHORS.txt 403 ✅
images/deleted/index.html 403 ✅
images/temp/index.html 403 ✅
INSTALL 404 ✅
jsduck.json 404 ✅
languages/ 403 ✅
languages/data/plurals-mediawiki.xml 403 ✅
languages/i18n/en.json 403 ✅
LocalSettings.php 404 ✅
maintenance/ 403 ✅
maintenance/README 403 ✅
maintenance/users.sql 403 ✅
maintenance/archives/patch-bot.sql 403 ✅
README.md 404 ✅
RELEASE-NOTES-1.39 404 ✅
SECURITY 404 ✅
skins/MinervaNeue/dev-scripts/svg_check.sh 403 ✅
tests/ 403 ✅
tests/parser/preprocess/All_system_messages.txt 403 ✅
tests/selenium/README.md 403 ✅
tests/selenium/specs/user.js 403 ✅
UPGRADE 404 ✅
vendor/ 404 ✅