How can I force new user registrations in mediawiki to use alphanumeric passwords?
At the moment they only need letters.
There is not way to edit LocalSettings.php, so I would have to modify the base files, but the question is which one?
Easiest, unless you want to create your own hook to verify the password, is probably to use the SecurePasswords extension (or, possibly, the SafeCreate extension) that will allow you to configure a number of things regarding required complexity of the passwords.
If you really want to create your own hook, the hook you want to create is an isValidPassword hook.
Related
I'm trying to import users credentials from one database schema to another one without users needing to create a new password, So first user table (the one I need to import to the new site) uses sha256+salt(I think) and my new site is using md5+salt (I think) I have access to all files and stuff so I could locate the salt that's being used if I can somehow reverse engineer the sha256 to make it md5?
Is there a way to do this? if so how would I approach it?
an example of the password would be:
old site: e3e922af8a36de975983b075b3bf5336bbb26c8008aa5d9b39aef8d85cb7eb32
new site: $S$Dbj.yBTjHV97QNLHwuoykWxzpNL9bxxFl4b8uoP1u1rJzCyDZb.e
I'll appreciate any input, Thank you!
Update: new site uses base64encode + salt which I know what is, just to be clear I'm not trying to actually be able to see their password in plain text, Can I convert sha256 -> base64encode with some mysql commands or something if I know the salt?
Unless you're prepared to crack their password, no, you can't convert as SHA2-256 hash to an MD5 one. You need to know the content that generated the hash in the first place.
When migrating from one hashing type to another the best plan is to normalize all your password hashes into a consistent form first and the Modular Crypt Format is the most widely supported.
If you can wrangle your old hashes into that form then you should be able to use them with password_verify. You can also update user passwords as they log-in by re-writing them with password_hash which uses Bcrypt by default.
Over time you can stomp out old SHA2-256 and MD5 passwords and limit your exposure.
A client's Joomla 3.6.5 website was hacked. After running a virus scan and malware scan on the entire directory, nothing came up. When I searched for the malicious URLs, they appear in the database, but nowhere in the code of the website files. I'm not sure how to find the hack, or how to clean out the malicious URLs.
(11216,'http://xxxx.com/cache/j.js',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',3,0,'2017-04-14 10:50:38','0000-00-00 00:00:00',301),
(11217,'http://xxxx.com/cache/jq.js',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',3,0,'2017-04-14 10:50:38','0000-00-00 00:00:00',301),
(11218,'http://xxxx.com/cache/layout.css',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',1,0,'2017-04-14 10:50:57','0000-00-00 00:00:00',301),
(11219,'http://xxxx.com/cache/ssc.css',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',1,0,'2017-04-14 10:52:09','0000-00-00 00:00:00',301),
(11220,'http://xxxx.com/cache/jq.css',NULL,'http://xxxx.com/philosophy-of-life-essay.html','',1,0,'2017-04-14 10:52:09','0000-00-00 00:00:00',301)
Since the malicious URLs are in the database, was the database hacked? How do I remove the malicious URLs and how do I fix the hack? I know I have to change the passwords, but I'm stumped with how to unhack this site. I'm not sure how to clean out a hacked database. Any tips? Thanks!
Q: Since the malicious URLs are in the database, was the database hacked?
A: Not possible to tell with the information provided.
https://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced
The term "hacked" is very broad. Have credentials been fraudulently obtained? Was the website defaced? Was valid data stolen from the database? Has valid data has been removed or changed? Has new fraudulent data been added?
There are several ways any of those could have happened. One possibility is that database modifications were made through normal operation of the website, by a malicious actor who obtained credentials (login and password) to perform those operations.
Or, a malicious actor could have exploited a vulnerability in the website code. Given the predominance of XSS and SQL Injection vulnerabilities, and the relative ease of exploiting those, this is the most likely scenario. (A lot of website "plugins" are known to be vulnerable.)
Or, some other program connected to the database and performed database operations.
Q: How do I remove the malicious URLs?
A first step would be to restore a copy of the database from a known good backup.
And with a saved copy of the suspect database, we could do a comparison, to help identify data that has been removed, changed or added. (What makes a URL "malicious"? How are you defining that? All we see in the question is what appears to be some rows from a database table. How are these rows more "malicious" than other rows?)
Q: How do I fix the hack? I know I have to change the passwords ...
If an unauthorized actor has obtained login credentials, then yes, you need to change the passwords. And figure out how they obtained the credentials, and take steps to prevent that from happening again.
And close up the vulnerabilities, to prevent that from happening again.
Q: I'm stumped with how to unhack this site. I'm not sure how to clean out a hacked database. Any tips?
Restore the database from a known good backup.
And again, mitigate the vulnerabilities to prevent (or make it less likely) that this will happen again. Cross site scripting (XSS) and SQL Injection are always in the OWASP Top 10.
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013
https://www.owasp.org/index.php/SQL_Injection
What you are experiencing is a database hack, which is the worst kind of Joomla hacks.
Reverting to a backup may be a good solution if you are running a semi-static website, however, if your website has new content every day (or had new content since the hack), then you can't revert to a backup without losing data. In this case, you will need to use MySQL's REPLACE function to replace the hacked strings with an empty value.
Once you fix the database hack, you will need to run an internal scan on your website to ensure to find if there are hacked/backdoor files anywhere. Once that is done, you will need to uninstall all the unused extensions, and you will need to uninstall all the extensions that are on Joomla's VEL list. Any extension that you have must be updated to the latest version.
Once you are done with the above, then you will need to do the following:
Change all the passwords of the website: including Joomla passwords, FTP/sFTP, database passwords (avoid using FTP if you can), cPanel passwords, etc...
Restrict Apache's access of PHP files to the 'index.php' file (that can be done in the htaccess file).
Move the website to a VPS or a dedicated server if you are on a share hosting.
This seems to be a pretty bad one! A few tips:
Be sure to check Google blacklisting status & also do a 'fetch as google' to check if there's malware showing up in search results.
It is recommended to find all the external calls from the website to other domains (usually hackers point credit card details to their own domains or emails).
A diff command would go a long way:
$ mkdir joomla-3.6.4
$ cd joomla-3.6.4
$wget https://github.com/joomla/joomla-cms/releases/download/3.6.4/Joomla_3.6.4-Stable-Full_Package.tar.gz
$ tar -zxvf Joomla_3.6.4-Stable-Full_Package.tar.gz
$ diff -r joomla-3.6.4 ./public_html
There are more steps which can be checked from this URL: https://www.getastra.com/blog/cms/joomla-security/joomla-admin-security/
We are planning to use mediawiki as the basis for our products documentation. Access control will be used to grant customers access to content.
We would also like to use mediawiki for some of our internal documentation, stuff that customers should not access.
Is it possible to configure one installation of mediawiki such that one group of users sees certain wiki content and that another group of users sees other wiki content? If so, please point me to the appropriate documentation as I am not even sure what this would be called (thus I am uncertain where to look).
Thank you.
If by one installation you mean one database, it is sort of possible but extremely unwise. See this section of the manual for explanation and Category:Page specific user rights extensions (especially the Lockdown extension) if you decide to try it anyway.
Using the same installation directory (ie. PHP files) but separate databases is fine. The manual page about wiki farms describes a few ways to do it.
If you mean, that you want to restrict the "view" permission for certain pages to a specific group, then the answer is kind of maybe. With the default MediaWiki installation, that is not possible, as MediaWiki is designed to be "open" to all users (as least the view persmission). You can "just" restrict, that a certain group can read or can't read, but this will always mean all pages.
Maybe your problem can be solved by having really two wikis, instead of holding two "sections" in one wiki. For this you would need:
One MediaWiki installation on your file system (unzipping the mediawiki tarball release), e.g. /var/www/html/mediawiki/
Two mysql databases (or you use two database prefixes)
Two different urls (e.g. example.com/wiki1 and example.com/wiki2 or wiki1.example.com and wiki2.example.com)
A bit more complex MediaWiki configuration
Now, you first need to create two virtual hosts in your webserver. Both should point to the installation directory of your mediawiki (/var/www/mediawiki/). In the next step you would need to create a configuration which will be different depending on the wiki requested by the user (depending on what url is used). This is a bit tricky and a mostly undocumented way in MediaWiki, but in fact it's working like this:
You create a wgConf object
You fill this wgConf object with valid wikis (usually you use a unique name, e.g. the dbname)
You let wgConf extract all settings (using the name of the wiki, e.g. the dbname)
This part is more or less documented at the wgConf manual page. The more tricky way is to parse the url correctly and set all the information you need. The Wikimedia foundation uses a script called MultiVersion. This tool does a bit more as just parsing the url to indentify the wiki, but ok. With MultiVersion you would then set the configuration variable wgDBname which you then use to load the wgConf data. For more information, you should ask specific questions and look into the git repository of the Wikimedia foundations configuration. I use a similar approach with just 2 wikis, and a lot smaller MultiVersion (but it's based on the idea of the WMF), so maybe this will help you understand the way to configure wikis, too.
You want, e.g., also make sure, that the wikis are able to create inter-wiki links to link, e.g., a documentation of your public wiki in your internal wiki and vice versa. And you probably want to make sure, that some database tables are shared by one wiki, so your users just need to register once to access both wikis (and set the internal read permission for users to false, so that you have to give access to users ecplicitly). See $wgSharedDB and the manual for shared databases. The configuration of my two wikis uses this feature to share user tables.
and have the changes save straight to the mysql db only requiring an email address to make the change
MediaWiki? It's a PHP app most commonly used with MySQL, and you can configure it to require (only) an email.
When I say "configure" I mean where to save those values that could change very often (constants values like taxes rates or something similar) and then when you need to change them you don't want to re-compile your application.
Where to save those values? Database? XML File? Flat File?
It depends on how often these change and who or what changes them. For some application specific settings, it's best to use an XML or config file, where the developers are the ones responsible for updating it. For other "businessy" values (like exchange rates, tax rates, etc), it's best to keep them in the database and provide a UI for users (not developers) to update.
It also depends on how many apps depend on this value, for example, if several applications depend on some setting (such as email server addres), it's best to put it in a database since it'll be easily accessible from any machine where the app is running.
I use INI files for potentially user-configurable files, and BIN files for data that save session state between runs.
But, it is very dependent upon what type of application you are developing.
it depends on how your app is architecture. you could design your app in such way that you could change the location of you configuration. by just injecting the provider.
Normally I use Ini files or XML if the data is structured.
For applications that already use a database and you don't want to have the user to change the data easily, you can use the database.
I almost never use binary data unless you want to obfuscate the data for the user.
Regardless of app, you're probably going to have at least 3 sources of configuration data:
Command line flags, usually for bootstrapping your run-time environment, e.g, finding config files, setting debug flags, include paths, class paths, etc
Config files, potentially more than one that may override each other. These usually boot strap your application: connection strings, cache settings, build-specific settings, etc
Control data in a database. Things like timezones, conversion rates, stable display values, etc. This data should also be versioned in the database (as in, a "Data Version" field, not living in a version control system). Versioning it will save a lot of headaches when you find you need to change a setting for a new release, but the old release will break if you change it.
Generally, anything that changes at run-time should go in the database. Anything that is sensitive and rarely changing should go into the config files, and any hacks should go on the command line (--[no]enable-bug-287438-hack can be very handy when you need it).
I prefer the simplicity of a flat ini file. Here's an example Setting class that you might find useful.