Last modified: 2011-10-30 23:18:30 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T34054, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 32054 - Hide Special:Version unless activated in configuration
Status: RESOLVED INVALID
Product: MediaWiki
Classification: Unclassified
Component: Special pages
Version: unspecified
Hardware: All All
Importance: Unprioritized normal
Assigned To: Nobody - You can work on this!
 
Reported: 2011-10-30 19:23 UTC by Tom Morris
Modified: 2011-10-30 23:18 UTC (History)

Description Tom Morris 2011-10-30 19:23:34 UTC
Special:Version enables people to easily locate unpatched installations of various pieces of system software, specifically PHP, MySQL and MediaWiki extensions. When a new vulnerability is uncovered on a piece of software, all an attacker has to do is search on Google for the version number and a string like "This wiki is powered by MediaWiki" and they'll find a bunch of pages from MediaWiki installs running on unpatched machines.

Now, I'm not saying Special:Version isn't useful, and indeed, for the Wikimedia projects, they should definitely be available so the community clustered around noticeboards like VPT on enwiki and similar noticeboards on other wikis can keep track of what extensions and versions are running on different wikis. And I'd hope that Wikipedia and other WMF-hosted wikis would be kept well-patched in a way that other wikis are not.

But until other MediaWiki installations become as conscientious at applying updates, it seems like a sensible idea to make it so that Special:Version isn't publicly viewable (sysops, obviously, should be able to see it by default). Then they can change LocalConfiguration.php to make it publicly viewable if they want to take the risk. Even if MediaWiki is perfectly secure and the MediaWiki install has secure passwords, Special:Version potentially helps people exploit other insecure software on the same server.
Comment 1 Niklas Laxström 2011-10-30 19:27:16 UTC
Special:Version is exempted from search engine indexes already.
