MediaWiki LocalSettings Credentials
Detects MediaWiki LocalSettings.php files containing database passwords ($wgDBpassword), secret keys ($wgSecretKey), and upgrade keys ($wgUpgradeKey). These are high-value secrets that grant database and administrative access to a MediaWiki installation. Mirrors Snaffler rule KeepPhpByName.
- Type: regex
- Engine: boost_regex
- Confidence: high
- Confidence justification: High confidence: $wgDBpassword, $wgSecretKey, and $wgUpgradeKey are specific MediaWiki PHP variables with no plausible false-positive context outside LocalSettings.php. The hex-constraint on $wgSecretKey (a-f0-9, 16+ chars) further pins the pattern to real secrets rather than documentation examples.
- Jurisdictions: global
- Regulations: GDPR, Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
- Data categories: credentials, security, application-secrets
- Scope: specific
- Risk rating: 9
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible
Pattern
\$wgDBpassword\s*=\s*['"][^'"]{1,}
Corroborative evidence keywords
wgDBserver, wgDBname, wgDBuser, MediaWiki, wgSecretKey, LocalSettings, wgSiteName, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential (+40 more)
Proximity: 300 characters
Should match
- $wgDBpassword = 'P@ssw0rd_db_secret'; — wgDBpassword with single-quoted value
- $wgDBpassword = "my_database_pass_2024"; — wgDBpassword with double-quoted value
- $wgSecretKey = 'a3f1b2c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2'; — wgSecretKey with 64-char hex value
- $wgUpgradeKey = 'a3f1b2c4d5e6f7'; — wgUpgradeKey with short key value
- $wgDBserver = 'localhost'; $wgDBname = 'my_wiki'; $wgDBpassword = 'WikiP@ss99'; — Full LocalSettings block with DB credentials
Should not match
- echo 'Remember to set wgDBpassword in LocalSettings.php'; — String referencing wgDBpassword as text with no PHP assignment operator
- $dbPassword = 'admin123'; — Generic PHP variable named dbPassword — not a wg-prefixed MediaWiki var
- wgDBpassword is the configuration key for the database password — Documentation prose mentioning the variable name without any assignment
Known false positives
- MediaWiki documentation and installer scripts that show example LocalSettings.php with placeholder values. Mitigation: Require non-empty, non-placeholder values (min 1 char after quote is already enforced); gate at 75+ with wgDBserver/wgDBname evidence.
- Commented-out or backup LocalSettings.php files left in web roots that contain credentials for decommissioned installations. Mitigation: Still a true positive — decommissioned credentials may still be reused or indicate poor secret hygiene. Treat as finding.
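The primary pattern and the 300-character proximity check described above, as an added Python example (not the rule engine's own code); it covers only the `$wgDBpassword` pattern shown on the page. Assumptions: Python's `re` stands in for boost_regex, the window extends 300 characters on each side of the match, keyword matching is case-insensitive, and `scan` and the sample text are constructed for illustration.

```python
import re

# Primary pattern copied from the rule page ($wgDBpassword only).
PATTERN = re.compile(r"""\$wgDBpassword\s*=\s*['"][^'"]{1,}""")

# MediaWiki-specific subset of the page's corroborative keywords.
KEYWORDS = ("wgDBserver", "wgDBname", "wgDBuser", "MediaWiki",
            "wgSecretKey", "LocalSettings", "wgSiteName")
PROXIMITY = 300  # characters, as stated on the page


def scan(text, proximity=PROXIMITY):
    """Return one finding per primary match with nearby evidence keywords.

    The matched secret itself is never returned, only its position.
    """
    findings = []
    for m in PATTERN.finditer(text):
        # Assumption: the window spans `proximity` chars before and after.
        lo = max(0, m.start() - proximity)
        hi = min(len(text), m.end() + proximity)
        window = (text[lo:m.start()] + text[m.end():hi]).lower()
        evidence = [k for k in KEYWORDS if k.lower() in window]
        findings.append({
            "offset": m.start(),
            "line": text.count("\n", 0, m.start()) + 1,
            "evidence": evidence,
            # The page's false-positive mitigation keys on these two names.
            "corroborated": "wgDBserver" in evidence or "wgDBname" in evidence,
        })
    return findings


# Constructed sample, based on the page's "full LocalSettings block" case.
SAMPLE = (
    "$wgDBserver = 'localhost';\n"
    "$wgDBname = 'my_wiki';\n"
    "$wgDBpassword = 'WikiP@ss99';\n"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A match with no `wgDBserver` or `wgDBname` inside the window is still returned, with `corroborated` set to false, so the caller decides how to gate it.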