MediaWiki
MediaWikicms4 credentials
User Password Hash
mediawiki / user-password-hash
MediaWiki stores local user password hashes in its database for wiki logins unless external authentication replaces local auth.
Location
MediaWiki user/authentication tables containing password hash data
MediaWiki login, API login, and web sessionsdatabase dumps and wiki backups
Bot Password
mediawiki / bot-password
MediaWiki bot passwords let users create limited credentials for bots and API clients without using the main account password.
Location
bot password tables and associated grants/restrictions
bot scripts, Pywikibot config, .netrc, and CI variables
MEDIAWIKI_BOT_USERNAME, MEDIAWIKI_BOT_PASSWORDCI/CD variables and bot credential vaults
bot repositories and test configs
bot framework debug logs and API traces
API CSRF / OAuth Token
mediawiki / api-csrf-oauth-token
MediaWiki API workflows use CSRF/edit tokens and OAuth consumer secrets/access tokens for authenticated edits and integrations.
Location
AuthorizationOAuth or bearer token used by API clients
OAuth consumer and access token tables
bot configs, OAuth client configs, and integration scripts
bot vaults and CI/CD secrets
API debug logs and HTTP traces
LocalSettings Secret Key and Database Password
mediawiki / wg-secret-key-and-db-password
MediaWiki LocalSettings.php contains $wgSecretKey and database credentials used for sessions, tokens, upgrades, and runtime database access.
Looks like
pattern\$wgSecretKey\s*=\s*[\'\"][^\'\"]+[\'\"]\s*;\$wgDBpassword\s*=\s*[\'\"][^\'\"]+[\'\"]\s*;Location
LocalSettings.phpwiki secret key, database credentials, and extension secrets
Kubernetes Secrets, Docker secrets, and deployment vaults
committed LocalSettings.php copies and extension configs
site backups and support bundles
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.