Today, our developers discovered that a JavaScript-injection vulnerability from 2.x and 3.x that was previously thought to be patched was still exploitable in patched versions, and subsequently in the 4.x series. This issue affects all versions of 2.x, 3.x, and 4.x, but not VaultWiki Lite.
Today, our developers discovered that an SQL overflow vulnerability from 2.x and 3.x that was previously thought to be patched was still exploitable in patched versions. This can easily be exploited to potentially crash one or more server processes. This issue affects all versions of 2.x and 3.x, but not VaultWiki Lite.
While performing an audit of previous disclosures today, our developers discovered another easily exploitable HTML/JavaScript injection vulnerability in the VaultWiki 4.x series when installed against vBulletin 3.x. This issue affects all versions of 4.x under vBulletin 3, including VaultWiki Lite.
Yes, you counted right: that's 4 vulnerabilities.
We have published the following Patch Level releases to resolve the three issues that are relevant to supported releases:
- 4.0.2 Patch Level 2
- 4.0.1 Patch Level 5
- 4.0.0 Patch Level 5
- 4.0.0 RC 5 Patch Level 4
- 4.0.0 RC 4 Patch Level 5
- 4.0.0 RC 3 Patch Level 6
- 4.0.0 RC 2 Patch Level 6
- 4.0.0 RC 1 Patch Level 6
Details
Given certain permissions combinations, it is possible that a non-moderator user may be able to approve edits by any user. When exploited, a user whose edits are normally moderated may be able to change the approval state of his or her own edits. Further, a user whose edits are normally moderated may be able to perform history modifications without needing approval for those changes.
Do I Need to Apply This Patch?
The moderation vulnerability has existed in every version of VaultWiki that supports queuing edits by untrusted users for moderation. If you use the moderation queue for any wiki content, you should apply one of these patches.
A JavaScript-injection vulnerability has existed in every version of VaultWiki that includes the TABLE, DIV, or SPAN BB-Codes. If you have these BB-Codes enabled in your Wiki Code Manager or Syntax Manager, you should apply one of these patches.
An HTML/JavaScript-injection vulnerability has existed in every version of VaultWiki 4.x when installed on vBulletin 3. If you run vBulletin 3 and you allow comments in any part of the wiki, you should apply one of these patches.
There are no patches for VaultWiki 3.x or 2.x series, as those versions are long retired.
If you cannot update to a patched VaultWiki 4.x release, you should:
- Ensure that untrusted users who would normally be moderated only have view permissions within the wiki -- that they cannot post or otherwise modify wiki content, AND
- Ensure that untrusted users who would normally not be moderated do not have any access to the History tab or related actions, AND
- Ensure that TABLE, DIV, and SPAN BB-Codes are not allowed to parse in wiki or non-wiki content via your Wiki Code Manager (2/3.x) or Syntax Manager (4.x).
If you are using VaultWiki 2.x or 3.x and cannot update to a patched release, in addition to the above, you should:
- Modify the permissions for all usergroups so that no one has permissions to view any kind of Special pages, AND
- Modify the permissions for all usergroups so that no one has permissions to view the History tab.
If you are using vBulletin 3 and cannot update to a patched release, in addition to the above, you should:
- Modify the permissions of all usergroups so that no untrusted users have permissions to post new comments or edit existing comments.