
    • VaultWiki 4.0.3, PCRE Backtrack Vulnerability (+1 more)

      by pegasus
      Published on April 16, 2015 11:16 AM
      VaultWiki 4.0.3 is now available to all licensed customers. This is a maintenance release with a small handful of improvements and bug fixes.

      This release contains an updated SSL certificate so that the Admin Panel can continue to make secure connections to vaultwiki.org when retrieving information about product updates. The certificate is what lets your server confirm it is actually talking to the real vaultwiki.org site, provided the connection verifies the certificate chain and hostname rather than accepting any certificate presented.

      PCRE Backtrack Vulnerability

      4.0.3 includes improvements when dealing with extremely large strings of text, such as articles with 500,000 characters. These changes work around a potential security issue involving PCRE: on extremely long strings PCRE can exceed its backtracking limit (pcre.backtrack_limit) and stop matching, so the regular expressions that clean user content may silently fail and potentially malicious content might reach the page uncleaned.

      Since the best fix involved changes to the way VaultWiki handles text at a fundamental level, this issue is ONLY PATCHED BY 4.0.3. No patch-level releases are available for earlier versions.

      This vulnerability affects all versions of VaultWiki 2.x, 3.x, and 4.x, including VaultWiki Lite.

      If you cannot upgrade to 4.0.3 to resolve this issue, then you should take the following precautions:
      • Find out what your PHP installation's configured value is for pcre.backtrack_limit. This may appear in your php.ini file. If it does not appear in that file, the default value is as follows:
        • For PHP 5.3.8 and higher: the value is 1,000,000
        • For PHP 5.3.7 and lower: the value is 100,000
      • Check the following VaultWiki settings:
        • VaultWiki: Content Types > Maximum Characters in Page Content
        • VaultWiki: Content Types > Maximum Characters in Discussion Comments
      • Make sure that each of these settings is set to a lower value than your pcre.backtrack_limit. If one of the settings is higher, you should lower it to maintain the security of your installation, or raise pcre.backtrack_limit above each setting.
      • Check your Special:LongPages page for existing pages that are longer than pcre.backtrack_limit.
      • Such pages remain a vector for attack for as long as they exceed this limit. You must shorten these pages.
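      The following PHP script is an added example, not VaultWiki's own code, written to show the failure mode the advisory describes and the checks above: a regex-based sanitizer that exceeds pcre.backtrack_limit gets NULL back from preg_replace(), and a caller that does not test for that hands the raw input through. The SCRIPT_RE pattern, the lowered limit, the two sanitizer functions, the check_size_limits() helper and the sample inputs are all constructed for the demo and are not VaultWiki's pattern or settings.

```php
<?php
// Added example (not VaultWiki's code): a regex sanitizer hitting
// pcre.backtrack_limit, once failing open and once failing closed, plus the
// configuration check from the advisory. Everything here is constructed
// for the demo.

$originalLimit = (int) ini_get('pcre.backtrack_limit');   // what the server actually runs with

ini_set('pcre.jit', '0');                  // use the interpreter so backtrack_limit governs
ini_set('pcre.backtrack_limit', '10000');  // small limit so the failure is reached quickly

// Deliberately backtrack-heavy "strip <script> blocks" pattern. The nested
// quantifier (?:[^>]*\s)* can split a run of whitespace in exponentially
// many ways, all of which PCRE explores when the overall match fails.
const SCRIPT_RE = '~<script\b(?:[^>]*\s)*[^>]*>.*?</script>~is';

function pcre_error_name(int $code): string
{
    $names = [
        PREG_NO_ERROR              => 'PREG_NO_ERROR',
        PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
        PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
        PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
        PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
    ];
    return $names[$code] ?? "PCRE error $code";
}

// Fails OPEN: preg_replace() returns NULL on a PCRE error, and this caller
// treats NULL like "nothing to strip", returning the untouched input.
function sanitize_naive(string $html): string
{
    $clean = preg_replace(SCRIPT_RE, '', $html);
    return $clean !== null ? $clean : $html;
}

// Fails CLOSED: any PCRE error rejects the content instead of passing it on.
function sanitize_strict(string $html): string
{
    $clean = preg_replace(SCRIPT_RE, '', $html);
    if ($clean === null || preg_last_error() !== PREG_NO_ERROR) {
        throw new RuntimeException('sanitizer aborted: ' . pcre_error_name(preg_last_error()));
    }
    return $clean;
}

// The advisory's configuration rule: every size limit that feeds user text
// into the sanitizer must stay below pcre.backtrack_limit. It is a floor,
// not a guarantee: the 50-byte payload below trips the limit on its own.
function check_size_limits(array $maxChars, int $limit): array
{
    $problems = [];
    foreach ($maxChars as $setting => $max) {
        if ($max >= $limit) {
            $problems[] = "$setting ($max) is not below pcre.backtrack_limit ($limit)";
        }
    }
    return $problems;
}

$benign  = '<p>hello</p><script src="x.js"></script>';       // constructed normal input
$payload = '<script' . str_repeat(' ', 40) . '>alert(1)';     // constructed attack input

echo "benign  strict: ", sanitize_strict($benign), "\n";
echo "payload naive : ", sanitize_naive($payload), "\n";
echo "last error    : ", pcre_error_name(preg_last_error()), "\n";
try {
    sanitize_strict($payload);
} catch (RuntimeException $e) {
    echo "payload strict: rejected (", $e->getMessage(), ")\n";
}

// Hypothetical values for the two settings named in the advisory.
$settings = [
    'Maximum Characters in Page Content'        => 500000,
    'Maximum Characters in Discussion Comments' => 20000,
];
foreach (check_size_limits($settings, $originalLimit) as $problem) {
    echo "config: $problem\n";
}
```

      Run with `php demo.php`. On the benign input the strict sanitizer returns the content with the script block removed; on the padded `<script` payload the naive sanitizer echoes the raw tag back while preg_last_error() reports PREG_BACKTRACK_LIMIT_ERROR, and the strict sanitizer throws instead. The point to carry into real code is the two-part check after every preg_* call (a NULL or FALSE result, and preg_last_error() not equal to PREG_NO_ERROR) and the decision to reject rather than pass content when it fires. Note also that the length comparison from the advisory is a rough bound only: the backtrack count depends on the pattern as much as on the input, so a long page can trip the limit under a well-written pattern and a short one can trip it under a badly written one.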


      Mirror-Injection Vulnerability

      On vBulletin installations, VaultWiki versions 4.0.1 - 4.0.2 contain a potential HTML/JavaScript injection vulnerability that we are naming the "Mirror-Injection Vulnerability."

      This issue only affects VaultWiki versions 4.0.1 - 4.0.2 Patch Level 2, including VaultWiki Lite. This issue does NOT affect XenForo-based installations of those versions.

      For those versions, we have also issued the following Patch Level releases:
      • 4.0.2 Patch Level 3
      • 4.0.1 Patch Level 6


      Release Notes

      The current release is VaultWiki 4.0.3, which should be usable on vBulletin-based and XenForo-based production sites.
      Comments (2)
      1. hollosch - April 16, 2015
        Where can I find the changelog for 4.0.3?
      2. pegasus - April 16, 2015
        Since I notice they've started getting buried this week, I've added links for both in the manual section:
        • Changes Between Releases (for translations, custom styles, etc.)
        • Changelog (just a list of bugs that were fixed)
