This release contains an updated SSL certificate so that the Admin Panel can continue to make secure connections to vaultwiki.org when retrieving information about product updates. A valid certificate ensures that your server is actually talking to the real vaultwiki.org site when making these connections.
PCRE Backtrack Vulnerability
4.0.3 includes improvements when dealing with extremely large strings of text, such as articles with 500,000 characters. These changes workaround a potential security issue involving PCRE, where extremely long strings of text might prevent PCRE from functioning correctly and thus potentially malicious content might not be cleaned.Since the best fix involved changes to the way VaultWiki handles text at a rudimentary level, this issue is ONLY PATCHED BY 4.0.3.
This vulnerability affects all versions of VaultWiki 2.x, 3.x, and 4.x, including VaultWiki Lite.
If you cannot upgrade to 4.0.3 to resolve this issue, then you should take the following precautions:
- Learn what your PHP installation's configuration value is for pcre.backtrack_limit. This might appear in your php.ini file. If this does not appear in that file, the default value is as follows:
- For PHP 5.3.8 and higher: the value is 1,000,000
- For PHP 5.3.7 and lower: the value is 100,000
- Check the following VaultWiki settings:
- VaultWiki: Content Types > Maximum Characters in Page Content
- VaultWiki: Content Types > Maximum Characters in Discussion Comments
- Make sure that the values of each setting is set to a lower amount than your pcre.backtrack_limit. If one of the settings is higher, you should lower it to maintain the security of your installation, or increase pcre.backtrack_limit to a value higher than each setting.
- Check your Special:LongPages page for existing pages that are longer than pcre.backtrack_limit.
- These pages remain a vector for attack while they are longer than this limit. You must shorten these pages.
Mirror-Injection Vulnerability
On vBulletin installations, VaultWiki versions 4.0.1-4.0.2 contain a potential HTML/Javascript injection vulnerability that we are naming the "Mirror-Injection Vulnerability."This issue only affects VaultWiki versions 4.0.1 - 4.0.2 Patch Level 2, including VaultWiki Lite. This issue does NOT affect XenForo-based installations of those versions.
Thus, we have also issued the following Patch Level releases:
- 4.0.2 Patch Level 3
- 4.0.1 Patch Level 6
Oops!