The VerQuatch vulnerability affects all prior versions of VaultWiki 4.x, including VaultWiki Lite. It can be exploited whether VaultWiki is enabled or disabled in your site's Add-On/Product Manager.
On November 15, 2016, we released the following patches to address this issue:
- 4.0.15 Patch Level 1
- 4.0.14 Patch Level 4
- 4.0.13 Patch Level 4
- 4.0.12 Patch Level 5
- 4.0.11 Patch Level 5
- 4.0.10 Patch Level 6
- 4.0.9 Patch Level 6
- 4.0.8 Patch Level 8
We strongly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as possible.
Please note that this patch increases VaultWiki's minimum required PHP version to 5.3.3.
Additional Steps
While there is no evidence of exploitation of this vulnerability at this time, it could have allowed an attacker to read the contents of any file that was also readable by your PHP user. After patching, please ensure that any other sensitive data that may be stored on your file system is secure. Some example measures include:
- Change the MySQL password for your installation.
- If using vBulletin, and if your forum is configured to cache the datastore as files (see includes/config.php), then change the SMTP password for your forum's SMTP sender address.
- If your site uses SSL, regenerate your private key and certificates.
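To decide which secrets need rotating, it helps to list the secret-bearing files that the PHP user's permissions would have allowed it to read. The script below is an added example, not part of the VaultWiki patch or of this advisory; the file-name patterns and the function names are assumptions to adapt to your own site.

```python
import fnmatch
import os
import stat
import sys

# Assumed file-name patterns for secret-bearing files; adjust to your site.
SECRET_PATTERNS = ("config.php", "*.key", "*.pem", ".env")

READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def allows(st, uid, gids, bits):
    """Apply POSIX owner/group/other precedence to a stat result (ACLs ignored)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])


def files_to_rotate(root, uid, gids, patterns=SECRET_PATTERNS):
    """List matching files under root that the given uid/gids could have read."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not allows(os.stat(dirpath), uid, gids, SEARCH):
            dirnames[:] = []  # the account cannot enter this directory
            continue
        for name in filenames:
            if not any(fnmatch.fnmatch(name, p) for p in patterns):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # dangling symlink or file removed mid-scan
            if stat.S_ISREG(st.st_mode) and allows(st, uid, gids, READ):
                exposed.append(path)
    return sorted(exposed)


if __name__ == "__main__":
    # Usage: python audit.py <root> <php-uid> [<php-gid> ...]
    root, uid = sys.argv[1], int(sys.argv[2])
    gids = {int(g) for g in sys.argv[3:]}
    print("\n".join(files_to_rotate(root, uid, gids)))
```

Run it as root or as the file owner so the scan itself can see every directory. It evaluates permission bits from `root` downward only and does not account for ACLs or for restrictive permissions on directories above `root`.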