The Social Butterfly Vulnerability allows for unauthorized viewing and editing of some wiki pages that are assigned to Social Groups in vBulletin. It affects all prior vBulletin-based versions of VaultWiki 4.x, except Lite versions. It does not affect XenForo.
The Eavesdropper Vulnerability allows for unauthorized viewing of some content that moderators have not approved for public view. It affects all prior versions of VaultWiki 4.x, except Lite versions.
The Opt-Block Vulnerability is a flaw in the email notifications system that results in invalid unsubscription links in emails. This can be considered non-compliance with laws regarding bulk commercial email and can result in emails being flagged as spam or, over time, the email server being blacklisted. This issue affects all prior versions of VaultWiki 4.x, including Lite versions. The patches allow the invalid links that were already sent to keep working, provided the user supplies additional input for validation.
The Unconfirmed Vulnerability is a flaw in the email notifications system that sends emails to some users whose email addresses have not been verified. Over time, this can result in the email server being considered for blacklisting. This issue affects all prior versions of VaultWiki 4.x, including Lite versions.
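The two email issues above come down to a pair of checks on the sending side: only verified addresses receive notifications, and an unsubscribe link is honoured only when it carries a valid token, with a fallback that asks the recipient to type the subscribed address when the token does not verify. The following is an added illustration of that pattern, not VaultWiki's own code; the HMAC token format, the `Subscriber` record, the subscriber list and the URL base are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Constructed server-side secret for the illustration; a real deployment keeps
# this in configuration, not in source.
SERVER_SECRET = b"constructed-secret-replace-in-production"


@dataclass(frozen=True)
class Subscriber:
    """Hypothetical subscriber record (not VaultWiki's schema)."""
    user_id: int
    email: str
    email_verified: bool


# Constructed sample subscribers: Bob never confirmed his address.
SUBSCRIBERS = [
    Subscriber(1, "alice@example.com", True),
    Subscriber(2, "bob@example.com", False),
    Subscriber(3, "carol@example.com", True),
]


def unsubscribe_token(user_id: int, email: str) -> str:
    """Bind the user id and address into a keyed hash so the link cannot be
    altered to unsubscribe a different account."""
    msg = f"{user_id}:{email.strip().lower()}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def build_unsubscribe_link(sub: Subscriber,
                           base: str = "https://wiki.example/unsubscribe") -> str:
    """Unsubscribe URL carrying the signed token (URL layout is an assumption)."""
    return f"{base}?uid={sub.user_id}&token={unsubscribe_token(sub.user_id, sub.email)}"


def recipients_for_notification(subs: List[Subscriber]) -> List[Subscriber]:
    """Bulk notifications go only to addresses the owner has confirmed."""
    return [s for s in subs if s.email_verified]


def lookup(user_id: int) -> Optional[Subscriber]:
    return next((s for s in SUBSCRIBERS if s.user_id == user_id), None)


def process_unsubscribe(user_id: int, token: str,
                        typed_email: Optional[str] = None) -> str:
    """Return 'unsubscribed', 'needs_email' or 'rejected'.

    A token that verifies is honoured directly. A link whose token does not
    verify (for example one generated before a fix) is not honoured blindly:
    the visitor is asked to type the subscribed address, and the request
    succeeds only if it matches the account on file."""
    sub = lookup(user_id)
    if sub is None:
        return "rejected"
    expected = unsubscribe_token(sub.user_id, sub.email)
    if hmac.compare_digest(expected.encode(), token.encode()):
        return "unsubscribed"
    if typed_email is None:
        return "needs_email"
    if hmac.compare_digest(typed_email.strip().lower().encode(),
                           sub.email.lower().encode()):
        return "unsubscribed"
    return "rejected"


if __name__ == "__main__":
    for s in recipients_for_notification(SUBSCRIBERS):
        print(s.email, build_unsubscribe_link(s))
    print(process_unsubscribe(1, "not-a-valid-token", "alice@example.com"))
```

The second comparison in `process_unsubscribe` is the "additional user input for validation" step: an old or malformed link still leads somewhere useful, but it cannot unsubscribe anyone without knowledge of the address that was actually subscribed.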
The Restricted Area Vulnerability is a flaw in how permissions are combined that can result in some customized permissions not being properly revoked. This might allow unauthorized viewing, editing, or other changes to wiki content. This issue affects all versions of VaultWiki from 4.0.0 Alpha 6 and higher, except Lite versions.
As of December 22, 2016, the following patches address all five issues:
- 4.0.15 Patch Level 3
- 4.0.14 Patch Level 6
- 4.0.13 Patch Level 6
- 4.0.12 Patch Level 7
- 4.0.11 Patch Level 7
- 4.0.10 Patch Level 8
- 4.0.9 Patch Level 8
- 4.0.8 Patch Level 10
Additional Instructions: After applying one of these patches:
- Go to the Wiki Admin Panel > Permissions > Usergroups.
- Edit the Administrators group.
- Change "Index Permissions" > "Can view the wiki Index?" to a different value.
- Save.
- Edit the Administrators group again.
- Change "Index Permissions" > "Can view the wiki Index?" back to the previous value.
- Save.
This will remove cached permissions that might have been stored in a vulnerable state from your site's cache.
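The Restricted Area issue and the cache-flushing procedure above illustrate two properties a permission resolver needs: an explicit per-area revocation must be applied after the grants from all of a user's groups are merged, and any cached result must be discarded when a group is saved (which is what the toggle-and-save steps achieve). The code below is an added, generic illustration of those two properties and is not VaultWiki's code; the permission bits, group names, area names and the "revoke wins" rule are constructed assumptions rather than VaultWiki's actual semantics.

```python
from typing import Dict, Iterable, Tuple

# Constructed permission bits (not VaultWiki's real values).
CAN_VIEW = 1
CAN_EDIT = 2
CAN_DELETE = 4

# Base grants per usergroup (constructed).
GROUP_GRANTS: Dict[str, int] = {
    "registered": CAN_VIEW,
    "editors": CAN_VIEW | CAN_EDIT,
    "admins": CAN_VIEW | CAN_EDIT | CAN_DELETE,
}

# Per-area customized permissions: area -> group -> (grant_mask, revoke_mask).
# Constructed: editors keep view but lose edit inside the "restricted" area.
AREA_OVERRIDES: Dict[str, Dict[str, Tuple[int, int]]] = {
    "restricted": {"editors": (0, CAN_EDIT)},
}


class PermissionResolver:
    """Resolves effective permissions with a cache that is invalidated on change."""

    def __init__(self) -> None:
        self._cache: Dict[tuple, int] = {}
        # Bumped on every permission change; part of the cache key so an entry
        # computed under an older ruleset can never be served again.
        self._version = 0

    def resolve(self, groups: Iterable[str], area: str) -> int:
        key = (self._version, tuple(sorted(groups)), area)
        if key not in self._cache:
            self._cache[key] = self._compute(groups, area)
        return self._cache[key]

    def _compute(self, groups: Iterable[str], area: str) -> int:
        granted = 0
        revoked = 0
        for g in groups:
            granted |= GROUP_GRANTS.get(g, 0)
            extra_grant, extra_revoke = AREA_OVERRIDES.get(area, {}).get(g, (0, 0))
            granted |= extra_grant
            revoked |= extra_revoke
        # Revocations are applied only after every group's grants are merged,
        # so a bit revoked for one of the user's groups cannot be re-granted by
        # another group's base permissions (deny wins; a design choice here).
        return granted & ~revoked

    def set_override(self, area: str, group: str, grant: int, revoke: int) -> None:
        """Equivalent of saving a usergroup in the admin panel."""
        AREA_OVERRIDES.setdefault(area, {})[group] = (grant, revoke)
        self.permissions_changed()

    def permissions_changed(self) -> None:
        """Invalidate everything: clear the store and bump the version so any
        entry still in flight is keyed under the old, now-unused version."""
        self._version += 1
        self._cache.clear()

    def cached_entries(self) -> int:
        return len(self._cache)


if __name__ == "__main__":
    r = PermissionResolver()
    print(r.resolve(["registered", "editors"], "restricted"))  # view only
    r.set_override("restricted", "admins", 0, CAN_DELETE)
    print(r.resolve(["admins"], "restricted"))                  # view + edit
```

The point of the version counter in the cache key is the one the advisory's procedure works around: if an entry survives a rule change, the resolver keeps answering from the old ruleset until something forces a recompute. Saving a group, even with its original value, is such a forcing event.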
We strongly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as possible.