    • VaultWiki Security Notice: September 2017

      by pegasus
      Published on September 9, 2017 10:40 AM
      Unfortunately, as of September 9, 2017, the September 2017 security patches for currently supported versions of VaultWiki 4.x are delayed due to the complexity of the issues to be addressed. We expect the patches to be completed this weekend or early this week; however, the following issues, which the patches address, are already due for disclosure. Please take the outlined steps to secure your installations ahead of the patch releases.

      UPDATE 9/13: Patches for a number of the issues below are now available: https://www.vaultwiki.org/articles/216/
      UPDATE 9/24: Patches for VWE-2017-4004 are now available: https://www.vaultwiki.org/articles/218/

      Partial Issue List

      VWE-2017-3978

      VWE-2017-3978 is a Remote Code Execution issue that requires a compromised DNS or a compromised remote server that VaultWiki is using as an import source. The issue affects VaultWiki 4.0.0 Beta 6 - 4.0.17, except lite versions. Versions 4.0.0 Beta 5 and earlier, as well as versions 4.0.18 and later, are not affected by this issue.

      Workaround: Do not use the importer's $api_path configuration directive while running a vulnerable release.

      VWE-2017-3979

      VWE-2017-3979 is a Decompression Bomb issue, which can be exploited to create a Denial of Service condition. The issue affects all versions of VaultWiki 4.x, except lite versions.

      The workaround involves temporarily disabling affected functions. For versions 4.0.14 and later, perform the following:
      1. Set Options > VaultWiki: Content Types > Maximum Disk Usage for All Attachments (MB) = 0. This will reject all new uploads.
      2. Set Options > VaultWiki: Miscellaneous > Maximum Disk Usage for All Proxy Images (MB) = 0. This will disable the external image proxy.

      After a patch is available and applied, restore these settings to reactivate uploads and proxying.

      There is no viable workaround for versions 4.0.13 and earlier. Those versions are no longer supported; update to a more recent version and then perform the steps above.
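A decompression bomb is a small compressed payload that inflates to a size far beyond what the receiving code budgeted for, exhausting memory or disk. The standard mitigation is to inflate in bounded chunks and abort as soon as the output exceeds a budget, rather than trusting the declared size or inflating everything and checking afterwards. The following Python example is added here for illustration and is not VaultWiki's code; it uses a zlib stream as a stand-in for the attachment and proxy-image handling described above, and the "bomb" payload is constructed inline (20 MiB of zero bytes, which compresses to roughly 20 KiB).

```python
import zlib


class DecompressionBombError(ValueError):
    """Raised when inflated output would exceed the configured budget."""


def safe_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate `data`, stopping as soon as the output exceeds `max_output` bytes.

    zlib's decompressobj is asked for at most `chunk` bytes per call and the
    unconsumed input is carried in `unconsumed_tail`, so a bomb is rejected
    after inflating only slightly more than `max_output`, never the whole thing.
    """
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = data
    while pending:
        out += inflater.decompress(pending, chunk)
        if len(out) > max_output:
            consumed = len(data) - len(inflater.unconsumed_tail)
            raise DecompressionBombError(
                f"output exceeded {max_output} bytes after only "
                f"{consumed} compressed bytes were consumed"
            )
        pending = inflater.unconsumed_tail
    out += inflater.flush()
    if len(out) > max_output:
        raise DecompressionBombError(f"output exceeded {max_output} bytes")
    return bytes(out)


def make_bomb(inflated_size: int) -> bytes:
    """Constructed sample payload: highly compressible zeros (not real attack data)."""
    return zlib.compress(b"\x00" * inflated_size, 9)


def demo(budget: int = 1 << 20) -> dict:
    """Run a benign payload and a constructed bomb through the bounded inflater."""
    benign_plain = b"wiki page body " * 200
    benign = zlib.compress(benign_plain)
    bomb = make_bomb(20 * 1024 * 1024)
    result = {
        "benign_ok": safe_decompress(benign, budget) == benign_plain,
        "bomb_compressed_len": len(bomb),
        "bomb_rejected": False,
    }
    try:
        safe_decompress(bomb, budget)
    except DecompressionBombError:
        result["bomb_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The budget should be the same number the configuration exposes (the "Maximum Disk Usage" style settings above play this role at the storage layer); the same principle applies to image decoders, where the declared width and height in the file header should be checked against a pixel budget before any pixel buffer is allocated.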

      VWE-2017-4004 (update: 9/12)

      VWE-2017-4004 is a minor Permissions Escalation issue in which a user may be able to upload an image with a single dimension exceeding their permissions, so long as the total area of the image fits within the permitted amount. This issue affects all versions of VaultWiki 4.x, except lite versions.

      Most web software suffers from this issue and it is not generally considered a security issue. For example, the same is possible in standard XenForo or vBulletin; thus, it was also possible in VaultWiki 3.x versions.

      If this issue concerns you, you can work around it before a patch is available: go to Content > Attachments, and modify each image type so that the maximum allowed width and maximum allowed height are the same amount.
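The defect described for VWE-2017-4004 is a check on total pixel area where the permission is expressed per dimension: an area-only rule lets a 4000x100 image through a 2000x2000 limit. The example below, added here and not taken from VaultWiki, vBulletin or XenForo, reads the dimensions straight from a PNG's IHDR header (so the decision is made before any pixel buffer is allocated, which also serves the decompression-bomb concern under VWE-2017-3979), then contrasts the flawed area-only rule with a per-dimension rule. The PNG headers are constructed inline for the demonstration; the limit values and function names are assumptions.

```python
import struct
import zlib
from typing import Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_header(width: int, height: int) -> bytes:
    """Construct a PNG signature plus a valid IHDR chunk (header only, not a full image)."""
    ihdr = struct.pack(">II", width, height) + bytes([8, 2, 0, 0, 0])  # 8-bit RGB
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF)
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + crc


def png_dimensions(data: bytes) -> Tuple[int, int]:
    """Return (width, height) from the IHDR chunk without decoding any pixels."""
    if len(data) < 33 or not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height = struct.unpack(">II", body[:8])
    if width == 0 or height == 0:
        raise ValueError("zero-sized image")
    return width, height


def area_only_check(width: int, height: int, max_width: int, max_height: int) -> bool:
    """Flawed rule: any image whose area fits the permitted area is accepted."""
    return width * height <= max_width * max_height


def per_dimension_check(width: int, height: int, max_width: int, max_height: int) -> bool:
    """Correct rule: each dimension must independently fit its own limit."""
    return width <= max_width and height <= max_height


def validate_upload(data: bytes, max_width: int, max_height: int,
                    max_pixels: int) -> Tuple[bool, str]:
    """Header-only admission check: pixel budget first, then per-dimension limits."""
    try:
        width, height = png_dimensions(data)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if width * height > max_pixels:
        return False, f"pixel count {width * height} exceeds {max_pixels}"
    if width > max_width:
        return False, f"width {width} exceeds {max_width}"
    if height > max_height:
        return False, f"height {height} exceeds {max_height}"
    return True, "ok"


if __name__ == "__main__":
    wide = png_header(4000, 100)  # constructed: fits a 2000x2000 area, not a 2000 width
    w, h = png_dimensions(wide)
    print("area-only:", area_only_check(w, h, 2000, 2000))        # True (the flaw)
    print("per-dimension:", per_dimension_check(w, h, 2000, 2000))  # False
    print(validate_upload(wide, 2000, 2000, 5_000_000))
```

Setting maximum width and height to the same value, as the workaround above suggests, makes the area-only rule and the per-dimension rule agree only for square limits; the durable fix is to check each dimension separately, as `per_dimension_check` does.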

      Notes

      Depending on the length of the delay, we may update this notice with information on additional issues. Please keep an eye on this page for updates. When patches are available, we will post a new notice and link from here.

      We apologize for the inconvenience that this delay will cause. However, we urge customers to follow the workaround steps outlined above to ensure their sites are secure in the interim.