    • VaultWiki Security Update: December 2017

      by pegasus
      Published on December 2, 2017 11:39 AM
      As of December 1, 2017, the regularly scheduled security patches for December are now available.

      Issue List

      VWE-2017-4265 is a Permissions escalation issue, in which users can replace an expired proxy image with a different image by editing different content than the content that contains the proxy image. This issue affects VaultWiki 4.0.1 and higher, except Lite versions.

      VWE-2017-4266 is a Denial of Service issue, in which a malicious user can balloon the size of the CSS cache at will. This issue affects VaultWiki 4.0.0 Gamma 7 and higher.
      • We detected a similar issue in XenForo 1.x and 2.x and reported the issue to XenForo's developers. The corresponding issue is fixed in XenForo 1.5.16 and 2.0.0, respectively.


      VWE-2017-4267 is an Accidental Permissions escalation issue, in which an administrator might be misled by incorrect values in the "Not Set" column while customizing usergroup permissions for a specific area. This issue affects VaultWiki 4.0.12 and higher on XenForo only, but it does not affect VaultWiki Lite.

      VWE-2017-4275 is a Legal issue, in which IPTC segments of some PNG files might not be successfully parsed but the PNG file is accepted anyway. Some countries require web sites to preserve IPTC metadata. This issue affects recent patches of VaultWiki 4.x which added support for IPTC metadata, but it does not affect VaultWiki Lite.

      VWE-2017-4282 is an Information Disclosure issue, in which attackers may be notified that they have filled available attachment space rather than receiving a generic error. Information Disclosures are treated as security issues starting with VaultWiki 4.0.19; this issue appears in 4.0.19 and higher. This issue does not affect Lite versions.

      VWE-2017-4287 is a Denial of Service issue, in which users with certain permissions may be able to replace certain forum nodes with fatal errors, due to a flaw in the integration system. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

      Patches

      The following patches, issued December 1, 2017, address the aforementioned issues:
      • 4.0.20 Patch Level 1
      • 4.0.19 Patch Level 4
      • 4.0.18 Patch Level 5
      • 4.0.17 Patch Level 7
      • 4.0.16 Patch Level 8
      • 4.0.15 Patch Level 12*

      * A patch was issued for 4.0.15 even though it reached its end-of-life in November, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend users upgrade to a more recent patched version.

      We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release.

      Addendum: vBulletin Security Issues

      The following issues exist in vBulletin itself. We reported them to vBulletin support over 60 days ago; since vBulletin has neither patched nor disclosed them in that time, we are disclosing them here:
      1. An image decompression bomb vulnerability exists when vBulletin Options > Message Attachment Options > Resize Images = Yes. Disable it to protect your site.
      2. An image decompression bomb vulnerability exists when allowing user uploads for avatars and profile pictures. To protect your site, change your forum's permissions so that users cannot upload custom avatars or profile pictures.
      3. An image decompression bomb vulnerability exists when using ImageMagick for images and allowing uploads. Currently known issues are for PDFs and TIFFs; however, because the filename of the incoming upload is not trustworthy, removing entries from the Attachment Manager or changing Attachment Permissions are not viable options. The following mitigation options exist:
        • Change vBulletin Options > Image Settings > Image Processing Library = GD, OR
        • Change your forum's permissions so that no users can upload anything.
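The three vBulletin items above share one root cause: the image library is asked to decode an upload before anyone has looked at how large the decoded bitmap would be. An added defender-side example (not VaultWiki's or vBulletin's code) that complements the configuration changes listed above: it identifies the file type from its magic bytes rather than the untrusted filename, reads only the declared width and height from the header, and rejects the upload before any decoder runs. The MAX_PIXELS cap and the sample headers are constructed assumptions.

```python
import struct

MAX_PIXELS = 25_000_000  # assumed cap (~25 MP); tune to what your server can decode safely

_SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
                0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}          # JPEG "start of frame" markers
_NO_LENGTH = {0x01, 0xD8} | set(range(0xD0, 0xD8))          # markers with no length field


def declared_dimensions(data: bytes):
    """Return (kind, width, height) read from the header only, or None if unknown."""
    # PNG: 8-byte signature, then the IHDR chunk carries width and height (big-endian).
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        width, height = struct.unpack(">II", data[16:24])
        return "png", width, height
    # JPEG: walk the marker segments until a SOFn segment reports height/width.
    if data[:2] == b"\xff\xd8":
        i = 2
        while i + 4 <= len(data):
            if data[i] != 0xFF:
                return None                    # corrupt marker stream
            marker = data[i + 1]
            if marker == 0xFF:                 # fill byte
                i += 1
                continue
            if marker in _NO_LENGTH:
                i += 2
                continue
            if marker == 0xD9:                 # EOI before any SOF
                return None
            seglen = struct.unpack(">H", data[i + 2:i + 4])[0]
            if marker in _SOF_MARKERS:
                if i + 9 > len(data):
                    return None
                height, width = struct.unpack(">HH", data[i + 5:i + 9])
                return "jpeg", width, height
            i += 2 + seglen
    return None                                # not PNG/JPEG, or header truncated


def is_safe_upload(data: bytes, max_pixels: int = MAX_PIXELS) -> bool:
    """Accept only if the declared pixel count is positive and within the cap."""
    dims = declared_dimensions(data)
    if dims is None:
        return False                           # unknown/malformed: refuse rather than let a decoder guess
    _, width, height = dims
    return 0 < width * height <= max_pixels


# Constructed sample headers for exercising the check offline (not real uploads).
def make_png_header(w: int, h: int) -> bytes:
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", w, h)


def make_jpeg_header(w: int, h: int) -> bytes:
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\xff\xc0" + struct.pack(">H", 11) + b"\x08" + struct.pack(">HH", h, w) + b"\x01\x01\x11\x00"
    return b"\xff\xd8" + app0 + sof0 + b"\xff\xd9"
```

Run the check on the raw bytes of every upload before handing the file to GD or ImageMagick; a file whose declared size is tiny but whose decoded size is huge (the decompression-bomb pattern) is rejected here, and anything that is not a recognised image header is rejected too.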