    1. Welcome to VaultWiki.org, home of the wiki add-on for vBulletin and XenForo!

      VaultWiki allows your existing forum users to collaborate on creating and managing a site's content pages. VaultWiki is a fully-featured and fully-supported wiki solution for vBulletin and XenForo.

      The VaultWiki Team encourages you to join our community of forum administrators and check out VaultWiki for yourself.


      VaultWiki Security Update: June 2018 

      by
      pegasus
      Published on June 13, 2018 2:11 PM

      As of June 13, 2018, the regularly scheduled security patches for June are now available.

      Issue List

      VWE-2018-4573 is a Denial of Service issue, involving a design flaw in the wiki session handler. It affects VaultWiki 4.0.13 and higher.

      VWE-2018-4574 is a Permissions Escalation issue, in which a moderator may be able to move wiki content into a wiki area where that moderator has no permission. It affects all versions of the VaultWiki 4.x series.

      Patches

      The following patches, issued June 13, 2018, address the aforementioned issues:
      • 4.0.22 Patch Level 2
      • 4.0.21 Patch Level 3
      • 4.0.20 Patch Level 6
      • 4.0.19 Patch Level 9
      • 4.0.18 Patch Level 10*

      *A patch was issued for 4.0.18 even though it reached its end of life this May, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend that users upgrade to a more recent patched version.

      We highly recommend that all users running VaultWiki in a production environment update to a patched release.

      VaultWiki Security Update: May 2018 

      by
      pegasus
      Published on May 17, 2018 8:16 PM

      As of May 16, 2018, the regularly scheduled security patches for March are now available.

      Issue List

      VWE-2018-4535 is a Permissions Escalation issue, in which users may be able to use prefixes that are not allowed by the current wiki area, if the area allows a different prefix with an overlapping name. The issue affects all previous versions of the VaultWiki 4.x series, but does not affect Lite versions.

      VWE-2018-4536 is a Denial of Service issue, in which an attack may queue enough counter increments that attempting to resolve the increment queue can fail. The issue affects all previous versions of the VaultWiki 4.x series.

      Patches

      The following patches, issued May 16, 2018, address the aforementioned issues:
      • 4.0.22 Patch Level 1
      • 4.0.21 Patch Level 2
      • 4.0.20 Patch Level 5
      • 4.0.19 Patch Level 8
      • 4.0.18 Patch Level 9


      We recommend that all users running VaultWiki in a production environment update to a patched release.

      VaultWiki 4.0.22 

      by
      pegasus
      Published on April 17, 2018 11:04 AM

      As of this past weekend, VaultWiki 4.0.22 is now available. This is primarily a maintenance release, containing over 20 bug fixes and other minor improvements.

      For a list of changes in this release, please see the Changelog for 4.0.22. If you are a style or language pack maintainer, please check here for changes which may affect you.

      Release Notes

      The current release is VaultWiki 4.0.22, which should be usable on vBulletin-based and XenForo-based production sites.

      VaultWiki Security Update: March 2018 

      by
      pegasus
      Published on March 16, 2018 10:47 AM

      As of March 16, 2018, the regularly scheduled security patches for March are now available.

      Issue List

      VWE-2018-4394 is a Permissions Escalation issue, in which users may be able to create certain wiki page-types without permission, as long as the user has permission to create normal pages. The issue affects all previous versions of the VaultWiki 4.x series, but does not affect Lite versions.

      VWE-2018-4471 is a Race Condition issue, in which it is possible to run the same deferred task multiple times, leading to data de-synchronization, superfluous emails to users, and/or other problems which may occur in third-party tasks. The issue affects VaultWiki 4.0.0 Beta 6 and higher.

      VWE-2018-4485 is a Permissions Escalation issue, where users may be able to view the titles of content in a Similar Content block, without permission to view that content, by leveraging the WIDGET BB-Code. It occurs in patches for VWE-2017-4318 and later versions, but does not affect the Lite version.

      Patches

      The following patches, issued March 16, 2018, address the aforementioned issues:
      • 4.0.21 Patch Level 1
      • 4.0.20 Patch Level 4
      • 4.0.19 Patch Level 7
      • 4.0.18 Patch Level 8
      • 4.0.17 Patch Level 10*

      *A patch was issued for 4.0.17 even though it reached its end of life earlier this March, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend that users upgrade to a more recent patched version.

      We highly recommend that all users running VaultWiki in a production environment update to a patched release.

      VaultWiki 4.0.21 

      by
      pegasus
      Published on March 1, 2018 8:15 AM

      As of February 14, 2018, we were pleased to release VaultWiki 4.0.21, now available for our licensed customers to download. This is primarily a maintenance release, containing over 80 bug fixes, style tweaks, and other minor improvements.

      For a list of changes in this release, please see the Changelog for 4.0.21. If you are a style or language pack maintainer, please check here for changes which may affect you.

      Release Notes

      The current release is VaultWiki 4.0.21, which should be usable on vBulletin-based and XenForo-based production sites.

      VaultWiki Security Update: February 2018 

      by
      pegasus
      Published on February 9, 2018 2:29 PM

      As of February 9, 2018, the regularly scheduled security patches for February are now available.

      Issue List

      VWE-2018-4336 is a Permissions Escalation issue in environments using a theoretical third-party add-on or custom BB-Code, in which it may be possible to parse unprivileged legacy wiki syntax within a privileged context. In vBulletin, the issue affects all versions of VaultWiki 2.x starting from 2.2.0, and all versions of the 3.x and 4.x series. In XenForo, the issue affects all versions of VaultWiki prior to 4.0.7 that were not already patched for VWE-2015-1601. Lite versions are not affected.

      VWE-2018-4337 is a Denial of Service issue, in which an unprivileged user may be able to prevent future edits, comments, and/or other changes to desired wiki pages by abusing the personal feed system. The issue affects VaultWiki 4.0.0 and higher.

      VWE-2018-4345 is a Denial of Service issue, in which a limitation added by the patch for VWE-2017-4266 is not enforced. However, due to a bug in the previous patch, denial of service is only possible to achieve via theoretical third-party add-ons which fix the bug.

      VWE-2018-4346 is a Denial of Service and Amplification issue, in which the image proxy cache may enter a state where it constantly reprimes, or in which large numbers of cache images may be corrupted. The issue affects VaultWiki 4.0.1 and higher, except Lite versions.

      VWE-2018-4347 is a Denial of Service Amplification issue, in which blocking may occur during CSS processing when the patch for VWE-2017-4266 is not applied, or if a theoretical third-party add-on fixes the bug introduced by that patch; in such cases, a well-timed, distributed attack may be able to achieve site-wide denial of service. The issue exists in VaultWiki 4.0.19 and higher.

      VWE-2018-4348 is a Permissions Escalation issue, in which a theoretical third-party add-on can be leveraged to indirectly modify different wiki content than the add-on is designed to modify. The issue exists in all versions of the VaultWiki 4.x series.

      VWE-2018-4350 is a Permissions Escalation issue, in which a user without permission to remove synonyms from a wiki page may be able to remove those synonyms indirectly by removing a specific, otherwise unrelated, wiki page that the user does have permission to remove. The issue exists in VaultWiki 4.0.16 and higher.

      VWE-2018-4352 is a Denial of Service issue, in which an unprivileged user may be able to make certain wiki pages "disappear" via moderated edits, rollbacks, and some other actions. The issue affects all VaultWiki 2.2.3 variants, and all versions of the 4.x series.

      VWE-2018-4356 is a Denial of Service issue, in which moderators may be prevented from deleting undesirable wiki content, due to abuse of that content's child content and other relations. The issue affects all versions of the VaultWiki 4.x series. Note, however, that default installations of vBulletin and XenForo 1.x without VaultWiki share similar problems, but those developers do not address them as a security issue.

      Patches

      The following patches, issued February 8, 2018, address the aforementioned issues:
      • 4.0.20 Patch Level 3
      • 4.0.19 Patch Level 6
      • 4.0.18 Patch Level 7
      • 4.0.17 Patch Level 9


      We highly recommend that all users running VaultWiki in a production environment update to a patched release.

      VaultWiki Security Update: January 2018 

      by
      pegasus
      Published on January 10, 2018 2:53 PM

      As of January 10, 2018, the regularly scheduled security patches for January are now available.

      Issue List

      VWE-2017-4317 is a Permissions escalation issue, in which users may be able to see some thread titles in output from the WIDGET BB-Code, even though the users may otherwise not be allowed to view those same threads. The issue affects VaultWiki 4.0.0 RC 3 and later, except Lite versions, on XenForo-based forums only.

      VWE-2017-4318 is a Permissions escalation issue, in which users may be able to see some cache contents of output from the WIDGET BB-Code, even though the users may otherwise not be allowed to view the same contents. The issue affects VaultWiki 4.0.0 RC 3 and later, except Lite versions.

      VWE-2017-4319 is a Permissions escalation issue, in which users may be able to see some cache contents of the Similar Content sidebar block, even though the users may otherwise not be allowed to view the same contents. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2017-4320 is a Permissions escalation issue, in which users may be able to circumvent certain limitations that are enforced on wiki books. If the escalation is performed enough times on a single book, a Denial of Service condition can be created on pages that reference the book. The issue affects VaultWiki 4.0.4 and later, except Lite versions.

      VWE-2017-4325 is a Permissions escalation issue, in which users may be able to see wiki page titles in Find New Wiki Updates, even though the users may otherwise not be allowed to view the same wiki pages. The issue affects VaultWiki 4.0.4 and later, on XenForo-based forums only.

      VWE-2017-4326 is a design flaw that could lead to Permissions escalation or Data Loss in third-party add-ons that rely on VaultWiki's vw_Fetch_Controller::get_by_route function. The issue affects VaultWiki 4.0.16 and later.

      Patches

      The following patches, issued January 10, 2018, address the aforementioned issues:
      • 4.0.20 Patch Level 2
      • 4.0.19 Patch Level 5
      • 4.0.18 Patch Level 6
      • 4.0.17 Patch Level 8
      • 4.0.16 Patch Level 9*


      * A patch was issued for 4.0.16 even though it reached its end of life earlier this January, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend that users upgrade to a more recent patched version.

      We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release.
