As of September 24, 2017, the September security patches, which were previously delayed, are now up-to-date. We had previously released patches for a number of issues while noting other issues that remained unpatched. The newest patches, issued today, correct the remaining issues, as well as some additional issues.
Issue List
VWE-2017-4004 is a minor Permissions Escalation issue (previously disclosed), in which a user may be able to upload an image with a single dimension exceeding what their permissions allow, so long as the total area of the image can be arranged to fit within the permitted amount. This issue affects all versions of VaultWiki 4.x, except Lite versions.
VWE-2017-4012 is a CAN-SPAM Compliance issue, in which automatic notifications sent by an importer might be sent without the compliance information filled in. The issue affects a number of patch levels since VaultWiki 4.0.10, and VaultWiki 4.0.18 and newer, except Lite versions, and only on XenForo.
VWE-2017-4030 is a Legal issue (previously disclosed), in which uploaded image attachments may have their metadata unintentionally stripped. Many software applications and web sites perform metadata removal by default, but recent court cases have provided precedent that this behavior is illegal in several countries, such as Germany and Australia, as it violates the copyright protections of the original owners of the images. Patches actively attempt to preserve several types of metadata that tend to get lost during image processing, with the focus on preserving fields that usually contain copyright and ownership-related data. This issue affects all versions of VaultWiki 4.x, except Lite versions. Because of the ongoing legal dubiousness of other attachment systems, we highly recommend using VaultWiki's attachment system over any built-in or add-on attachment systems in your forums, even for non-wiki usage, until such time as they provide patches for this issue.
VWE-2017-4031 is a Permissions Escalation issue, in which pages that have multiple internal types may have Yes-permissions of their lower-importance type overriding the No-permissions of the higher-importance type. This issue affects all versions of VaultWiki 4.x.
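As an added illustration of the VWE-2017-4031 precedence problem (this is not VaultWiki code; the type names, importance ranking and the dict-based permission layout are hypothetical), the pre-patch merge lets any type's Yes grant the action, while the corrected merge lets the most important type that has an explicit setting decide, so a higher-importance No wins over a lower-importance Yes:

```python
from typing import Optional

# Hypothetical importance ranking of a node's internal types:
# higher number = higher importance.
TYPE_IMPORTANCE = {"page": 3, "section": 2, "discussion": 1}

# A node's permission settings for one action, keyed by internal type.
# True = Yes, False = No, None = no explicit setting for that type.
TypePerms = dict[str, Optional[bool]]


def resolve_buggy(types_perms: TypePerms) -> bool:
    """Pre-patch behaviour as described in the advisory: a Yes on any of the
    node's types grants the action, even when a more important type says No."""
    return any(setting is True for setting in types_perms.values())


def resolve_fixed(types_perms: TypePerms) -> bool:
    """Walk the node's types from most to least important. The first type with
    an explicit Yes/No decides; None defers to the next type. A node with no
    explicit setting on any type is denied (fail closed)."""
    by_importance = sorted(
        types_perms, key=lambda t: TYPE_IMPORTANCE[t], reverse=True
    )
    for node_type in by_importance:
        setting = types_perms[node_type]
        if setting is not None:
            return setting
    return False


if __name__ == "__main__":
    # Constructed case: the page-level type says No, the lower-importance
    # discussion type says Yes.
    node = {"page": False, "discussion": True}
    print("buggy :", resolve_buggy(node))   # True  (escalation)
    print("fixed :", resolve_fixed(node))   # False (No at higher importance wins)
```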
VWE-2017-4032 is a Permissions Escalation issue, in which users may be able to upload images that exceed the maximum allowed dimensions and/or file size if the admin has chosen to store the binary data of uploaded attachments in the database. This issue affects all versions of VaultWiki 4.x, except Lite versions, but only on vBulletin.
VWE-2017-4033 is a Data Loss issue, in which an admin might accidentally remove high-level nodes, and thus the contents of those nodes, using the Mass Management Tools delete capability. Patches resolve this issue by removing the ability to delete these types of nodes using this tool. The issue affects VaultWiki 4.0.18 and newer.
VWE-2017-4073 is a Denial of Service issue, in which a crafted response by an external server may be able to consume more memory than is usually allocated to the image proxy. This issue affects VaultWiki 4.0.1 and newer, except Lite versions.
VWE-2017-4075 is a Permissions Escalation issue, in which a malicious user might use a specially crafted image file in order to view thumbnails of any image hosted on the server. The issue affects all versions of VaultWiki 4.x, except Lite versions.
Patches
The following patches, issued September 24, 2017, address the aforementioned issues:
- 4.0.19 Patch Level 2
- 4.0.18 Patch Level 3
- 4.0.17 Patch Level 5
- 4.0.16 Patch Level 6
- 4.0.15 Patch Level 10
We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as they are able.