    1. Welcome to VaultWiki.org, home of the wiki add-on for vBulletin and XenForo!

      VaultWiki allows your existing forum users to collaborate on creating and managing a site's content pages. VaultWiki is a fully-featured and fully-supported wiki solution for vBulletin and XenForo.

      The VaultWiki Team encourages you to join our community of forum administrators and check out VaultWiki for yourself.

      VaultWiki Security Update: July 2017 

      by
      pegasus
      Published on August 6, 2017 2:51 PM

      As of August 6, 2017, the July 2017 security patches for currently supported versions of VaultWiki 4.x are available.

      Issue List

      VWE-2017-3857 is a Permissions Escalation involving custom user masks and custom moderator permissions, where "No" and "Never" values that were part of the mask did not take precedence over inherited "Yes" values. The issue affects several Patch Level releases of the VaultWiki 4.x series since 4.0.8, and all versions since 4.0.16.
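
The precedence rule behind VWE-2017-3857, as an added illustration that is not VaultWiki code: a simplified model in which each permission has one inherited value and one mask value. The permission names, the function names and the rule that an explicit mask value always wins are assumptions of this sketch.

```python
# Added illustration: a simplified permission model, not VaultWiki's own code.
NOT_SET, YES, NO, NEVER = "Not Set", "Yes", "No", "Never"


def resolve_flawed(inherited, mask):
    """Behaviour the advisory describes before the patch:
    an inherited "Yes" survives a mask value of "No" or "Never"."""
    return YES in (inherited, mask)


def resolve_patched(inherited, mask):
    """Intended behaviour: "No" and "Never" in the mask take precedence
    over an inherited "Yes"; "Not Set" defers to the inherited value.
    Assumption of this model: an explicit mask value always wins."""
    if mask in (NO, NEVER):
        return False
    if mask == YES:
        return True
    return inherited == YES


def audit(inherited_perms, mask_perms):
    """Return the permissions that the flawed resolver grants but the
    patched resolver denies, i.e. grants an administrator believed
    the mask had revoked."""
    flagged = []
    for name in sorted(inherited_perms):
        inherited = inherited_perms[name]
        mask = mask_perms.get(name, NOT_SET)
        if resolve_flawed(inherited, mask) and not resolve_patched(inherited, mask):
            flagged.append(name)
    return flagged


# Constructed sample data; the permission names are hypothetical.
INHERITED = {
    "edit_page": YES,
    "delete_page": YES,
    "upload_attachment": YES,
    "view_history": NOT_SET,
}
MASK = {"edit_page": NO, "delete_page": NEVER, "view_history": YES}

if __name__ == "__main__":
    for perm in audit(INHERITED, MASK):
        print("mask denial not enforced by flawed resolver:", perm)
```
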

      VWE-2017-3858 is a Permissions Escalation involving an incorrect notification that setting all settings to "Not Set" for custom permissions, user masks, or moderator permissions was successful, even when the change could not be successfully saved. In this case, existing "Yes" values will still be in effect, even though the administrator believes that they have been revoked. The issue affects VaultWiki 4.0.12 and higher.

      Patches

      The following patches, issued August 6, 2017, address the aforementioned issues:
      • 4.0.18 Patch Level 1
      • 4.0.17 Patch Level 3
      • 4.0.16 Patch Level 4
      • 4.0.15 Patch Level 8
      • 4.0.14 Patch Level 11
      • 4.0.13 Patch Level 11


      We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release.

      VaultWiki 4.0.19 

      by
      pegasus
      Published on August 6, 2017 12:18 PM

      VaultWiki 4.0.19 is available as of August 6, 2017. This is primarily a maintenance release, including over 70 bug fixes and over 25 style tweaks.

      Release Notes

      The current release is VaultWiki 4.0.19, which should be usable on vBulletin-based and XenForo-based production sites.

      VaultWiki 4.0.18 

      by
      pegasus
      Published on June 1, 2017 2:37 PM

      On May 30, 2017, we released VaultWiki 4.0.18. The release includes several new features, as well as over 80 bug fixes.

      Form-Based Importer Configuration

      In prior versions, importing content from other software into VaultWiki required editing a configuration file directly, and trusted the values that were entered to be correct. This was not user-friendly, and it was prone to errors, as users could easily overlook or misenter some values.

      Starting with 4.0.18, users now configure the importer via web-based form inputs. Fields have user-friendly names and descriptions, so that it is clearer what information should be entered. Further, the information that is entered is now tested first to make sure the information is correct, before attempting an import.

      In addition, the web-based configuration now allows for storage of multiple importer sessions, so administrators can continue a specific import later if needed.

      Mass Search and Replace

      The Admin Panel now offers a section called Mass Management Tools. This allows administrators to use search criteria to find and select large numbers of wiki pages to be deleted or edited. This provides a method for massive search-and-replace of undesired text, adding templates to multiple pages at once, and more.

      Release Notes

      The current release is VaultWiki 4.0.18, which should be usable on vBulletin-based and XenForo-based production sites.

      VaultWiki Security Update: May 2017 

      by
      pegasus
      Published on May 16, 2017 11:35 AM

      As of May 16, 2017, we have released the May security patches for currently supported versions of VaultWiki 4.x.

      Issue List

      VWE-2017-3733 is a Permissions Escalation issue involving wiki attachment permissions. Exploiting the issue usually requires collusion between the uploading user and the downloading users, in order to share files that are otherwise not allowed. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2017-3734 is primarily a Phishing issue, which makes it easier for users to insert links to external web sites that intend to steal the victim's login information; the issue involves a reduced likelihood that the victim would notice that they have navigated to a different web site. The issue affects all versions of the VaultWiki 3.x and 4.x series.

      Patches

      The following patches address the aforementioned issues:
      • 4.0.17 Patch Level 2
      • 4.0.16 Patch Level 3
      • 4.0.15 Patch Level 7
      • 4.0.14 Patch Level 10
      • 4.0.13 Patch Level 10
      • 4.0.12 Patch Level 11
      • 4.0.11 Patch Level 11


      We highly recommend that all users running VaultWiki in a production environment update to a patched release as soon as possible.

      VaultWiki Security Update: March 2017 

      by
      pegasus
      Published on March 30, 2017 5:13 PM

      Today marks the availability of the March 2017 security patches for currently supported versions of VaultWiki 4.x, our first such regularly-scheduled release.

      Issue List

      VWE-2017-3677 is a Subscription Management Flaw that affects the following users who were created while VaultWiki was installed: (1) Users who registered while the VaultWiki add-on was disabled; and (2) Users who were imported into XenForo from another forum. Both sets of users were unable to change their default preferences regarding new wiki subscriptions. The issue affects all versions of the VaultWiki 4.x series.

      VWE-2017-3679 is a Denial of Service Amplification issue involving specific syntax nesting combinations when using MediaWiki syntax support. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2017-3682 is a CAN-SPAM Non-compliance issue involving some wiki subscriptions that were imported into VaultWiki from another installation that was running VaultWiki 4.0.16 or higher. The affected subscriptions would never send valid unsubscribe links. The issue affects all versions of the VaultWiki 4.x series, except Lite versions; however, imports from Lite versions may also be affected. If your import was already affected, please follow the instructions in the issue disclosure.

      VWE-2017-3683 is a Subscription Management Flaw that occurs when adding a comment to a wiki discussion. The user's default wiki subscription preference was taking precedence over the user's form selection. It was a regression of the fix for VWE-2017-3428. It affects VaultWiki 4.0.17 build 001 only.

      VWE-2017-3684 is a Denial of Service Amplification issue in Synonyms management. It affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2017-3686 is a Permissions Escalation issue involving users who were granted permission to delete wiki content but whose permissions also require moderation for new content and new edits. Certain changes by these users were being accepted before a moderator had a chance to review them. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2017-3687 is a CAN-SPAM Non-compliance issue involving email subscriptions imported into VaultWiki from another installation running the VaultWiki 4.x series. Unsubscribe links sent within the past 30 days were not honored. The issue affects all versions of the VaultWiki 4.x series, except Lite versions; however, imports from Lite versions may also be affected. If your import was already affected, please follow the instructions in the issue disclosure.

      Patches

      The following patches, released March 30, 2017, address the aforementioned issues:
      • 4.0.17 Patch Level 1
      • 4.0.16 Patch Level 2
      • 4.0.15 Patch Level 6
      • 4.0.14 Patch Level 9
      • 4.0.13 Patch Level 9
      • 4.0.12 Patch Level 10
      • 4.0.11 Patch Level 10
      • 4.0.10 Patch Level 11


      We strongly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as possible.

      VaultWiki 4.0.17 

      by
      pegasus
      Published on March 25, 2017 12:22 PM

      On February 28, 2017, we released VaultWiki 4.0.17. The release contains several feature enhancements and over 100 bug fixes.

      Create Content from Wiki Index

      In previous versions of VaultWiki, it was necessary to drill down to a relevant wiki area to find a button for creating new wiki pages. In 4.0.17, these buttons are now also available on the wiki index page; users can select the target area from within the editor view.

      Release Notes

      The current release is VaultWiki 4.0.17, which should be usable on vBulletin-based and XenForo-based production sites.

      VaultWiki Security Update: February 2017 

      by
      pegasus
      Published on February 25, 2017 12:28 PM

      Since the release of 4.0.16 last month, we have uncovered a handful of security issues while making improvements to related features.

      Note: This notice discusses patches that were released on February 17, 2017. If you have upgraded or installed since that date, you do not need to take any action.

      Issue List

      VWE-2017-3388 is a CAN-SPAM Non-compliance issue that affects wiki moderator notifications. It affects all prior versions of the VaultWiki 4.x series.

      VWE-2017-3396 is a Subscription Management Flaw that affects a user's ability to manage feed subscriptions via the user's list of wiki subscriptions. It affects VaultWiki 4.0.0 and higher.

      VWE-2017-3407 is a Subscription Management Flaw that affects a user's ability to manage subscriptions for certain content, where an administrator has revoked their access to that content since they subscribed. It affects all versions of the VaultWiki 4.x series.

      VWE-2017-3415 is a CAN-SPAM Non-compliance issue involving threads that have been moved into the wiki. Unsubscribe links issued within the past 30 days while the content was still a thread are non-functional after the content was moved, yet the user is still subscribed at the new location. Patched versions prevent newly moved threads from having their subscriptions also moved; users will need to re-subscribe. This issue affects VaultWiki 4.0.16.

      VWE-2017-3428 is a Subscription Management Flaw that affects a user's ability to prevent their default subscription preference while posting new wiki comments. It affects all versions of the VaultWiki 4.x series.

      VWE-2017-3436 is a CAN-SPAM Non-compliance issue involving failure to parse some otherwise valid unsubscribe links. It affects VaultWiki 4.0.16.

      VWE-2017-3437 is a Denial-of-Service Amplification issue involving thumbnail requests. It affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2017-3445 is a Denial of Service issue that can cause specified wiki pages to no longer have new edits successfully applied. It affects VaultWiki 4.0.0 and higher.

      Patches

      The following patches, released February 17, 2017, address the aforementioned issues:
      • 4.0.16 Patch Level 1
      • 4.0.15 Patch Level 5
      • 4.0.14 Patch Level 8
      • 4.0.13 Patch Level 8
      • 4.0.12 Patch Level 9
      • 4.0.11 Patch Level 9
      • 4.0.10 Patch Level 10
      • 4.0.9 Patch Level 10


      We strongly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as possible.

      Policy Updates

      Prior to this notice, it was customary for us to give each vulnerability a unique name, such as File Blueprint Vulnerability. However, as our database has grown, it has become difficult to continue selecting names with any sort of meaning. Additionally, whenever review of certain issues was necessary later, it was difficult to do based on the name alone. Thus, we have converted our vulnerability database to use IDs that are more meaningful to our internal tracking systems.

      While previously it was customary to issue a Patch Level release immediately -- within 1 to 2 days of a security issue being fixed internally -- in many cases, this has made it difficult for users to keep up with patches as they become available, has resulted in rapid growth of our database as older patches become superseded, and has caused many development hours to be lost to frequent patch issuance procedures. In December 2015, the License Agreement established that up to 30 days was permitted between an issue's discovery and a patch; thus, beginning with this most recent set of patches, we will begin limiting patches to one (1) per calendar month, except as required to satisfy the 30-day rule or to mitigate an actively exploited issue.

    All times are GMT -4.
    Copyright © 2008 - 2024 VaultWiki Team, Cracked Egg Studios, LLC.