-
VaultWiki News
by Published on January 18, 2017 11:33 AM
On January 8, 2017, we released VaultWiki 4.0.16. This release contains several feature enhancements and over 200 bug fixes.
Compatibility with PHP 7.1.x
VaultWiki 4.0.16 is the first VaultWiki release that is deemed compatible with the latest public branch of PHP, 7.1.x.
Convert Threads to Wiki Pages [beta]
This release reintroduces, in part, the VaultWiki 3.x ability to move forum threads into the wiki, thereafter treating them as wiki pages.
At the current time, this feature should be considered "beta". It is incomplete, and thus, may only achieve desired results on certain threads.
At the current time, the following information about a thread is moved/converted:
- Thread title, first post content, and open/closed state
- Post edit history of the first post
- Attachments to the first post become wiki attachments
- Thread replies become comments
- Attachments to thread replies
This is a moderator-level feature that uses the forum's existing permissions for threads. You can find the option to perform this function among the standard inline moderation controls in the forum's thread list, or among the thread's management tools when viewing a thread.
Closing Discussions
With 4.0.16, it is now possible to close discussions and prevent further comments. This can be done on an individual basis per discussion or at the page level to prevent all discussion on that page.
Tabs for More Content-Types
It is now easier to manage synonyms for Feeds and Special Pages; nodes of these types now provide a Synonyms tab.
It is now easier to rename Special Pages; they now provide an Edit tab. The tab also allows Special Pages to use a different prefix than the default Special prefix and to set custom page icons.
Improved Usage Lists
Previously, if a page had a high number of categories, feeds, or translations, only a handful were ever displayed to visitors, while the rest were cut off. Now, a "More..." link is provided, which directs the user to a paginated list of all categories, feeds, or translations, respectively.
Paginated lists have also been implemented in templates and attachments, for Pages Using This Resource. For templates, the list will display a notice above pages that were last edited prior to the template's last edit. In this way, if there were major changes to the template, it is easier to determine which pages may need to be updated.
Release Notes
The current release is VaultWiki 4.0.16, which should be usable on vBulletin-based and XenForo-based production sites.by Published on December 22, 2016 4:18 PM
Since the release of version 4.0.15 last month, our developers have uncovered 5 security-related issues while making various performance improvements for the next release.
The Social Butterfly Vulnerability allows for unauthorized viewing and editing of some wiki pages that are assigned to Social Groups in vBulletin. It affects all prior vBulletin-based versions of VaultWiki 4.x, except Lite versions. It does not affect XenForo.
The Eavesdropper Vulnerability allows for unauthorized viewing of some content that moderators have not approved for public view. It affects all prior versions of VaultWiki 4.x, except Lite versions.
The Opt-Block Vulnerability is a flaw in the email notifications system that results in invalid unsubscription links in emails. This can be considered non-compliance with laws regarding bulk commercial emails and result in emails being flagged as SPAM or, over time, the email server being blacklisted. This issue affects all prior versions of VaultWiki 4.x, including Lite versions. Patches allow invalid links that were already sent to work with additional user input for validation.
An Unconfirmed Vulnerability is a flaw in the email notifications system that sends emails to some users whose email addresses have not been verified. Over time, this can result in the email server being considered for blacklisting. This issue affects all prior versions of VaultWiki 4.x, including Lite versions.
The Restricted Area Vulnerability is a flaw in permissions combination that can result in some customized permissions not being properly revoked. This might allow unauthorized viewing, editing, or other changes to wiki content. This issue affects all VaultWiki 4.0.0 Alpha 6 and higher, except Lite versions.
As of December 22, 2016, the following patches address all five issues:
- 4.0.15 Patch Level 3
- 4.0.14 Patch Level 6
- 4.0.13 Patch Level 6
- 4.0.12 Patch Level 7
- 4.0.11 Patch Level 7
- 4.0.10 Patch Level 8
- 4.0.9 Patch Level 8
- 4.0.8 Patch Level 10
Additional Instructions: After applying one of these patches:
- Go to the Wiki Admin Panel > Permissions > Usergroups.
- Edit the Administrators group.
- Change "Index Permissions" > "Can view the wiki Index?" to a different value.
- Save.
- Edit the Administrators group again.
- Change "Index Permissions" > "Can view the wiki Index?" back to the previous value.
- Save.
This will remove cached permissions that might have been stored in a vulnerable state from your site's cache.
We strongly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as possible.by Published on November 23, 2016 11:59 AM
As of November 8, 2016, VaultWiki 4.0.15 was released to license holders. This version includes some minor feature enhancements, performance improvements, and over 90 bug fixes.
4K Support
VaultWiki 4.0.15 is the first version to contain built-in support for high-density displays, such as 4K monitors and retina devices. Both the wiki's attachment system as well as its image proxy will now automatically generate thumbnails for these devices, if enabled, and will serve the appropriate version for each device.
Removal of Some Hard Limits
In earlier versions, there were various issues when an individual page appeared in over 200 categories, had over 200 translations, or reached similar limits in other features. As of 4.0.15, the maximum supported number of categories and translations per page is now effectively unlimited.
However, while some improvements were made to books, limitations are still in effect regarding maximum supported book chapters. This will be addressed in a future release.
Release Notes
The current release is VaultWiki 4.0.15, which should be usable on vBulletin-based and XenForo-based production sites.by Published on November 16, 2016 6:24 PM
Earlier this week, a user reported an issue that was discovered during a security audit of the user's server. The audit uncovered a Local File Inclusion vulnerability in some VaultWiki files, which could be used by an attacker to read sensitive data stored on the file system. In PHP versions prior to 5.3.3, it was also possible to perform Remote Code Execution using the same vulnerability. However, there was no evidence that this vulnerability had ever been exploited.
VerQuatch Vulnerability affects all prior versions of VaultWiki 4.x, including VaultWiki Lite. It is possible to exploit whether VaultWiki is enabled or disabled in your site's Add-On/Product Manager.
On November 15, 2016, we released the following patches to address this issue:
- 4.0.15 Patch Level 1
- 4.0.14 Patch Level 4
- 4.0.13 Patch Level 4
- 4.0.12 Patch Level 5
- 4.0.11 Patch Level 5
- 4.0.10 Patch Level 6
- 4.0.9 Patch Level 6
- 4.0.8 Patch Level 8
We strongly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as possible.
Please note that this patch increases VaultWiki's minimum required PHP version to 5.3.3.
Additional Steps
While there is no evidence of exploitation of this vulnerability at this time, it has allowed attackers to potentially read the contents of any file that was also readable by your PHP user. After patching, please ensure that any other sensitive data that may be stored on your file system is secure. Some example measures include:
- Change the MySQL password for your installation.
- If using vBulletin, and if your forum is configured to cache the datastore as files (see includes/config.php), then change the SMTP password for your forum's SMTP sender address.
- If your site uses SSL, regenerate your private key and certificates.
by Published on November 3, 2016 5:00 PM
Earlier this week, during investigations of a customer's bug report, our developers discovered that, although there was no evidence that anyone had done so, the bug could be leveraged to perform an SQL injection attack against the wiki.
This vulnerability, dubbed Color-by-Numbers, can be used to read sensitive information from the database, such as the password hashes of arbitrary users.
This issue affects all versions of VaultWiki since 4.0.6, except Lite versions.
On November 1, we released the following patches to address this issue:
- 4.0.14 Patch Level 3
- 4.0.13 Patch Level 3
- 4.0.12 Patch Level 4
- 4.0.11 Patch Level 4
- 4.0.10 Patch Level 5
- 4.0.9 Patch Level 5
- 4.0.8 Patch Level 7
We strongly recommend that all users running VaultWiki 4.0.6 or higher in a production environment update to a patched release as soon as possible.by Published on October 20, 2016 10:35 AM
Last week, while debugging other issues, our developers discovered that it had been possible to circumvent several of the previous patches from August, specifically VaultWiki 4.0.8 Patch Level 5 - 4.0.13 Patch Level 1, that were intended to prevent Server-Side Request Forgery, if a malicious user were to use specially crafted URLs. This issue does not affect Lite versions.
At the same time, our developers noticed a flaw that could make it easier for malicious users to launch a denial of service attack by submitting invalid URLs. This issue affects all versions of VaultWiki since 4.0.1, except Lite versions.
Earlier this week, a customer reported that large portions of their wiki were going offline whenever certain user actions were performed on a single wiki page. Since this could be leveraged by as few as one malicious user to keep all or most of a wiki offline, it is being treated as a Denial of Service vulnerability. While the flaw exists in earlier versions, it was not possible to exploit until a related bug was fixed in 4.0.14. Thus, this issue only affects 4.0.14 and its Patch Level 1, but does not affect Lite versions.
These issues are referred to as RE:Vulnerabilidad de Las Plagas, VaporPic, and Soul Sealer respectively.
Today, we have released the following patches to address all three:
- 4.0.14 Patch Level 2
The following patches address the remaining issues (where applicable), and have been available since last week:
- 4.0.13 Patch Level 2
- 4.0.12 Patch Level 3
- 4.0.11 Patch Level 3
- 4.0.10 Patch Level 4
- 4.0.9 Patch Level 4
- 4.0.8 Patch Level 6
- 4.0.7 Patch Level 7
We strongly recommend that all users running VaultWiki 4.0.1 or higher in a production environment update to a patched release as soon as possible.by Published on September 19, 2016 2:05 PM
Today, VaultWiki 4.0.14 is now available. This version includes some minor feature enhancements, performance and style improvements, and over 90 bug fixes.
Most notably, this release fixes an issue with the install and upgrade system's Manual Mode, which had been the cause of many previously unexplained issues. If you have used Manual Mode in the past and have noticed unusual problems in your wiki, then you may wish to review this issue list to determine if you need to take any action towards correcting your installation.
Filter Content Lists By Content Type
For areas, categories, and other nodes that contain pages of more than one content-type, such as anonymous pages, book chapters, or synonyms, it is now possible to use the content list's sorting tools to only show the types a user wants to see. A default filter can be set for each area.
Auto-Link to Other Prefixes
A new setting has been added to each forum and wiki area that allows admins to select what wiki prefix will be searched for auto-links. This allows admins to override the previous behaviors: for forums, the default behavior was to auto-link to pages that have no prefix; for areas, the default behavior was to auto-link to pages that share their prefix with the currently viewed wiki page.
Release Notes
The current release is VaultWiki 4.0.14, which should be usable on vBulletin-based and XenForo-based production sites.
This site uses cookies to help personalize content, to tailor your experience, and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.
By continuing to use this site, you are consenting to our use of cookies.