    1. Welcome to VaultWiki.org, home of the wiki add-on for vBulletin and XenForo!

      VaultWiki allows your existing forum users to collaborate on creating and managing a site's content pages. VaultWiki is a fully-featured and fully-supported wiki solution for vBulletin and XenForo.

      The VaultWiki Team encourages you to join our community of forum administrators and check out VaultWiki for yourself.


      VaultWiki Security Notice: September 2017 

      by
      pegasus
      Published on September 9, 2017 10:40 AM

      Unfortunately, as of September 9, 2017, the September 2017 security patches for currently supported versions of VaultWiki 4.x are delayed, due to the complexity of issues to be addressed. We expect the patches to be completed this weekend or early this week; however, the following issues which are addressed as part of the patch are already due for disclosure. Please take the outlined steps to secure your installations ahead of the patch releases.

      UPDATE 9/13: Patches for a number of the issues below are now available: https://www.vaultwiki.org/articles/216/
      UPDATE 9/24: Patches for VWE-2017-4004 are now available: https://www.vaultwiki.org/articles/218/

      Partial Issue List

      VWE-2017-3978

      VWE-2017-3978 is a Remote Code Execution issue that requires a compromised DNS or a compromised remote server that VaultWiki is using as an import source. The issue affects VaultWiki 4.0.0 Beta 6 - 4.0.17, except lite versions. Versions 4.0.0 Beta 5 and earlier, as well as versions 4.0.18 and later, are not affected by this issue.

      Workaround: Do not use the importer's $api_path configuration directive while running a vulnerable release.

      VWE-2017-3979

      VWE-2017-3979 is a Decompression Bomb issue, which can be exploited to create a Denial of Service condition. The issue affects all versions of VaultWiki 4.x, except lite versions.

      The workaround involves temporarily disabling affected functions. For versions 4.0.14 and later, perform the following:
      1. Set Options > VaultWiki: Content Types > Maximum Disk Usage for All Attachments (MB) = 0. This will reject all new uploads.
      2. Set Options > VaultWiki: Miscellaneous > Maximum Disk Usage for All Proxy Images (MB) = 0. This will disable the external image proxy.

      After a patch is available and applied, restore these settings to reactivate uploads and proxying.

      There is no viable workaround for versions 4.0.13 and earlier. They are no longer supported; update to a more recent version and perform the steps above.
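
      The bug class behind VWE-2017-3979, as an added illustration that is not VaultWiki code: a limit checked against the uploaded (compressed) size says nothing about the inflated size, so the cap has to be enforced while decompressing. The sketch assumes a zlib stream, since the notice does not say which formats are affected, and the function names and limits are hypothetical.

```python
import zlib

class OutputLimitExceeded(Exception):
    """The stream tried to inflate past the allowed number of bytes."""

def bounded_inflate(compressed: bytes, max_output: int) -> bytes:
    """Inflate a zlib stream but never hold more than max_output + 1 bytes."""
    inflater = zlib.decompressobj()
    out = bytearray()
    data = compressed
    while not inflater.eof:
        # max_length caps this call's output; asking for one byte over the
        # remaining budget is enough to detect an oversized stream.
        piece = inflater.decompress(data, max_output - len(out) + 1)
        out += piece
        if len(out) > max_output:
            raise OutputLimitExceeded(
                f"{len(compressed)} compressed bytes inflate past {max_output}")
        data = inflater.unconsumed_tail
        if not piece and not data and not inflater.eof:
            raise ValueError("truncated zlib stream")
    return bytes(out)

def make_constructed_bomb(inflated_size: int) -> bytes:
    """Constructed sample: a run of zero bytes, which deflate shrinks ~1000:1."""
    return zlib.compress(b"\0" * inflated_size, 9)

def check_upload(compressed: bytes, max_upload: int, max_output: int) -> str:
    """Apply both limits: the on-the-wire size and the inflated size."""
    if len(compressed) > max_upload:
        return "rejected: upload too large"
    try:
        bounded_inflate(compressed, max_output)
    except OutputLimitExceeded:
        return "rejected: inflates past limit"
    except (zlib.error, ValueError):
        return "rejected: corrupt stream"
    return "accepted"

if __name__ == "__main__":
    bomb = make_constructed_bomb(20 * 1024 * 1024)  # 20 MiB of zeros (constructed)
    print(len(bomb), check_upload(bomb, 1024 * 1024, 2 * 1024 * 1024))
```

      The constructed sample passes a 1 MiB upload limit easily, and only the output budget stops it.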

      VWE-2017-4004 (update: 9/12)

      VWE-2017-4004 is a minor Permissions Escalation issue in which a user may be able to upload an image with a single dimension exceeding their permissions, so long as the total area of the image fits within the permitted amount. This issue affects all versions of VaultWiki 4.x, except lite versions.

      Most web software suffers from this issue and it is not generally considered a security issue. For example, the same is possible in standard XenForo or vBulletin; thus, it was also possible in VaultWiki 3.x versions.

      If this issue concerns you, you can work around the issue before a patch is available: go to Content > Attachments, and modify each image type so that the maximum allowed width and maximum allowed height are the same amount.

      Notes

      Depending on the length of the delay, we may update this notice with information on additional issues. Please keep an eye on this page for updates. When patches are available, we will post a new notice and link from here.

      We apologize for the inconvenience that this delay will cause. However, we urge customers to follow the workaround steps outlined above to ensure their sites are secure in the interim.

      VaultWiki Security Update: July 2017 

      by
      pegasus
      Published on August 6, 2017 2:51 PM

      As of August 6, 2017, the July 2017 security patches for currently supported versions of VaultWiki 4.x are available.

      Issue List

      VWE-2017-3857 is a Permissions Escalation involving custom user masks and custom moderator permissions, where "No" and "Never" values that were part of the mask did not take precedence over inherited "Yes" values. The issue affects several Patch Level releases of the VaultWiki 4.x series since 4.0.8, and all versions since 4.0.16.

      VWE-2017-3858 is a Permissions Escalation involving an incorrect notification that setting all settings to "Not Set" for custom permissions, user masks, or moderator permissions was successful, even when the change could not be successfully saved. In this case, existing "Yes" values will still be in effect, even though the administrator believes that they have been revoked. The issue affects VaultWiki 4.0.12 and higher.
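
      The precedence rule at stake in VWE-2017-3857, as an added sketch that is not VaultWiki code: a merge that lets an inherited "Yes" win, next to one where a "No" or "Never" in the custom mask takes precedence, plus an audit that lists the grants on which the two disagree. The data model, the permission names and the exact evaluation order are assumptions for illustration.

```python
from enum import Enum

class Perm(Enum):
    NOT_SET = "Not Set"
    YES = "Yes"
    NO = "No"
    NEVER = "Never"

DENY = {Perm.NO, Perm.NEVER}

def resolve_flawed(inherited: list[Perm], mask: Perm) -> bool:
    """Flawed merge: a deny in the mask is ignored when a group grants."""
    if Perm.YES in inherited:
        return True
    return mask is Perm.YES

def resolve(inherited: list[Perm], mask: Perm) -> bool:
    """Assumed intended order: mask deny, inherited Never, then grants."""
    if mask in DENY or Perm.NEVER in inherited:
        return False
    return mask is Perm.YES or Perm.YES in inherited

def wrongly_granted(assignments: dict) -> list[tuple[str, str]]:
    """List (user, permission) pairs the flawed merge grants but should not."""
    hits = []
    for user, perms in assignments.items():
        for name, (inherited, mask) in perms.items():
            if resolve_flawed(inherited, mask) and not resolve(inherited, mask):
                hits.append((user, name))
    return sorted(hits)

# Constructed sample: user -> permission -> (inherited group values, mask value).
ASSIGNMENTS = {
    "alice": {"edit_page": ([Perm.YES], Perm.NO),
              "delete_page": ([Perm.NOT_SET], Perm.YES)},
    "bob": {"edit_page": ([Perm.YES, Perm.NOT_SET], Perm.NEVER)},
    "carol": {"edit_page": ([Perm.YES], Perm.NOT_SET)},
}

if __name__ == "__main__":
    for user, name in wrongly_granted(ASSIGNMENTS):
        print(f"{user}: {name} granted despite a mask deny")
```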

      Patches

      The following patches, issued August 6, 2017, address the aforementioned issues:
      • 4.0.18 Patch Level 1
      • 4.0.17 Patch Level 3
      • 4.0.16 Patch Level 4
      • 4.0.15 Patch Level 8
      • 4.0.14 Patch Level 11
      • 4.0.13 Patch Level 11


      We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release.

      VaultWiki 4.0.19 

      by
      pegasus
      Published on August 6, 2017 12:18 PM

      VaultWiki 4.0.19 is available as of August 6, 2017. This is primarily a maintenance release, including over 70 bug fixes and over 25 style tweaks.

      Release Notes

      The current release is VaultWiki 4.0.19, which should be usable on vBulletin-based and XenForo-based production sites.

      VaultWiki 4.0.18 

      by
      pegasus
      Published on June 1, 2017 2:37 PM

      On May 30, 2017, we released VaultWiki 4.0.18. The release includes several new features, as well as over 80 bug fixes.

      Form-Based Importer Configuration

      In prior versions, importing content from other software into VaultWiki required editing a configuration file directly, and trusted the values that were entered to be correct. This was not user-friendly, and it was prone to errors, as users could easily overlook or misenter some values.

      Starting with 4.0.18, users now configure the importer via web-based form inputs. Fields have user-friendly names and descriptions, so that it is clearer what information should be entered. Further, the information that is entered is now tested first to make sure the information is correct, before attempting an import.

      In addition, the web-based configuration now allows for storage of multiple importer sessions, so administrators can continue a specific import later if needed.

      Mass Search and Replace

      The Admin Panel now offers a section called Mass Management Tools. This allows administrators to use search criteria to find and select large numbers of wiki pages to be deleted or edited. This provides a method for massive search-and-replace of undesired text, adding templates to multiple pages at once, and more.

      Release Notes

      The current release is VaultWiki 4.0.18, which should be usable on vBulletin-based and XenForo-based production sites.

      VaultWiki Security Update: May 2017 

      by
      pegasus
      Published on May 16, 2017 11:35 AM

      As of May 16, 2017, we have released the May security patches for currently supported versions of VaultWiki 4.x.

      Issue List

      VWE-2017-3733 is a Permissions Escalation issue involving wiki attachment permissions. Exploiting the issue usually requires collusion between the uploading user and the downloading users, in order to share files that are otherwise not allowed. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2017-3734 is primarily a Phishing issue, which makes it easier for users to insert links to external web sites that intend to steal the victim's login information; the issue involves a reduced likelihood that the victim would notice that they have navigated to a different web site. The issue affects all versions of the VaultWiki 3.x and 4.x series.

      Patches

      The following patches address the aforementioned issues:
      • 4.0.17 Patch Level 2
      • 4.0.16 Patch Level 3
      • 4.0.15 Patch Level 7
      • 4.0.14 Patch Level 10
      • 4.0.13 Patch Level 10
      • 4.0.12 Patch Level 11
      • 4.0.11 Patch Level 11


      We highly recommend that all users running VaultWiki in a production environment update to a patched release as soon as possible.

      VaultWiki Security Update: March 2017 

      by
      pegasus
      Published on March 30, 2017 5:13 PM

      Today marks the availability of the March 2017 security patches for currently supported versions of VaultWiki 4.x, our first such regularly-scheduled release.

      Issue List

      VWE-2017-3677 is a Subscription Management Flaw that affects the following users who were created while VaultWiki was installed: (1) Users who registered while the VaultWiki add-on was disabled; and (2) Users who were imported into XenForo from another forum. Both sets of users were unable to change their default preferences regarding new wiki subscriptions. The issue affects all versions of the VaultWiki 4.x series.

      VWE-2017-3679 is a Denial of Service Amplification issue involving specific syntax nesting combinations when using MediaWiki syntax support. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2017-3682 is a CAN-SPAM Non-compliance issue involving some wiki subscriptions that were imported into VaultWiki from another installation that was running VaultWiki 4.0.16 or higher. The affected subscriptions would never send valid unsubscribe links. The issue affects all versions of the VaultWiki 4.x series, except Lite versions; however, imports from Lite versions may also be affected. If your import was already affected, please follow the instructions in the issue disclosure.

      VWE-2017-3683 is a Subscription Management Flaw that occurs when adding a comment to a wiki discussion. The user's default wiki subscription preference was taking precedence over the user's form selection. It was a regression of the fix for VWE-2017-3428. It affects VaultWiki 4.0.17 build 001 only.

      VWE-2017-3684 is a Denial of Service Amplification issue in Synonyms management. It affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2017-3686 is a Permissions Escalation issue involving users who were granted permission to delete wiki content but whose permissions also require moderation for new content and new edits. Certain changes by these users were being accepted before a moderator had a chance to review them. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2017-3687 is a CAN-SPAM Non-compliance issue involving email subscriptions imported into VaultWiki from another installation running the VaultWiki 4.x series. Unsubscribe links sent within the past 30 days were not honored. The issue affects all versions of the VaultWiki 4.x series, except Lite versions; however, imports from Lite versions may also be affected. If your import was already affected, please follow the instructions in the issue disclosure.

      Patches

      The following patches, released March 30, 2017, address the aforementioned issues:
      • 4.0.17 Patch Level 1
      • 4.0.16 Patch Level 2
      • 4.0.15 Patch Level 6
      • 4.0.14 Patch Level 9
      • 4.0.13 Patch Level 9
      • 4.0.12 Patch Level 10
      • 4.0.11 Patch Level 10
      • 4.0.10 Patch Level 11


      We strongly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as possible.

      VaultWiki 4.0.17 

      by
      pegasus
      Published on March 25, 2017 12:22 PM

      On February 28, 2017, we released VaultWiki 4.0.17. The release contains several feature enhancements and over 100 bug fixes.

      Create Content from Wiki Index

      In previous versions of VaultWiki, it was necessary to drill down to a relevant wiki area to find a button for creating new wiki pages. In 4.0.17, these buttons are now also available on the wiki index page; users can select the target area from within the editor view.

      Release Notes

      The current release is VaultWiki 4.0.17, which should be usable on vBulletin-based and XenForo-based production sites.
    All times are GMT -4.