VaultWiki News

Today marks the availability of the March 2017 security patches for currently supported versions of VaultWiki 4.x, our first such regularly-scheduled release.

Issue List

VWE-2017-3677 is a Subscription Management Flaw that affects the following users who were created while VaultWiki was installed: (1) Users who registered while the VaultWiki add-on was disabled; and (2) Users who were imported into XenForo from another forum. Both sets of users were unable to change their default preferences regarding new wiki subscriptions. The issue affects all versions of the VaultWiki 4.x series.

VWE-2017-3679 is a Denial of Service Amplification issue involving specific syntax nesting combinations when using MediaWiki syntax support. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

VWE-2017-3682 is a CAN-SPAM Non-compliance issue involving some wiki subscriptions that were imported into VaultWiki from another installation that was running VaultWiki 4.0.16 or higher. The affected subscriptions would never send valid unsubscribe links. The issue affects all versions of the VaultWiki 4.x series, except Lite versions; however, imports from Lite versions may also be affected. If your import was already affected, please follow the instructions in the issue disclosure.

VWE-2017-3683 is a Subscription Management Flaw that occurs when adding a comment to a wiki discussion. The user's default wiki subscription preference was taking precedence over the user's form selection. It was a regression of the fix for VWE-2017-3428. It affects VaultWiki 4.0.17 build 001 only.

VWE-2017-3684 is a Denial of Service Amplification issue in Synonyms management. It affects all versions of the VaultWiki 4.x series, except Lite versions.

VWE-2017-3686 is a Permissions Escalation issue involving users who were granted permission to delete wiki content but whose permissions also require moderation for new content and new edits. Certain changes by these users were being accepted before a moderator had a chance to review them. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

VWE-2017-3687 is a CAN-SPAM Non-compliance issue involving email subscriptions imported into VaultWiki from another installation running the VaultWiki 4.x series. Unsubscribe links sent within the past 30 days were not honored. The issue affects all versions of the VaultWiki 4.x series, except Lite versions; however, imports from Lite versions may also be affected. If your import was already affected, please follow the instructions in the issue disclosure.

Patches

The following patches, released March 30, 2017, address the aforementioned issues:

• 4.0.17 Patch Level 1
• 4.0.16 Patch Level 2
• 4.0.15 Patch Level 6
• 4.0.14 Patch Level 9
• 4.0.13 Patch Level 9
• 4.0.12 Patch Level 10
• 4.0.11 Patch Level 10
• 4.0.10 Patch Level 11

We strongly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as possible.

On February 28, 2017, we released VaultWiki 4.0.17. The release contains several feature enhancements and over 100 bug fixes.

Create Content from Wiki Index

In previous versions of VaultWiki, it was necessary to drill down to a relevant wiki area to find a button for creating new wiki pages. In 4.0.17, these buttons are now also available on the wiki index page; users can select the target area from within the editor view.

Release Notes

The current release is VaultWiki 4.0.17, which should be usable on vBulletin-based and XenForo-based production sites.

Since the release of 4.0.16 last month, we have uncovered a handful of security issues while making improvements to related features.

Note: This notice discusses patches that were released on February 17, 2017. If you have upgraded or installed since that date, you do not need to take any action.

Issue List

VWE-2017-3388 is a CAN-SPAM Non-compliance issue that affects wiki moderator notifications. It affects all prior versions of the VaultWiki 4.x series.

VWE-2017-3396 is a Subscription Management Flaw that affects a user's ability to manage feed subscriptions via the user's list of wiki subscriptions. It affects VaultWiki 4.0.0 and higher.

VWE-2017-3407 is a Subscription Management Flaw that affects a user's ability to manage subscriptions for certain content, where an administrator has revoked their access to that content since they subscribed. It affects all versions of the VaultWiki 4.x series.

VWE-2017-3415 is a CAN-SPAM Non-compliance issue involving threads that have been moved into the wiki. Unsubscribe links issued within the past 30 days while the content was still a thread are non-functional after the content was moved, yet the user is still subscribed at the new location. Patched versions prevent newly moved threads from having their subscriptions also moved; users will need to re-subscribe. This issue affects VaultWiki 4.0.16.

VWE-2017-3428 is a Subscription Management Flaw that affects a user's ability to prevent their default subscription preference while posting new wiki comments. It affects all versions of the VaultWiki 4.x series.

VWE-2017-3436 is a CAN-SPAM Non-compliance issue involving failure to parse some otherwise valid unsubscribe links. It affects VaultWiki 4.0.16.

VWE-2017-3437 is a Denial-of-Service Amplification issue involving thumbnail requests. It affects all versions of the VaultWiki 4.x series, except Lite versions.

VWE-2017-3445 is a Denial of Service issue that can cause specified wiki pages to no longer have new edits successfully applied. It affects VaultWiki 4.0.0 and higher.

Patches

The following patches, released February 17, 2017, address the aforementioned issues:

• 4.0.16 Patch Level 1
• 4.0.15 Patch Level 5
• 4.0.14 Patch Level 8
• 4.0.13 Patch Level 8
• 4.0.12 Patch Level 9
• 4.0.11 Patch Level 9
• 4.0.10 Patch Level 10
• 4.0.9 Patch Level 10

We strongly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as possible.

Policy Updates

Prior to this notice, it was customary for us to give each vulnerability a unique name, such as File Blueprint Vulnerability. However, as our database has grown, it has become difficult to continue selecting names with any sort of meaning. Additionally, whenever review of certain issues was necessary later, it was difficult to do based on the name alone. Thus, we have converted our vulnerability database to use IDs that are more meaningful to our internal tracking systems.

While previously it was customary to issue a Patch Level release immediately -- within 1 to 2 days of a security issue being fixed internally -- in many cases, this has made it difficult for users to keep up with patches as they become available, has resulted in rapid growth of our database as older patches become superceded, and has caused many development hours to be lost to frequent patch issuance procedures. In December 2015, the License Agreement established that up to 30 days was permitted between an issue's discovery and a patch; thus, beginning with this most recent set of patches, we will beginning limiting patches to one (1) per calendar month, except as required to satisfy the 30-day rule or to mitigate an actively exploited issue.

On January 8, 2017, we released VaultWiki 4.0.16. This release contains several feature enhancements and over 200 bug fixes.

Compatibility with PHP 7.1.x

VaultWiki 4.0.16 is the first VaultWiki release that is deemed compatible with the latest public branch of PHP, 7.1.x.

Convert Threads to Wiki Pages [beta]

This release reintroduces, in part, the VaultWiki 3.x ability to move forum threads into the wiki, thereafter treating them as wiki pages.

At the current time, this feature should be considered "beta". It is incomplete, and thus, may only achieve desired results on certain threads.

At the current time, the following information about a thread is moved/converted:

• Thread title, first post content, and open/closed state
• Post edit history of the first post
• Attachments to the first post become wiki attachments
• Thread replies become comments
• Attachments to thread replies

This is a moderator-level feature that uses the forum's existing permissions for threads. You can find the option to perform this function among the standard inline moderation controls in the forum's thread list, or among the thread's management tools when viewing a thread.

Closing Discussions

With 4.0.16, it is now possible to close discussions and prevent further comments. This can be done on an individual basis per discussion or at the page level to prevent all discussion on that page.

Tabs for More Content-Types

It is now easier to manage synonyms for Feeds and Special Pages; nodes of these types now provide a Synonyms tab.

It is now easier to rename Special Pages; they now provide an Edit tab. The tab also allows Special Pages to use a different prefix than the default Special prefix and to set custom page icons.

Improved Usage Lists

Previously, if a page had a high number of categories, feeds, or translations, only a handful were ever displayed to visitors, while the rest were cut off. Now, a "More..." link is provided, which directs the user to a paginated list of all categories, feeds, or translations, respectively.

Paginated lists have also been implemented in templates and attachments, for Pages Using This Resource. For templates, the list will display a notice above pages that were last edited prior to the template's last edit. In this way, if there were major changes to the template, it is easier to determine which pages may need to be updated.

Release Notes

The current release is VaultWiki 4.0.16, which should be usable on vBulletin-based and XenForo-based production sites.

Since the release of version 4.0.15 last month, our developers have uncovered 5 security-related issues while making various performance improvements for the next release.

The Social Butterfly Vulnerability allows for unauthorized viewing and editing of some wiki pages that are assigned to Social Groups in vBulletin. It affects all prior vBulletin-based versions of VaultWiki 4.x, except Lite versions. It does not affect XenForo.

The Eavesdropper Vulnerability allows for unauthorized viewing of some content that moderators have not approved for public view. It affects all prior versions of VaultWiki 4.x, except Lite versions.

The Opt-Block Vulnerability is a flaw in the email notifications system that results in invalid unsubscription links in emails. This can be considered non-compliance with laws regarding bulk commercial emails and result in emails being flagged as SPAM or, over time, the email server being blacklisted. This issue affects all prior versions of VaultWiki 4.x, including Lite versions. Patches allow invalid links that were already sent to work with additional user input for validation.

An Unconfirmed Vulnerability is a flaw in the email notifications system that sends emails to some users whose email addresses have not been verified. Over time, this can result in the email server being considered for blacklisting. This issue affects all prior versions of VaultWiki 4.x, including Lite versions.

The Restricted Area Vulnerability is a flaw in permissions combination that can result in some customized permissions not being properly revoked. This might allow unauthorized viewing, editing, or other changes to wiki content. This issue affects all VaultWiki 4.0.0 Alpha 6 and higher, except Lite versions.

As of December 22, 2016, the following patches address all five issues:

• 4.0.15 Patch Level 3
• 4.0.14 Patch Level 6
• 4.0.13 Patch Level 6
• 4.0.12 Patch Level 7
• 4.0.11 Patch Level 7
• 4.0.10 Patch Level 8
• 4.0.9 Patch Level 8
• 4.0.8 Patch Level 10

Additional Instructions: After applying one of these patches:

1. Go to the Wiki Admin Panel > Permissions > Usergroups.
2. Edit the Administrators group.
3. Change "Index Permissions" > "Can view the wiki Index?" to a different value.
4. Save.
5. Edit the Administrators group again.
6. Change "Index Permissions" > "Can view the wiki Index?" back to the previous value.
7. Save.

This will remove cached permissions that might have been stored in a vulnerable state from your site's cache.

We strongly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as possible.

As of November 8, 2016, VaultWiki 4.0.15 was released to license holders. This version includes some minor feature enhancements, performance improvements, and over 90 bug fixes.

4K Support

VaultWiki 4.0.15 is the first version to contain built-in support for high-density displays, such as 4K monitors and retina devices. Both the wiki's attachment system as well as its image proxy will now automatically generate thumbnails for these devices, if enabled, and will serve the appropriate version for each device.

Removal of Some Hard Limits

In earlier versions, there were various issues when an individual page appeared in over 200 categories, had over 200 translations, or reached similar limits in other features. As of 4.0.15, the maximum supported number of categories and translations per page is now effectively unlimited.

However, while some improvements were made to books, limitations are still in effect regarding maximum supported book chapters. This will be addressed in a future release.

Release Notes

The current release is VaultWiki 4.0.15, which should be usable on vBulletin-based and XenForo-based production sites.