VaultWiki News

As of July 14, 2019, VaultWiki 4.1.0 Beta 2 is now available. This release expands XenForo 2.1 support, adds some new features, and contains about 50 fixes and tweaks.

Custom Permissions for Individual Wiki Content

In Beta 2, the Protect tab has been expanded with a "Custom Rules" section, which allows content managers to tweak the permissions of specific users for that content.

For example, if you manage a wiki page that your friend does not have permission to edit, you can grant that permission to your friend.

Alternatively, if you manage a wiki page and there are specific users who have made bad contributions, you can revoke their editing capabilities for that page.

Similar options are available for feeds and who can add entries, as well as for discussions and who can reply.

XenForo 2.x Spam Cleaning

Beta 2 integrates with XenForo 2's Spam Cleaner. Now, when moderators opt to remove all content posted by spam users, wiki content will be included in that operation.

Resolved Security Issues

Since beta versions are not subject to the same patching policy as stable versions, the following issues are patched in this release of the 4.1.x branch, 4.1.0 Beta 2, in addition to any relevant issues that were already patched on the stable branch.

VWE-2019-5280 is a Subscription Management issue, where users may receive push notifications about wiki content, even though they have opted out of those notifications, as long as they are opted in to the corresponding alerts. The issue affected 4.1.0 Alpha 2 and higher, on XenForo 2.1 and higher.

Release Notes

Sites running 4.1.x Betas should upgrade to VaultWiki 4.1.0 Beta 2 as soon as they are able in order to improve stability. VaultWiki 4.1.0 Beta 2 is beta software. We recommend that beta software only be used in a test environment.

VaultWiki 4.0.27 is now available to customers with an active license. This is a maintenance release, containing about 5 bug fixes and style tweaks.

For a list of changes in this release, please see Changelog for 4.0.27. If you are a style or language pack maintainer, please check here for changes which may affect you.

Release Notes

The current release is 4.0.27, which should be usable on vBulletin-based and XenForo-based production sites.

As of July 12, the security patches for July 2019 are now available.

Issue List

VWE-2019-5275 is a Permissions Escalation issue, by which using template parameters in alternate parser types, such as plain-text, makes it possible to render content using settings from the wrong area. The issue affects VaultWiki 4.0.7 and higher, as well as patches for VWE-2015-1601. It only affects XenForo-based platforms.

Patches

As of July 12, 2019, the following patched address the aforementioned issue:

• 4.0.26 Patch Level 2
• 4.0.25 Patch Level 4
• 4.0.24 Patch Level 6

4.1.x Issues

Since beta versions are not subject to the same patching policy as stable versions, the following issues will be patched in the next release of the 4.1.x branch, 4.1.0 Beta 2, in addition to any relevant issues listed above.

VWE-2019-5280 is a Subscription Management issue, where users may receive push notifications about wiki content, even though they have opted out of those notifications, as long as they are opted in to the corresponding alerts. The issue affects 4.1.0 Alpha 2 and higher, on XenForo 2.1 or higher.

Notes

We recommend that all users running VaultWiki in a XenForo-based production environment updated to a patched release.

As of June 7, the security patches for June 2019 are now available.

Issue List

VWE-2019-5193 is an HTML/Javascript injection issue, where by leveraging XHR requests, users may be able to embed new HTML in the requested page or save content that is rendered as HTML, without appropriate permission. It affects 4.0.0 Gamma 6 and higher.

VWE-2019-5261 is a Subscription Management issue, where imported subscriptions don't flag the correct user as having active subscriptions. While subscriptions are disabled globally, those users could be unable to manage their imported subscriptions if they don't have non-imported subscriptions too. It affects 4.0.0 Gamma 7 and higher.

Patches

As of June 7, 2019, the following patches address the aforementioned issues:

• 4.0.26 Patch Level 1
• 4.0.25 Patch Level 3
• 4.0.24 Patch Level 5
• 4.0.23 Patch Level 7*

* A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.

4.1.x Issues

Since beta versions are not subject to the same patching policy as stable versions, the following issues are patched in a new build of the current 4.1.x branch version, 4.1.0 Beta 1, in addition to any relevant issues listed above.

VWE-2019-5241 is a Permissions Escalation issue, where users can view the output of certain sidebar-type WIDGET BB-Codes without permission, as long as they have permission to view output of a specific other sidebar-type widget, which varies from case to case. The issue affects XenForo 2.x only.

VWE-2019-5244 is a Denial of Service issue, where by exploiting a bug while renaming content, malicious users can disappear pages completely. The issue affects XenForo 2.x only.

VWE-2019-5266 is a Permissions Escalation issue, by which a user can use specially crafted BB-Codes and template parameters to circumvent area parser settings. The issue affects XenForo 2.x only.

VWE-2019-5268 is a Subscription Management issue, where user requests to mass disable all email notifications for wiki subscriptions or to empty entire wiki subscription folders will not completely successfully.

Notes

We recommend that all users running VaultWiki in a production environment update to a patched release.

As the number of critical issues begins to dwindle, VaultWiki 4.1.x's alpha phase comes to a close. VaultWiki 4.1.0 Beta 1 is now available. This release expands XenForo 2.1 support with bookmarking and contains about 60 fixes and tweaks.

For a list of changes in this release, please see Changelog for 4.1.0 Beta 1. If you are a style or language pack maintainer, please check here for changes which may affect you.

Resolved Security Issues

Since alpha and beta versions are not subject to the same patching policy as stable versions, the following issues are patched in this release of the 4.1.x branch version, 4.1.0 Beta 1, in addition to any relevant issues that were already patched on the stable branch.

VWE-2019-5150 is a Permissions Escalation, where users can post new wiki content regardless of permissions, as long as the user can create normal wiki pages and he knows the proper editor URL for the desired content-type.

VWE-2019-5151 is a Subscription Management issue, where the page that lists all of a user's subscriptions and the page containing the user's wiki subscription preferences do not successfully render. The issue affects vBulletin only.

VWE-2019-5157 is a Permissions Escalation issue, where users can view the index's feed list even if they are not permitted to view the index.

VWE-2019-5159 is a Permissions Escalation issue, where users can view index-scoped widgets via the sidebar-type WIDGET BB-Code, as long as they have global permissions to view the same widget.

VWE-2019-5160 is a Permissions Escalation issue, where users can create, open, or close discussion topics on the index, as long as they have global permissions to perform the action.

VWE-2019-5161 is a Permissions Escalation issue, where users can view moderated attachments on index comments, as long as they have global permissions to view moderated attachments. The issue affects vBulletin 4.x only.

VWE-2019-5162 is a Permissions Escalation issue, where users can view a poster's IP address for discussions, comments, edits, and last-updates related to the index, as long as they have global permissions to view IP addresses.

VWE-2019-5163 is a Permissions Escalation issue, where users can view moderated discussions, comments, and edits related to the index, as long as they have global permissions to view the same.

Release Notes

Sites running 4.1.x Alphas should upgrade to VaultWiki 4.1.0 Beta 1 as soon as they are able in order to improve stability. VaulWiki 4.1.0 Beta 1 is beta software. We recommend that beta software only be used in a test environment.

As of today, May 2, the security patches for May 2019 are now available.

Issue List

VWE-2018-4972, which was a Permissions Escalation previously patched for vBulletin 3.x, where a user was able to use smilies in wiki content without permission, was discovered to additionally affect vBulletin versions 4.0.0 Alpha 1 - 4.0.12.

VWE-2019-5171 is an Information Disclosure, by which internal requests to a third-party server, such as for image proxy, may reveal the VaultWiki version number to the foreign server.

VWE-2019-5172 is an Information Disclosure, by which the VaultWiki version number is revealed in CSS output.

VWE-2019-5181 is a Permissions Escalation issue, where a user can view the current edit of a page even though the user does not have permission to view the page.

VWE-2019-5188 is a Permissions Escalation issue, where a user can view template output even though the user doesn't have permission to view the template.

VWE-2019-5189 is a Permissions Escalation issue, where a user can inject any page as though it were a template.

Patches

As of May 2, 2019, the following patches address the aforementioned issues:

• 4.0.25 Patch Level 2
• 4.0.24 Patch Level 4
• 4.0.23 Patch Level 6
• 4.0.22 Patch Level 8*

* A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.

We recommend that all users running VaultWiki in a production environment update to a patched release.