VaultWiki News

As of March 16, 2018, the regularly scheduled security patches for March are now available.

Issue List

VWE-2018-4394 is a Permissions Escalation issue, in which users may be able to create certain wiki page-types without permission, as long as the user has permission to create normal pages. The issue affects all previous versions of the VaultWiki 4.x series, but does not affect Lite versions.

VWE-2018-4471 is a Race Condition issue, in which it is possible to run the same deferred task multiple times, leading to data de-synchronization, superfluous emails to users, and/or other problems which may occur in third-party tasks. The issue affects VaultWiki 4.0.0 Beta 6 and higher.

VWE-2018-4485 is a Permissions Escalation issue, where users may be able to view the titles of content in a Similar Content block, without permission to view that content, by leveraging the WIDGET BB-Code. It occurs in patches for VWE-2017-4318 and later versions, but does not affect the Lite version.

Patches

The following patches, issued March 16, 2018, address the aforementioned issues:

• 4.0.21 Patch Level 1
• 4.0.20 Patch Level 4
• 4.0.19 Patch Level 7
• 4.0.18 Patch Level 8
• 4.0.17 Patch Level 10*

*A patch was issued for 4.0.17 even though it reached its end of life earlier this March, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend that users upgrade to a more recent patched version.

We highly recommend that all users running VaultWiki in a production environment update to a patched release.

As of February 14, 2018, we were pleased to release VaultWiki 4.0.21, now available for our licensed customers to download. This is primarily a maintenance release, containing over 80 bug fixes, style tweaks, and other minor improvements.

For a list of changes in this release, please see the Changelog for 4.0.21. If you are a style or language pack maintainer, please check here for changes which may affect you.

Release Notes

The current release is VaultWiki 4.0.21, which should be usable on vBulletin-based and XenForo-based production sites.

As of February 9, 2018, the regularly scheduled security patches for February are now available.

Issue List

VWE-2018-4336 is a Permissions Escalation issue in environments using a theoretical third-party add-on or custom BB-Code, in which it may be possible to parse unprivileged legacy wiki syntax within a privileged context. In vBulletin, the issue affects all versions of VaultWiki 2.x starting from 2.2.0, and all versions of the 3.x and 4.x series. In XenForo, the issue affects all versions of VaultWiki prior to 4.0.7 that were not already patched for VWE-2015-1601. Lite versions are not affected.

VWE-2018-4337 is a Denial of Service issue, in which an unprivileged user may be able to prevent future edits, comments, and/or other changes to desired wiki pages by abusing the personal feed system. The issue affects VaultWiki 4.0.0 and higher.

VWE-2018-4345 is a Denial of Service issue, in which a limitation added by the patch for VWE-2017-4266 is not enforced. However, due to a bug in the previous patch, denial of service is only possible to achieve via theoretical third-party add-ons which fix the bug.

VWE-2018-4346 is a Denial of Service and Amplification issue, in which the image proxy cache may enter a state where it constantly reprimes, or in which large numbers of cache images may be corrupted. The issue affects VaultWiki 4.0.1 and higher, except Lite versions.

VWE-2018-4347 is a Denial of Service Amplification issue, in which blocking may occur during CSS processing when the patch for VWE-2017-4266 is not applied, or if a theoretical third-party add-on fixes the bug introduced by that patch; in such cases, a well-timed, distributed attack may be able to achieve site-wide denial of service. The issue exists in VaultWiki 4.0.19 and higher.

VWE-2018-4348 is a Permissions Escalation issue, in which a theoretical third-party add-on can be leveraged to indirectly modify different wiki content than the add-on is designed to modify. The issue exists in all versions of the VaultWiki 4.x series.

VWE-2018-4350 is a Permissions Escalation issue, in which a user without permission to remove synonyms from a wiki page may be able to remove those synonyms indirectly by removing a specific, otherwise unrelated, wiki page that the user does have permission to remove. The issue exists in VaultWiki 4.0.16 and higher.

VWE-2018-4352 is a Denial of Service issue, in which an unprivileged user may be able to make certain wiki pages "disappear" via moderated edits, rollbacks, and some other actions. The issue affects all VaultWiki 2.2.3 variants, and all versions of the 4.x series.

VWE-2018-4356 is a Denial of Service issue, in which moderators may be prevented from deleting undesirable wiki content, due to abuse of that content's child content and other relations. The issue affects all versions of VaultWiki 4.x series. Note, however, that default installations of vBulletin and XenForo 1.x without VaultWiki share similar problems, but those developers do not address it as a security issue.

Patches

The following patches, issued February 8, 2018, address the aforementioned issues:

• 4.0.20 Patch Level 3
• 4.0.19 Patch Level 6
• 4.0.18 Patch Level 7
• 4.0.17 Patch Level 9

We highly recommend that all users running VaultWiki in a production environment update to a patched release.

As of January 10, 2018, the regularly scheduled security patches for January are now available.

Issue List

VWE-2017-4317 is a Permissions escalation issue, in which users may be able to see some thread titles in output from the WIDGET BB-Code, even though the users may otherwise not be allowed to view those same threads. The issue affects VaultWiki 4.0.0 RC 3 and later, except Lite versions, on XenForo-based forums only.

VWE-2017-4318 is a Permissions escalation issue, in which users may be able to see some cache contents of output from the WIDGET BB-Code, even though the users may otherwise not be allowed to view the same contents. The issue affects VaultWiki 4.0.0 RC 3 and later, except Lite versions.

VWE-2017-4319 is a Permissions escalation issue, in which users may be able to see some cache contents of the Similar Content sidebar block, even though the users may otherwise not be allowed to view the same contents. The issue affects all versions of VaultWiki 4.x series, except Lite versions.

VWE-2017-4320 is a Permissions escalation issue, in which users may be able to circumvent certain limitations that are enforced on wiki books. If the escalation is performed enough times on a single book, a Denial of Service condition can be created on pages that reference the book. The issue affects VaultWiki 4.0.4 and later, except Lite versions.

VWE-2017-4325 is a Permissions escalation issue, in which users may be able to see wiki page titles in Find New Wiki Updates, even though the users may otherwise not be allowed to view the same wiki pages. The issue affects VaultWiki 4.0.4 and later, on XenForo-based forums only.

VWE-2017-4326 is a design flaw that could lead to Permissions escalation or Data Loss in third-party add-ons that rely on VaultWiki's vw_Fetch_Controller::get_by_route function. The issue affects VaultWiki 4.0.16 and later.

Patches

The following patches, issued January 10, 2018, address the aforementioned issues:

• 4.0.20 Patch Level 2
• 4.0.19 Patch Level 5
• 4.0.18 Patch Level 6
• 4.0.17 Patch Level 8
• 4.0.16 Patch Level 9*

* A patch was issued for 4.0.16 even though it reached its end of life earlier this January, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend that users upgrade to a more recent patched version.

We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release.

As of December 1, 2017, the regularly scheduled security patches for December are now available.

Issue List

VWE-2017-4265 is a Permissions escalation issue, in which users can replace an expired proxy image with a different image by editing different content than the content that contains the proxy image. This issue affects VaultWiki 4.0.1 and higher, except Lite versions.

VWE-2017-4266 is a Denial of Service issue, in which a malicious user can balloon the size of the CSS cache at will. This issue affects VaultWiki 4.0.0 Gamma 7 and higher.

• We detected a similar issue in XenForo 1.x and 2.x and reported the issue to XenForo's developers. The corresponding issue is fixed in XenForo 1.5.16 and 2.0.0, respectively.

VWE-2017-4267 is an Accidental Permissions escalation issue, in which an administrator might be misled by incorrect values in the "Not Set" column while customizing usergroup permissions for a specific area. This issue affects VaultWiki 4.0.12 and higher on XenForo only, but it does not affect VaultWiki Lite.

VWE-2017-4275 is a Legal issue, in which IPTC segments of some PNG files might not be successfully parsed but the PNG file is accepted anyway. Some countries require web sites to preserve IPTC metadata. This issue affects recent patches of VaultWiki 4.x which added support for IPTC metadata, but it does not affect VaultWiki Lite.

VWE-2017-4282 is an Information Disclosure issue, in which attackers may be notified that they have filled available attachment space rather than receiving a generic error. Information Disclosures are treated as security issues starting with VaultWiki 4.0.19; this issue appears in 4.0.19 and higher. This issue does not affect Lite versions.

VWE-2017-4287 is a Denial of Service issue, in which users with certain permissions may be able to replace certain forum nodes with fatal errors, due to a flaw in the integration system. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

Patches

The following patches, issued December 1, 2017, address the aforementioned issues:

• 4.0.20 Patch Level 1
• 4.0.19 Patch Level 4
• 4.0.18 Patch Level 5
• 4.0.17 Patch Level 7
• 4.0.16 Patch Level 8
• 4.0.15 Patch Level 12*

* A patch was issued for 4.0.15 even though it reached its end-of-life in November, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend users upgrade to a more recent patched version.

We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release.

Addendum: vBulletin Security Issues

The following issues exist in vBulletin itself, reported by us to vBulletin support over 60 days ago. Since vBulletin has not patched or disclosed the issues since that time, we now do so here:

1. An image decompression bomb vulnerability exists when vBulletin Options > Message Attachment Options > Resize Images = Yes. Disable it to protect your site.
2. An image decompression bomb vulnerability exists when allowing user uploads for avatars and profile pictures. To protect your site, change your forum's permissions so that users cannot upload custom avatars or profile pics.
3. An image decompression bomb vulnerability exists when using ImageMagick for images and allowing uploads. Currently known issues are for PDFs and TIFFs; however, because the filename of the incoming upload is not trustworthy, removing entries from the Attachment Manager or changing Attachment Permissions are not viable options. The following mitigation options exist:
   
   • Change vBulletin Options > Image Settings > Image Processing Library = GD, OR
   • Change your forum's permissions so that no users can upload anything.

As of October 17, 2017, VaultWiki 4.0.20 is available for download. The release includes a handful of new features, over 50 bug fixes, and other changes and tweaks. See the changelog for a complete list.

Protection Changes for Books, Categories, and Other Containers

In previous releases, the ability to add and remove other pages as children of a book, category, or other container was limited based on the protection applied to the container itself. However, in some cases, it was desirable to protect a book against edits, but still let users add new chapters under it.

VaultWiki 4.0.20 adds a new toggle which allows for this distinction when protecting container-type nodes. You can now protect against edits, while still allowing new chapters; you can protect against new chapters, while still allowing new edits; or you can protect against both, per the previous behavior.

Release Notes

The current release is VaultWiki 4.0.20, which should be usabled on vBulletin-based and XenForo-based production sites.