VaultWiki News

On March 20, 2020, we put forth another stable proposal for VaultWiki 4.1.x with Release Candidate 2. This release adds custom fields, a number of minor improvements, and about 50 bug fixes and style tweaks.

Custom Fields (XenForo 2.1 only)

RC 2 adds the ability to create custom form fields for wiki content, which can be defined in the admin panel, and configured to appear in a variety of locations, such as above the content, in a sidebar widget, or on a new tab.

When users edit wiki content, they can enter values for these fields, and the changes will be tracked in the page's history. Missing field values can be inherited from templates.

A more indepth discussion of custom fields can be found here.

Ratings

RC 2 reintroduces a feature that was once in the 3.x series, but has been missing ever since: the ability for users to rate wiki content from 1-5 stars. Ratings for pages are weighted; a rating for the current edit is considered more valuable than a rating made 5 edits ago. In this way, eventually ratings fade away, so users should be encouraged to rate and re-rate content frequently.

Ratings can be activated separately for each area, and the user must have permission to rate a given content-type.

Release Notes

VaultWiki 4.1.0 RC 2 is proposed as stable. We recommend that customers test it first, but it should be usable in a live environment if the custom deems those tests successful.

As of March 6, security patches for March 2020 are now available.

Issue List

VWE-2020-5603 is a Permissions escalation issue, where by leveraging nested templates, a user can alter the permissions of a containing template to that of a contained template. The issue affects 4.0.0 RC and higher, on vBulletin-based platforms only.

VWE-2020-5604 is a Denial of service issue, where by leveraging specially-crafted templates, a user can bypass template usage limits and create a situation where a page cannot finish parsing before server processes time out. The issue affects all versions of VaultWiki 2.x, 3.x, and 4.x series.

VWE-2020-5622 is a Permissions escalation issue, where moderators are able to action reports for index-related content they can't manage, as long as they have global management permissions. The issue affects VaultWiki 4.1.0 Alpha 1 and higher.

VWE-2020-5623 is a Permissions escalation issue, where content lists might contain content from areas that the user does not have permission to view. The issue affected VaultWiki 4.1.0 RC 1 build 001 only.

VWE-2020-5631 is a Permissions escalation issue, where users can create feeds in areas that can't contain feeds. The issue affects VaultWiki 4.0.0 and higher.

VWE-2020-5636 is a Permissions escalation issue, where users can create content they don't have permission to create, as long as they attempt to create it as part of the same request that allowed them to create different content. The issue affects VaultWiki 4.0.0 Alpha 1 and higher.

Patches

The following patches address the aforementioned issues:

• 4.1.0 RC 1 Patch Level 1
• 4.0.28 Patch Level 1
• 4.0.27 Patch Level 4
• 4.0.26 Patch Level 6

Notes

We recommend that all users running VaultWiki in a production environment update to a patched release.

We are pleased to offer a stable proposal for VaultWiki 4.1.x with Release Candidate 1, which is now available for testing. This is the first release to include compatibility with the newest PHP 7.4. In ensuring that compatibility and preparing for stable proposal, we performed a deep scrub of the code in almost all 5000+ files to get it as clean as possible. As a result, this release includes over 170 bug fixes, in addition to the normal amount of style tweaks, and other changes.

Where to Focus

While RC 1 includes mostly bug fixes, some of those fixes involved some late changes that were rather significant. For example, we fixed a long-standing regression that appeared in 4.0.x, where adding pages to categories by embedding them in templates was no longer possible. In addition, we changed some of the underlying database structure for wiki discussions and comments.

Therefore it would be ideal that this round of testing focuses on categories (especially templated ones) and ensures that discussions still work as expected.

Resolved Security Issues

Since beta versions are not subject to the same patching policy as stable versions, the following issues are patched in this release of the 4.1.x branch, 4.1.0 RC 1:

• Issues covered in the January 2020 security update
• VWE-2020-5468, which is a Permissions escalation issue, under which comments on the index don't respect the index's parsing rules set forth in the Area Manager.

Release Notes

Sites running 4.1.x betas should upgrade to VaultWiki 4.1.0 RC 1 as soon as they are able in order to improve stability. VaultWiki 4.1.0 RC 1 is proposed as stable. We recommend that customers test it first, but it should be usable in a live environment if the customer deems those tests successful.

4.0.x Update

At the same time, the latest update in the 4.0.x branch, 4.0.28 is now available, which likewise adds support for PHP 7.4. Since 4.1.x is proposed as stable, this will be one of, if not the last, main update in the 4.0.x branch, aside from security updates. Customers may have already noticed that a number of bugs reported under 4.0.x were fixed in 4.1.x only. If users have not already done so, we recommend to begin making plans to migrate to the newer 4.1.x branch, when you deem it suitable, so you can continue to benefit from the broadest number of fixes and improvements moving forwards.

As of January 29, security patches for January 2020 are now available.

Issue List

VWE-2019-5452 is a Subscription Management issue, where using the admin option to delete all wiki subscriptions for a user may not delete any. The issue affects 4.0.17 and higher, on XenForo 1.x platforms only.

VWE-2019-5453 is a Permissions Escalation issue, where wiki social groups are visible to non-group-members via the WIDGET BB-Code, even though the social group is setup to only permit member viewing. The issue affects 4.0.9 and higher, as well as patches for VWE-2016-2064, on vBulletin platforms only.

VWE-2020-5454 is a Permissions Escalation issue, where meta descriptions and summary snippets of wiki pages may include privileged or user-specific content based on the user who generated the description, rather than the user who is currently viewing it. The issue affects 4.0.0 Alpha 1 and higher.

Patches

The following patches address the aforementioned issues:

• 4.0.27 Patch Level 3
• 4.0.26 Patch Level 5
• 4.0.25 Patch Level 7*

* A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.

4.1.x Issues

Since beta versions are not subject to the same patching policy as stable versions, the following issues will be patched in a future release of the 4.1.x branch, in addition to any relevant issues listed above.

VWE-2019-5463 is a Denial of Service Amplification issue, where content updates that affect a large number of feeds may take an infinite number of deferred requests to apply those updates. Until a patch is available, you may wish to use permissions to prevent non-admin users from adding entries to feeds.

Notes

We recommend that all users running VaultWiki in a production environment update to a patched release.

As of November 15, the security patches for November 2019 are now available.

Issue List

VWE-2019-5425 is a Permissions escalation, where users can view the output of embedded templates that were soft-deleted or rejected, even if they don't have staff permissions, as long as the page where the template was embedded was cached when viewed by another user who had the appropriate permission. The issue affects all versions of the VaultWiki 4.x series.

Patches

The following patches address the aforementioned issues:

• 4.0.27 Patch Level 2
• 4.0.26 Patch Level 4
• 4.0.25 Patch Level 6

4.1.x Issues

Since beta versions are not subject to the same patching policy as stable versions, the issue listed above is patched in a new build in the 4.1.x branch, 4.1.0 Beta 4 build 005. In addition, the following issue is known to have affected a prior build. To stay protected, please make sure you are running the latest build of the beta.

VWE-2019-5416 is a Permissions escalation, where wiki page contents are rendered using the viewing user's parser-related permissions for wiki comments that they post, rather than the appropriate parser-related area settings for wiki pages. The issue affects early downloads of 4.1.0 Beta 4 build 001 only, and only on vBulletin 4.x platforms. Users already running a later build or using VaultWiki on a different platform are not affected by this issue.

Notes

We recommend that all users running VaultWiki in a production environment update to a patched release as soon as they are able.

VaultWiki 4.1.0 Beta 4 is now available for download. This is primarily a maintenance release, containing at least 60 fixes and tweaks.

For a list of changes in this release, please see Changelog for 4.1.0 Beta 4. If you are a style or language pack maintainer, please check here for changes which may affect you.

State of the Beta

As some people may be aware, we originally intended to only have 3 beta releases for 4.1.x; however, due to last month's down time, we released an unpolished and unannounced Beta 3 beforehand in order to tide folks over.

But as the number of unresolved issues in the bug tracker approaches that of typical stable releases, and with only 1 more planned feature to roll out in 4.1.x, we fully expect that the next release will be proposed as stable -- that is, a Release Candidate.

Release Notes

Sites running 4.1.x Betas should upgrade to VaultWiki 4.1.0 Beta 4 as soon as they are able in order to improve stability. VaultWiki 4.1.0 Beta 4 is beta software. We recommend that beta software only be used in a test environment.