The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.
Common Name: PCRE Backtrack Vulnerability
VWE-ID: VWE-2015-1112
Related Report: None
Severity: HIGH
Exploit Difficulty: Difficult
Platform: Affects all platforms supported by the vulnerable versions.
Description: Javascript injection.
Discovered: February 19, 2015
Resolved: April 13, 2015
Patches Available: 4.0.3
Workaround:
- Find your PHP installation's configuration value for pcre.backtrack_limit. This might appear in your php.ini file. If it does not appear in that file, the default value is as follows:
  - For PHP 5.3.8 and higher: the value is 1,000,000
  - For PHP 5.3.7 and lower: the value is 100,000
- Check the following VaultWiki settings:
  - VaultWiki: Content Types > Maximum Characters in Page Content
  - VaultWiki: Content Types > Maximum Characters in Discussion Comments
- Make sure that the value of each setting is lower than your pcre.backtrack_limit. If one of the settings is higher, you should lower it to maintain the security of your installation, or increase pcre.backtrack_limit to a value higher than each setting.
- Check your Special:LongPages page for existing pages that are longer than pcre.backtrack_limit.
  - These pages remain a vector for attack while they are longer than this limit. You must shorten these pages.
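The workaround steps above as an offline audit, added here as an example and not part of VaultWiki or the original advisory: it reads php.ini text, falls back to the version defaults listed above, and flags settings and pages that reach the limit. The function names, the sample php.ini, and all setting values and page lengths are constructed assumptions.

```python
import re

# Defaults from the advisory, used when php.ini does not set the directive.
DEFAULT_NEW = 1_000_000  # PHP 5.3.8 and higher
DEFAULT_OLD = 100_000    # PHP 5.3.7 and lower

def effective_limit(php_ini_text, php_version):
    """Return pcre.backtrack_limit from php.ini text, else the version default."""
    value = None
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.fullmatch(r'pcre\.backtrack_limit\s*=\s*"?(\d+)"?', line)
        if m:
            value = int(m.group(1))  # assumption: a later assignment overrides
    if value is not None:
        return value
    version = tuple(int(p) for p in re.findall(r"\d+", php_version)[:3])
    return DEFAULT_NEW if version >= (5, 3, 8) else DEFAULT_OLD

def audit(limit, settings, page_lengths):
    """List settings not below the limit and pages longer than the limit."""
    findings = []
    for name, max_chars in settings.items():
        if max_chars >= limit:  # each setting must be lower than the limit
            findings.append(f"setting '{name}' = {max_chars}, not below {limit}")
    for title, length in page_lengths.items():
        if length > limit:  # such pages must be shortened
            findings.append(f"page '{title}' is {length} chars, above {limit}")
    return findings

# Constructed sample input: the directive is commented out, so the default applies.
SAMPLE_INI = "[Pcre]\n;pcre.backtrack_limit=100000\n;pcre.recursion_limit=100000\n"
SAMPLE_SETTINGS = {  # values copied by hand from the two VaultWiki settings
    "Maximum Characters in Page Content": 500_000,
    "Maximum Characters in Discussion Comments": 20_000,
}
SAMPLE_PAGES = {  # lengths copied by hand from Special:LongPages
    "Constructed Long Page": 150_000,
    "Constructed Short Page": 4_000,
}

if __name__ == "__main__":
    limit = effective_limit(SAMPLE_INI, "5.3.6")
    print("effective pcre.backtrack_limit:", limit)
    for finding in audit(limit, SAMPLE_SETTINGS, SAMPLE_PAGES):
        print("FINDING:", finding)
```

The value PHP is actually running with can be confirmed with `ini_get('pcre.backtrack_limit')`, which also reflects overrides made outside php.ini.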