VWE-2017-3979
Return to current revision
Differences in Content
-
[template]Vulnerability
| cve=
| aka=
| severity=High
| difficulty=Easy
| description=Decompression Bomb. Does not affect VaultWiki Lite.
| discover-date=Related issue: April 28, 2017
Proof of concept: August 9, 2017
| patch-date=
| patches=
| workaround=Patches are not ready yet.
-
-
Perform the following: -
+
For versions 4.0.14 and later, perform the following: -
[list=1][*]Set Options > VaultWiki: Content Types > Maximum Disk Usage for All Attachments (MB) = 0. This will reject all new uploads.
[*]Set Options > VaultWiki: Miscellaneous > Maximum Disk Usage for All Proxy Images (MB) = 0. This will disable the external image proxy.[/list] -
-
After applying a patch, restore these settings to reactivate uploads and proxying.[/template] -
+
After applying a patch, restore these settings to reactivate uploads and proxying.
There is no workaround for versions 4.0.13 and earlier. They are no longer supported; update to a more recent version and perform the steps above.[/template]