Welcome to VaultWiki.org, home of the wiki add-on for vBulletin and XenForo!

      VaultWiki allows your existing forum users to collaborate on creating and managing a site's content pages. VaultWiki is a fully-featured and fully-supported wiki solution for vBulletin and XenForo.

      The VaultWiki Team encourages you to join our community of forum administrators and check out VaultWiki for yourself.


      VaultWiki Security Update: December 2017 

by pegasus, published on December 2, 2017 11:39 AM

      As of December 1, 2017, the regularly scheduled security patches for December are now available.

      Issue List

      VWE-2017-4265 is a Permissions escalation issue, in which users can replace an expired proxy image with a different image by editing different content than the content that contains the proxy image. This issue affects VaultWiki 4.0.1 and higher, except Lite versions.

      VWE-2017-4266 is a Denial of Service issue, in which a malicious user can balloon the size of the CSS cache at will. This issue affects VaultWiki 4.0.0 Gamma 7 and higher.
      • We detected a similar issue in XenForo 1.x and 2.x and reported the issue to XenForo's developers. The corresponding issue is fixed in XenForo 1.5.16 and 2.0.0, respectively.


      VWE-2017-4267 is an Accidental Permissions escalation issue, in which an administrator might be misled by incorrect values in the "Not Set" column while customizing usergroup permissions for a specific area. This issue affects VaultWiki 4.0.12 and higher on XenForo only, but it does not affect VaultWiki Lite.

      VWE-2017-4275 is a Legal issue, in which IPTC segments of some PNG files might not be successfully parsed but the PNG file is accepted anyway. Some countries require web sites to preserve IPTC metadata. This issue affects recent patches of VaultWiki 4.x which added support for IPTC metadata, but it does not affect VaultWiki Lite.

      VWE-2017-4282 is an Information Disclosure issue, in which attackers may be notified that they have filled available attachment space rather than receiving a generic error. Information Disclosures are treated as security issues starting with VaultWiki 4.0.19; this issue appears in 4.0.19 and higher. This issue does not affect Lite versions.

      VWE-2017-4287 is a Denial of Service issue, in which users with certain permissions may be able to replace certain forum nodes with fatal errors, due to a flaw in the integration system. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

      Patches

      The following patches, issued December 1, 2017, address the aforementioned issues:
      • 4.0.20 Patch Level 1
      • 4.0.19 Patch Level 4
      • 4.0.18 Patch Level 5
      • 4.0.17 Patch Level 7
      • 4.0.16 Patch Level 8
      • 4.0.15 Patch Level 12*

      * A patch was issued for 4.0.15 even though it reached its end-of-life in November, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend users upgrade to a more recent patched version.

      We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release.

      Addendum: vBulletin Security Issues

      The following issues exist in vBulletin itself, reported by us to vBulletin support over 60 days ago. Since vBulletin has not patched or disclosed the issues since that time, we now do so here:
      1. An image decompression bomb vulnerability exists when vBulletin Options > Message Attachment Options > Resize Images = Yes. Disable it to protect your site.
      2. An image decompression bomb vulnerability exists when allowing user uploads for avatars and profile pictures. To protect your site, change your forum's permissions so that users cannot upload custom avatars or profile pics.
      3. An image decompression bomb vulnerability exists when using ImageMagick for images and allowing uploads. Currently known issues are for PDFs and TIFFs; however, because the filename of the incoming upload is not trustworthy, removing entries from the Attachment Manager or changing Attachment Permissions are not viable options. The following mitigation options exist:
        • Change vBulletin Options > Image Settings > Image Processing Library = GD, OR
        • Change your forum's permissions so that no users can upload anything.

      VaultWiki 4.0.20 

by pegasus, published on October 17, 2017 12:02 PM

      As of October 17, 2017, VaultWiki 4.0.20 is available for download. The release includes a handful of new features, over 50 bug fixes, and other changes and tweaks. See the changelog for a complete list.

      Protection Changes for Books, Categories, and Other Containers

      In previous releases, the ability to add and remove other pages as children of a book, category, or other container was limited based on the protection applied to the container itself. However, in some cases, it was desirable to protect a book against edits, but still let users add new chapters under it.

      VaultWiki 4.0.20 adds a new toggle which allows for this distinction when protecting container-type nodes. You can now protect against edits, while still allowing new chapters; you can protect against new chapters, while still allowing new edits; or you can protect against both, per the previous behavior.

      Release Notes

The current release is VaultWiki 4.0.20, which should be usable on vBulletin-based and XenForo-based production sites.

      VaultWiki Security Update: October 2017 

by pegasus, published on October 17, 2017 11:40 AM

      As of October 15, the regularly scheduled security patches for October are now available.

      Issue List

      VWE-2017-4131 is a Denial of Service amplification issue which might be triggered in the processing of some JPEG files. The issue affects the September 2017 patches.

      VWE-2017-4138 is a CAN-SPAM Compliance issue, involving a potential conflict with third-party XenForo add-ons, in which add-ons that provide email templates without defining plain-text variants might be sent with blank body contents. The issue affects the September 2017 patches; however, add-ons that were affected by this issue should still be updated to include plain-text variants in order to ensure maximum compatibility with clients.

      VWE-2017-4152 is a CAN-SPAM Compliance issue, in which the unsubscribe links in some wiki email notifications are not routed correctly. The issue affects some emails sent by VaultWiki 4.0.16 and higher.

      VWE-2017-4153 is a CAN-SPAM Compliance issue, in which subscriptions with corrupt compliance information may generate emails anyway. The issue affects corrupt data in all versions of the VaultWiki 4.x series.

      Patches

      The following patches, issued October 15, 2017, address the aforementioned issues:
      • 4.0.19 Patch Level 3
      • 4.0.18 Patch Level 4
      • 4.0.17 Patch Level 6
      • 4.0.16 Patch Level 7
      • 4.0.15 Patch Level 11


      We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release.

      VaultWiki Security Update: September 2017 (Part 2) 

by pegasus, published on September 24, 2017 1:41 PM

      As of September 24, 2017, the September security patches, which were previously delayed, are now up-to-date. We had previously released patches for a number of issues while noting other issues that remained unpatched. The newest patches, issued today, correct the remaining issues, as well as some additional issues.

      Issue List

      VWE-2017-4004 is a minor Permissions Escalation issue (previously disclosed), in which a user may be able to upload an image with a single dimension exceeding their permissions, so long as the total area of the image can be arranged to fit within the permitted amount. This issue affects all versions of VaultWiki 4.x, except Lite versions.

VWE-2017-4012 is a CAN-SPAM Compliance issue, in which automatic notifications sent by an importer might be sent with compliance information not filled in. The issue affects a number of patches since VaultWiki 4.0.10, as well as VaultWiki 4.0.18 and newer, except Lite versions, and only on XenForo.

VWE-2017-4030 is a Legal issue (previously disclosed), in which uploaded image attachments may have their metadata unintentionally stripped. Many software applications and web sites perform metadata removal by default, but recent court cases have provided precedent that this behavior is illegal in several countries, such as Germany and Australia, as it violates the copyright protections of the original owners of the images. Patches actively attempt to preserve several types of metadata that tend to get lost during image processing, although the focus is on preserving fields that usually contain copyright and ownership-related data. This issue affects all versions of VaultWiki 4.x, except Lite versions. Because of the ongoing legal dubiousness of other attachment systems, we highly recommend using VaultWiki's attachment system over any built-in or add-on attachment systems in your forums, even for non-wiki usage, until such time as they provide patches for this issue.

      VWE-2017-4031 is a Permissions Escalation issue, in which pages that have multiple internal types may have Yes-permissions of their lower-importance type overriding the No-permissions of the higher-importance type. This issue affects all versions of VaultWiki 4.x.

      VWE-2017-4032 is a Permissions Escalation issue, in which users may be able to upload images that exceed maximum allowed dimensions and/or file size if admin has chosen to store the binary data of uploaded attachments in the database. This issue affects all versions of VaultWiki 4.x, except Lite versions, but only on vBulletin.

      VWE-2017-4033 is a Data Loss issue, in which an admin might accidentally remove high-level nodes, and thus contents of those nodes, using the Mass Management Tools delete capability. Patches resolve this issue by removing the ability to delete these types of nodes using this tool. The issue affects VaultWiki 4.0.18 and newer.

      VWE-2017-4073 is a Denial of Service issue, in which a crafted response by an external server may be able to consume more memory than is usually allocated to the image proxy. This issue affects VaultWiki 4.0.1 and newer, except Lite versions.
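The defensive pattern behind an issue like VWE-2017-4073 is that an image proxy must never size its buffer by what the remote server claims. The following is an added example, not VaultWiki's own proxy code: it reads an upstream body in fixed chunks against a running byte budget, treats Content-Length only as an early-reject hint, and stops as soon as the budget would be exceeded. The `EndlessUpstream` class is a constructed stand-in for a misbehaving server used only to exercise the check offline.

```python
import io
from typing import BinaryIO, Optional, Tuple


class ResponseTooLarge(Exception):
    """The upstream response would exceed the proxy's byte budget."""


def read_bounded(stream: BinaryIO, max_bytes: int,
                 declared_length: Optional[int] = None,
                 chunk_size: int = 8192) -> bytes:
    """Read at most max_bytes from an upstream response body.

    declared_length (Content-Length) is only a hint: an honest oversize value
    is rejected before any byte is read, while a missing or false value is
    caught by the running total, so memory stays bounded by max_bytes.
    """
    if declared_length is not None and declared_length > max_bytes:
        raise ResponseTooLarge("declared %d bytes, budget %d"
                               % (declared_length, max_bytes))
    buf = bytearray()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:                       # clean end of body
            return bytes(buf)
        if len(buf) + len(chunk) > max_bytes:
            raise ResponseTooLarge("body exceeded budget of %d bytes" % max_bytes)
        buf.extend(chunk)


def proxy_fetch(stream: BinaryIO, max_bytes: int,
                declared_length: Optional[int] = None) -> Tuple[str, int]:
    """Outcome as ('ok', body_size) or ('rejected', 0)."""
    try:
        body = read_bounded(stream, max_bytes, declared_length)
        return "ok", len(body)
    except ResponseTooLarge:
        return "rejected", 0


class EndlessUpstream:
    """Constructed stand-in for a server that keeps sending bytes forever,
    e.g. one whose Content-Length is absent or false."""

    def read(self, size: int = -1) -> bytes:
        return b"\x00" * (size if size > 0 else 8192)


if __name__ == "__main__":
    # Constructed responses: a normal one, one with a lying header, one endless.
    print(proxy_fetch(io.BytesIO(b"x" * 300), max_bytes=1000))
    print(proxy_fetch(io.BytesIO(b"x" * 300), max_bytes=1000, declared_length=5000))
    print(proxy_fetch(EndlessUpstream(), max_bytes=65536))
```

The budget should match whatever the proxy is allowed to hold for one image; the important property is that the loop never buffers more than that, whatever the remote server sends.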

      VWE-2017-4075 is a Permissions Escalation issue, in which a malicious user might use a specially crafted image file in order to view thumbnails of any image hosted on the server. The issue affects all versions of VaultWiki 4.x, except Lite versions.

      Patches

      The following patches, issued September 24, 2017, address the aforementioned issues:
      • 4.0.19 Patch Level 2
      • 4.0.18 Patch Level 3
      • 4.0.17 Patch Level 5
      • 4.0.16 Patch Level 6
      • 4.0.15 Patch Level 10


      We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as they are able.

      VaultWiki Security Notice: September 2017 (Part 2) 

by pegasus, published on September 17, 2017 6:43 PM

      UPDATE (9/24): The issues listed below now have patches: https://www.vaultwiki.org/articles/218/

      As of September 17, 2017, the following issue, which is unresolved at this time, is due for disclosure:

VWE-2017-4030 is a Legal issue, in which uploaded image attachments may have their metadata unintentionally stripped. Many software applications and web sites perform metadata removal by default, but recent court cases have provided precedent that this behavior is illegal in several countries, such as Germany or Australia, as it violates the copyright protections of the original owners of the images. We are currently working on patches for this issue, which will attempt to preserve several types of metadata that tend to get lost during image processing:
      • EXIF (in JPG and PNG)
      • FlashPix (in JPG)
      • IPTC (in JPG and PNG)
      • XMP (in JPG, PNG, and GIF)
      • PNG textual information
      • GIF comments and watermarks
      • JPEG APP12 segments and comments


      Files that are not treated as images by VaultWiki are not victim to accidental loss of metadata. A temporary workaround for this issue is to go to Content > Attachments, and modify each file type so that none are treated as images.

      We apologize for the inconvenience that this delay will cause. However, we urge customers to follow the workaround steps outlined above to ensure their sites are on secure legal footing in the interim.

      We do not recommend using any upload functions on your site for which accidental removal of metadata may occur, unless you make it clear on the upload page that you do not want any files that have embedded metadata containing copyright, ownership, or credit-related information, and unless you have some policy in place to enforce this rule. This includes avatars, forum attachments, and other types of uploads that do not actively preserve metadata.

      VaultWiki Security Update: September 2017 

by pegasus, published on September 13, 2017 12:03 PM

      As of September 13, 2017, the delayed, but otherwise regularly scheduled, security patches for September are now available.

      Issue List

      VWE-2017-3978 is a Remote Code Execution issue (previously disclosed) that requires a compromised DNS or a compromised remote server that VaultWiki is using as an import source. The issue affects VaultWiki 4.0.0 Beta 6 - 4.0.17, except lite versions. Versions 4.0.0 Beta 5 and earlier, as well as versions 4.0.18 and later, are not affected by this issue.

      VWE-2017-3979 is a Decompression Bomb issue (previously disclosed), which can be exploited to create a Denial of Service condition. The issue affects all versions of VaultWiki 4.x, except lite versions.

      VWE-2017-3981 is a Permissions Escalation issue, where it is possible to craft image proxy URLs manually without permission to use functions which generate proxy URLs normally, if the wiki was not installed properly. The issue affects VaultWiki 4.0.1 and later, except lite versions.

      VWE-2017-3992 is a Permissions Escalation issue, in which the previously uploaded images are still treated as images even though their dimensions exceed the permitted amounts, if that file-type is newly given image functionality or has its permitted dimensions changed. The issue affects all versions of VaultWiki 4.x, except lite versions.

      VWE-2017-3999 is a Data Loss issue in the Admin Panel's Mass Management Tools, in which content that does not meet the search criteria may be accidentally altered or removed if the prepared results are not carefully reviewed. The issue affects VaultWiki 4.0.18 and later.

      Patches

      The following patches, issued September 13, 2017, address the aforementioned issues:
      • 4.0.19 Patch Level 1
      • 4.0.18 Patch Level 2
      • 4.0.17 Patch Level 4
      • 4.0.16 Patch Level 5
      • 4.0.15 Patch Level 9
      • 4.0.14 Patch Level 12


      We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release.

      Notes

      The previously disclosed minor issue VWE-2017-4004 is not addressed by this release, but will be covered in the future. If you desire protection against that issue immediately, please follow the workaround instructions in the disclosure: https://www.vaultwiki.org/articles/2...04-update-9-12

      VaultWiki Security Notice: September 2017 

by pegasus, published on September 9, 2017 10:40 AM

      Unfortunately, as of September 9, 2017, the September 2017 security patches for currently supported versions of VaultWiki 4.x are delayed, due to the complexity of issues to be addressed. We expect the patches to be completed this weekend or early this week; however, the following issues which are addressed as part of the patch are already due for disclosure. Please take the outlined steps to secure your installations ahead of the patch releases.

      UPDATE 9/13: Patches for a number of the issues below are now available: https://www.vaultwiki.org/articles/216/
      UPDATE 9/24: Patches for VWE-2017-4004 are now available: https://www.vaultwiki.org/articles/218/

      Partial Issue List

      VWE-2017-3978

      VWE-2017-3978 is a Remote Code Execution issue that requires a compromised DNS or a compromised remote server that VaultWiki is using as an import source. The issue affects VaultWiki 4.0.0 Beta 6 - 4.0.17, except lite versions. Versions 4.0.0 Beta 5 and earlier, as well as versions 4.0.18 and later, are not affected by this issue.

      Workaround: Do not use the importer's $api_path configuration directive while running a vulnerable release.

      VWE-2017-3979

      VWE-2017-3979 is a Decompression Bomb issue, which can be exploited to create a Denial of Service condition. The issue affects all versions of VaultWiki 4.x, except lite versions.

      The workaround involves temporarily disabling affected functions. For versions 4.0.14 and later, perform the following:
      1. Set Options > VaultWiki: Content Types > Maximum Disk Usage for All Attachments (MB) = 0. This will reject all new uploads.
      2. Set Options > VaultWiki: Miscellaneous > Maximum Disk Usage for All Proxy Images (MB) = 0. This will disable the external image proxy.

      After a patch is available and applied, restore these settings to reactivate uploads and proxying.

      There is no viable workaround for versions 4.0.13 and earlier. They are no longer supported; update to a more recent version and perform the steps above.

      VWE-2017-4004 (update: 9/12)

      VWE-2017-4004 is a minor Permissions Escalation issue in which a user may be able to upload an image with a single dimension exceeding their permissions, so long as the total area of the image fits within the permitted amount. This issue affects all versions of VaultWiki 4.x, except lite versions.

      Most web software suffers from this issue and it is not generally considered a security issue. For example, the same is possible in standard XenForo or vBulletin; thus, it was also possible in VaultWiki 3.x versions.

If this issue concerns you, you can work around the issue before a patch is available: go to Content > Attachments, and modify each image type so that the maximum allowed width and maximum allowed height are the same amount.
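Three of the issues on this page come down to what an upload handler reads from an image header before doing anything expensive: the decompression bomb (VWE-2017-3979) is a small file whose declared dimensions imply a huge decode; VWE-2017-4004 is a check that compares only the product of width and height instead of each dimension; and VWE-2017-4030 is about textual and EXIF chunks that must survive processing. The following is an added example and not VaultWiki's code. It walks a PNG's chunk list without decoding pixels, enforces per-dimension limits plus a pixel budget from the IHDR chunk, and reports which metadata chunks a processed copy has lost. The limit values and the `make_sample_png` builder are constructed for the demonstration; the builder writes a placeholder IDAT because nothing here decodes it.

```python
import struct
import zlib
from typing import Iterator, List, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types carrying metadata worth preserving: the textual chunks (where
# XMP and free-form text usually live) and eXIf from the PNG extensions.
METADATA_CHUNK_TYPES = {b"tEXt", b"zTXt", b"iTXt", b"eXIf"}


def iter_png_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Walk the chunk list of a PNG without decoding pixel data."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):           # chunk claims bytes that are not there
            raise ValueError("truncated chunk %r" % ctype)
        yield ctype, data[body_start:body_end]
        pos = body_end + 4                      # skip the 4-byte CRC
        if ctype == b"IEND":
            return
    raise ValueError("IEND chunk missing")


def png_dimensions(data: bytes) -> Tuple[int, int]:
    """Declared width/height from IHDR, which the spec requires first."""
    ctype, body = next(iter_png_chunks(data))
    if ctype != b"IHDR" or len(body) < 8:
        raise ValueError("IHDR must be the first chunk")
    width, height = struct.unpack(">II", body[:8])
    return width, height


def check_upload(data: bytes, max_width: int, max_height: int,
                 max_pixels: int) -> List[str]:
    """Problems found from the declared size alone, before any decoder
    allocates a pixel buffer. Each dimension is checked on its own (not only
    the product), and the pixel budget bounds decode memory regardless of
    how small the file on disk is."""
    width, height = png_dimensions(data)
    problems = []
    if width > max_width:
        problems.append("width %d exceeds %d" % (width, max_width))
    if height > max_height:
        problems.append("height %d exceeds %d" % (height, max_height))
    if width * height > max_pixels:
        problems.append("pixel count %d exceeds budget %d" % (width * height, max_pixels))
    return problems


def metadata_chunks(data: bytes) -> List[str]:
    """Names of metadata chunks present, in file order."""
    return [ctype.decode("ascii") for ctype, _ in iter_png_chunks(data)
            if ctype in METADATA_CHUNK_TYPES]


def lost_metadata(original: bytes, processed: bytes) -> List[str]:
    """Metadata chunk types present before processing but missing afterwards;
    a non-empty result means the pipeline stripped something it should keep."""
    return sorted(set(metadata_chunks(original)) - set(metadata_chunks(processed)))


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_png(width: int, height: int, copyright_text: bytes = b"") -> bytes:
    """Constructed test input declaring the given size. The IDAT is a
    placeholder since the checks above never decode pixels; a 20000x20000
    declaration costs only a few dozen bytes, which is why the declared size
    rather than the file size must be policed."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)   # 8-bit RGB
    chunks = [_chunk(b"IHDR", ihdr)]
    if copyright_text:
        chunks.append(_chunk(b"tEXt", b"Copyright\x00" + copyright_text))
    chunks.append(_chunk(b"IDAT", zlib.compress(b"\x00")))
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


if __name__ == "__main__":
    limits = dict(max_width=2000, max_height=2000, max_pixels=4_000_000)
    ok = make_sample_png(640, 480, b"(c) constructed example")
    wide = make_sample_png(4000, 1000)       # area fits the limit, width does not
    bomb = make_sample_png(20000, 20000)     # tiny file, enormous decode
    for name, sample in (("ok", ok), ("wide", wide), ("bomb", bomb)):
        print(name, len(sample), "bytes:", check_upload(sample, **limits))
    print("lost after processing:", lost_metadata(ok, make_sample_png(640, 480)))
```

A JPEG needs the equivalent read of its SOF segment, but the policy is the same: reject on declared dimensions and a pixel budget before decoding, check width and height separately, and compare the metadata chunk list before and after any resize or re-encode step.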

      Notes

      Depending on the length of the delay, we may update this notice with information on additional issues. Please keep an eye on this page for updates. When patches are available, we will post a new notice and link from here.

      We apologize for the inconvenience that this delay will cause. However, we urge customers to follow the workaround steps outlined above to ensure their sites are secure in the interim.
    All times are GMT -4. The time now is 7:06 AM.
    Powered by vBulletin® Version 4.2.5 Beta 2
    Copyright © 2025 vBulletin Solutions Inc. All rights reserved.
    Search Engine Optimisation provided by DragonByte SEO (Pro) - vBulletin Mods & Addons Copyright © 2025 DragonByte Technologies Ltd.
    Copyright © 2008 - 2024 VaultWiki Team, Cracked Egg Studios, LLC.