<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>Wikka Developer Blog</title>
	
	<link>http://blog.wikkawiki.org</link>
	<description>Fresh news from the Wikka Developer Team</description>
	<lastBuildDate>Thu, 11 Apr 2013 05:27:03 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/WikkaDeveloperBlog" /><feedburner:info uri="wikkadeveloperblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
		<title>WikkaWiki is alive and well!</title>
		<link>http://feedproxy.google.com/~r/WikkaDeveloperBlog/~3/0lzrT_iMDPg/</link>
		<comments>http://blog.wikkawiki.org/2013/04/11/wikkawiki-is-alive-and-well/#comments</comments>
		<pubDate>Thu, 11 Apr 2013 05:27:03 +0000</pubDate>
		<dc:creator>Brian</dc:creator>
				<category><![CDATA[Announcements]]></category>

		<guid isPermaLink="false">http://blog.wikkawiki.org/?p=214</guid>
		<description><![CDATA[I wanted to apologize to those who have discovered several of our sites, including the main site and docs site, have been down the past few days. Our hosting provider of 6+ years unexpectedly and without justification pulled the plug on us, so we are scrambling to migrate everything to a new hosting provider. Please [...]]]></description>
			<content:encoded><![CDATA[<p>I wanted to apologize to those who have discovered several of our sites, including the main site and docs site, have been down the past few days.  Our hosting provider of 6+ years unexpectedly and without justification pulled the plug on us, so we are scrambling to migrate everything to a new hosting provider.  Please be assured WikkaWiki is alive and well, and we have no plans of closing shop.  We appreciate each and every one of you who use WikkaWiki to make your lives easier or more fun, and hope you&#8217;ll stick with us during this transition.  As always, your comments are appreciated!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.wikkawiki.org/2013/04/11/wikkawiki-is-alive-and-well/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.wikkawiki.org/2013/04/11/wikkawiki-is-alive-and-well/</feedburner:origLink></item>
		<item>
		<title>Wikka 1.3.4 release announcement</title>
		<link>http://feedproxy.google.com/~r/WikkaDeveloperBlog/~3/x8hK_j7Q3jU/</link>
		<comments>http://blog.wikkawiki.org/2013/02/10/wikka-1-3-4-release-announcement/#comments</comments>
		<pubDate>Sun, 10 Feb 2013 18:27:58 +0000</pubDate>
		<dc:creator>Brian</dc:creator>
				<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Releases]]></category>

		<guid isPermaLink="false">http://blog.wikkawiki.org/?p=210</guid>
		<description><![CDATA[WikkaWiki 1.3.4 has been released. There is no pressing need to upgrade from 1.3.3; most changes are minor bug fixes, one enhancement (usergroup ACLs) and no security fixes. However, if you are still running a version prior to 1.2p7, you really, really need to upgrade. As always, comments are appreciated!]]></description>
			<content:encoded><![CDATA[<p><a href="http://docs.wikkawiki.org/WhatsNew134">WikkaWiki 1.3.4</a> has been released.  There is no pressing need to upgrade from 1.3.3; most changes are minor bug fixes, one enhancement (usergroup ACLs) and no security fixes.  However, if you are still running a version prior to 1.2p7, <strong>you <em>really, really</em> need to upgrade</strong>.  As always, comments are appreciated!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.wikkawiki.org/2013/02/10/wikka-1-3-4-release-announcement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.wikkawiki.org/2013/02/10/wikka-1-3-4-release-announcement/</feedburner:origLink></item>
		<item>
		<title>Wikka 1.3.3 released</title>
		<link>http://feedproxy.google.com/~r/WikkaDeveloperBlog/~3/CpSEEl1waek/</link>
		<comments>http://blog.wikkawiki.org/2013/02/03/wikka-1-3-3-released/#comments</comments>
		<pubDate>Sun, 03 Feb 2013 23:49:45 +0000</pubDate>
		<dc:creator>Brian</dc:creator>
				<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Releases]]></category>

		<guid isPermaLink="false">http://blog.wikkawiki.org/?p=204</guid>
		<description><![CDATA[Apparently I was remiss in announcing the release of 1.3.3; I apologize for the oversight. You can download the latest version here. This is considered a minor upgrade, so 1.3.2 users really have no compelling need to upgrade. However, if you are running any version prior to 1.3.2p7, please be aware that there are some [...]]]></description>
			<content:encoded><![CDATA[<p>Apparently I was remiss in announcing the release of 1.3.3; I apologize for the oversight.  You can download the latest version <a href="http://docs.wikkawiki.org/WhatsNew133">here</a>.  This is considered a minor upgrade, so 1.3.2 users really have no compelling need to upgrade.  However, if you are running any version prior to 1.3.2p7, please be aware that there are some <a href="http://blog.wikkawiki.org/2011/12/04/security-updates-for-1-3-11-3-2/">serious security issues</a> with these versions that can permit hackers to access your database and change/destroy data, <strong>so upgrading to 1.3.3 from any version prior to 1.2p7 is imperative!</strong></p>
<p>As always, your comments and suggestions are welcome!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.wikkawiki.org/2013/02/03/wikka-1-3-3-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.wikkawiki.org/2013/02/03/wikka-1-3-3-released/</feedburner:origLink></item>
		<item>
		<title>Security updates for 1.3.1/1.3.2</title>
		<link>http://feedproxy.google.com/~r/WikkaDeveloperBlog/~3/4Ne8zjid0Nc/</link>
		<comments>http://blog.wikkawiki.org/2011/12/04/security-updates-for-1-3-11-3-2/#comments</comments>
		<pubDate>Sun, 04 Dec 2011 18:18:44 +0000</pubDate>
		<dc:creator>Brian</dc:creator>
				<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Releases]]></category>

		<guid isPermaLink="false">http://blog.wikkawiki.org/?p=194</guid>
		<description><![CDATA[On 30 Nov an individual posted several WikkaWiki exploits that affect 1.3.1 and 1.3.2 (and possibly earlier versions). All users should immediately upgrade to 1.3.2-p7 or later. You can download the updates from the WikkaWiki homepage. Simply make a backup of your existing Wikka install, and unzip or untar the update directly over your existing installation. [...]]]></description>
			<content:encoded><![CDATA[<p>On 30 Nov an individual posted <a href="http://packetstormsecurity.org/files/107405">several WikkaWiki exploits</a> that affect 1.3.1 and 1.3.2 (and possibly earlier versions).  <strong>All users should immediately upgrade to 1.3.2-p7</strong> or later.  You can download the updates from the <a href="http://wikkawiki.org/HomePage">WikkaWiki homepage</a>.  Simply make a backup of your existing Wikka install, and unzip or untar the update directly over your existing installation.  There are no other changes required.</p>
<p>For those looking for more details, please read on&#8230;</p>
<p><span id="more-194"></span></p>
<p>I&#8217;ll address each exploit and whether or not it might affect your WikkaWiki site.  You can choose to apply the patches you wish, or you can simply download the entire update and install over your existing installation.</p>
<p><em>SQL Injection in UPDATE statement (CVE-2011-4448)</em><br />
This one basically permits a user to carefully modify a UserSettings page, send it back to your server, and extract various fields from your DB or, under some conditions and depending upon which version of MySQL you are using, execute arbitrary SQL statements.  If you do not use the UserSettings action (for instance, you have a wiki closed to registrations), then this vulnerability does not apply to you.  You can find the patch <a href="https://wush.net/trac/wikka/changeset/1820">here</a>.</p>
<p><em>Unrestricted File Upload (CVE-2011-4449)</em><br />
This vulnerability is actually an <a href="http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext">Apache configuration issue</a>, arising from how Apache handles files with multiple extensions, and not a Wikka issue.  A properly configured Apache instance should not be vulnerable.  To be on the safe side, I simply chose to disable all uploads of files with multiple extensions.  You must have INTRANET_MODE or file uploading enabled for this vulnerability to have any effect.  If you do not use the files action, then this patch does not apply to you.  You can find the patch <a href="https://wush.net/trac/wikka/changeset/1822">here</a>.</p>
<p><em>Arbitrary File Download and Arbitrary File Deletion (CVE-2011-4450)</em><br />
As with the previous vulnerability, this one will affect you only if you are using the files action.  If so, then it is possible to display the contents of any file in your Wikka installation directory, including wikka.config.php.  It <em>might</em> be possible to delete arbitrary files as well, but this is dependent upon somehow gaining access as an administrator.  You can find the patch <a href="https://wush.net/trac/wikka/changeset/1821">here</a>.</p>
<p><em>Remote Code Execution (CVE-2011-4451)</em><br />
Successful exploitation of this vulnerability requires a very limited set of circumstances:  (1) rewrite mode must be disabled, and (2) spam logging must be enabled.  When both of these conditions are true, it is possible to inject arbitrary PHP code into the spamlog, which is then executed by the Apache server upon access.  If you have spam logging disabled, OR rewrite mode enabled, this one does not apply to you.  You can find the patch <a href="https://wush.net/trac/wikka/changeset/1825">here</a>.</p>
<p><em>Cross-Site Request Forgery (CVE-2011-4452)</em><br />
This vulnerability affects any site which uses the AdminUsers action: It is possible, with carefully crafted Wikka markup, to arbitrarily delete a user (other than the admin).  You can find the patch <a href="https://wush.net/trac/wikka/changeset/1819">here</a>.</p>
<p>As always, the Wikka development team is committed to making WikkaWiki as secure as feasible, and we always welcome your input and bug reports.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.wikkawiki.org/2011/12/04/security-updates-for-1-3-11-3-2/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		<feedburner:origLink>http://blog.wikkawiki.org/2011/12/04/security-updates-for-1-3-11-3-2/</feedburner:origLink></item>
	</channel>
</rss>
