For those looking for more details, please read on…

I’ll address each exploit and whether or not it might affect your WikkaWiki site. You can choose to apply the patches you wish, or you can simply download the entire update and install over your existing installation.

SQL Injection in UPDATE statement (CVE-2011-4448)
This one basically permits a user to carefully modify a UserSettings page, send it back to your server, and extract various fields from your DB or, under some conditions and depending upon which version of MySQL you are using, execute arbitrary SQL statements. If you do not use the UserSettings action (for instance, you have a wiki closed to registrations), then this vulnerability does not apply to you. You can find the patch here.

Unrestricted File Upload (CVE-2011-4449)
This vulnerability is actually an Apache configuration issue and how Apache handles files with multiple extensions, and not a Wikka issue. A properly configured Apache instance should not be vulnerable. To be on the safe side, I simply chose to disable all uploads of files with multiple extensions. You must have INTRANET_MODE or file uploading enabled for this vulnerability to have any effect. If you do not use the files action, then this patch does not apply to you. You can find the patch here.

Arbitrary File Download and Arbitrary File Deletion (CVE-2011-4450)
As with the previous vulnerability, this one will affect you only if you are using the files action. If so, then it is possible to display the contents of any file in your Wikka installation directory, including wikka.config.php. It might be possible to delete arbitrary files as well, but this is dependent upon somehow gaining access as an administrator. You can find the patch here.

Remote Code Execution (CVE-2011-4451)
Successful execution of this vulnerability requires a very limited set of circumstances: (1) Rewrite mode must be disabled, (2) spam logging must be enabled. When both of these instances are true, it is possible to inject arbitrary PHP code into the spamlog, which is then executed by the Apache server upon access. If you have spam logging disabled, OR rewrite mode enabled, this one does not apply to you. You can find the patch here.

Cross-Site Request Forgery (CVE-2011-4452)
This vulnerability affects any site which uses the AdminUsers action: It is possible, with carefully crafted Wikka markup, to arbitrarily delete a user (other than the admin). You can find the patch here.

As always, the Wikka development team is committed to making WikkaWiki as secure as feasible, and we always welcome your input and bug reports.

I just wrapped up a manual check of every link on the WikkaSites page. Tedious? Yes…but the results were worth every moment spent on this thankless task. I whittled down the list of known Wikka sites from 537 to a more modest (and accurate) 181 links. A few unreachable sites I gave the benefit of the doubt; I’ll recheck again later in the year and clean those up as well.

Of course, I might have inadvertently removed a working site (some sites are so cleverly disguised I had to delve into the page source or resort to some other tricks to figure out whether or not they were really running Wikka). If that’s the case, feel free to add it back to the WikkaSites page. I’ll try to do a better job keeping this list current.

I was hoping to have full UTF-8 support in the next release of WikkaWiki slated for September, but sadly we’ve lost some valuable UTF-8 dev support along the way, so this might not happen until the release next March. If anyone would like to help, please let me know — the work is just about done, so I can catch you up to speed very quickly on the few tasks that remain.

For those of you returning to school, as a student, teacher, professor, or support staff: Have a great school year! And if you are as student, please remember the world needs more great teachers and instructors dedicated to learning in all its forms, so if you feel the calling, answer the call!

Your comments, suggestions, and bug reports are always welcome. Join one of our low-volume mailing lists, or pop in at the Wikka Lounge for a short chat. You can also access our bug tracker and file bug reports and enhancement requests directly.

Enjoy!