Security updates for 1.3.1/1.3.2
On 30 Nov an individual posted several WikkaWiki exploits that affect 1.3.1 and 1.3.2 (and possibly earlier versions). All users should upgrade to 1.3.2-p7 or later immediately. You can download the update from the WikkaWiki homepage. Simply make a backup of your existing Wikka install, then unzip or untar the update directly over your existing installation. No other changes are required.
For those looking for more details, please read on…
I’ll address each exploit in turn and explain whether it affects your WikkaWiki site. You can apply only the patches you need, or simply download the entire update and install it over your existing installation.
SQL Injection in UPDATE statement (CVE-2011-4448)
This one allows a user to submit a crafted UserSettings form to your server. The submitted values end up in an UPDATE statement, so an attacker can extract other fields from your database into a field they can read back or, under some conditions and depending on which version of MySQL you are using, execute arbitrary SQL statements. If the UserSettings action is not reachable on your wiki (for instance, registration is closed and there are no other registered users), this vulnerability does not apply to you. You can find the patch here.
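The pattern behind this class of bug, shown as an added illustration rather than WikkaWiki’s own code: a settings form whose values are spliced into an UPDATE, and the same update done with bound parameters. The table, column names and rows are constructed for the example.

```python
import sqlite3

# Constructed sample schema; column names are assumptions for this illustration
# and are not WikkaWiki's actual schema.
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT, "
        "email TEXT, homepage TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            ("admin", ADMIN_HASH, "admin@example.org", ""),
            ("mallory", "0cc175b9c0f1b6a831c399e269772661", "m@example.org", ""),
        ],
    )
    conn.commit()
    return conn


def update_settings_vulnerable(conn, user, email, homepage):
    """Form values concatenated straight into the statement: the injection point."""
    sql = (
        "UPDATE users SET email='" + email + "', homepage='" + homepage
        + "' WHERE name='" + user + "'"
    )
    conn.execute(sql)
    conn.commit()


def update_settings_safe(conn, user, email, homepage):
    """Same update with bound parameters; the values can never change the query."""
    conn.execute(
        "UPDATE users SET email=?, homepage=? WHERE name=?", (email, homepage, user)
    )
    conn.commit()


def get_user(conn, name):
    return conn.execute(
        "SELECT name, password_hash, email, homepage FROM users WHERE name=?", (name,)
    ).fetchone()


# The attacker's "email" closes the string literal, overwrites their own
# homepage column from a subquery on another user's row, pins the WHERE clause
# to their own account, and comments out the remainder of the statement.
PAYLOAD_EMAIL = (
    "x', homepage=(SELECT password_hash FROM users WHERE name='admin') "
    "WHERE name='mallory'--"
)


def demo():
    """Return (what the vulnerable update leaks, what the safe update stores)."""
    conn = setup_db()
    update_settings_vulnerable(conn, "mallory", PAYLOAD_EMAIL, "http://example.org")
    leaked = get_user(conn, "mallory")[3]

    conn = setup_db()
    update_settings_safe(conn, "mallory", PAYLOAD_EMAIL, "http://example.org")
    stored = get_user(conn, "mallory")[3]
    return leaked, stored


if __name__ == "__main__":
    leaked, stored = demo()
    print("vulnerable update leaked:", leaked)
    print("safe update stored homepage:", stored)
```

After the vulnerable update, Mallory’s own settings page shows the admin’s password hash in her homepage field; with bound parameters the payload is stored as an inert string and the homepage stays as submitted.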
Unrestricted File Upload (CVE-2011-4449)
This one is really an Apache configuration issue, not a Wikka issue: with mod_mime’s default handling, a file with more than one extension (say name.php.jpg) can be matched to a handler by any of its extensions, so an uploaded “image” can be executed as a script. A properly configured Apache instance should not be vulnerable (bind the PHP handler only to names ending in .php, for example with a FilesMatch on `\.php$`, rather than with AddHandler). To be on the safe side, I simply chose to disable all uploads of files with multiple extensions. You must have INTRANET_MODE or file uploading enabled for this vulnerability to have any effect. If you do not use the files action, this patch does not apply to you. You can find the patch here.
Arbitrary File Download and Arbitrary File Deletion (CVE-2011-4450)
As with the previous vulnerability, this one affects you only if you use the files action. If so, it is possible to display the contents of any file in your Wikka installation directory, including wikka.config.php, which holds your database credentials; if you believe that file may have been read, change the database password stored in it. Deleting arbitrary files may also be possible, but that depends on first obtaining administrator access. You can find the patch here.
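An added example covering both files-action problems above (upload names with multiple extensions, and downloads that escape the upload directory). It is not the project’s code: the upload root, the list of script extensions and the policy of allowing exactly one extension are assumptions chosen to match the approach described in the text.

```python
import os
import posixpath

# Assumed deployment layout and handler extensions; adjust to your server.
UPLOAD_ROOT = "/var/www/wikka/uploads"
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "py"}


def is_acceptable_upload_name(filename: str) -> bool:
    """Accept only a bare file name with exactly one extension that is not a
    script extension. 'a.php.jpg', '.htaccess', 'dir/x.txt' and 'x.php' all fail."""
    base = posixpath.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False  # path components are never acceptable in an upload name
    parts = base.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False  # no extension, leading dot, or multiple extensions
    return parts[1].lower() not in SCRIPT_EXTS


def resolve_download(root: str, requested: str):
    """Map a requested name onto the upload directory. Returns the absolute
    path when it stays inside root, or None when it escapes (.., absolute
    paths, symlink tricks resolved via realpath) or names root itself."""
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, requested))
    if candidate == root_abs:
        return None
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


def check_requests(root: str, names):
    """Return {name: resolved-or-None} for a batch of requested downloads."""
    return {name: resolve_download(root, name) for name in names}


if __name__ == "__main__":
    for name in ("report.pdf", "shell.php.jpg", "shell.php", ".htaccess", "a/b.txt"):
        print(f"upload {name!r}: {'ok' if is_acceptable_upload_name(name) else 'rejected'}")
    for name, path in check_requests(UPLOAD_ROOT, ["notes.txt", "../wikka.config.php", "/etc/passwd"]).items():
        print(f"download {name!r}: {path}")
```

The download check deliberately resolves with realpath before comparing, so a symlink inside the upload directory pointing at wikka.config.php is caught as well as a plain `../` traversal.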
Remote Code Execution (CVE-2011-4451)
Exploiting this vulnerability requires two conditions to hold at the same time: (1) rewrite mode is disabled, and (2) spam logging is enabled. When both are true, it is possible to inject arbitrary PHP code into the spam log, which the Apache server then executes when the log is accessed. If you have spam logging disabled, OR rewrite mode enabled, this one does not apply to you. You can find the patch here.
Cross-Site Request Forgery (CVE-2011-4452)
This vulnerability affects any site that uses the AdminUsers action: with carefully crafted Wikka markup it is possible to make an administrator’s browser delete an arbitrary user (other than the admin). You can find the patch here.
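The standard defence for this class of bug is a token tied to the administrator’s session and to the specific action, which a page authored by someone else cannot produce. The following is an added example, not the patch or WikkaWiki’s code; the handler shape, form field names and the in-memory user table are assumptions.

```python
import hashlib
import hmac
import secrets

# Per-installation secret. A real deployment would load this from
# configuration rather than generating it at import time (assumption).
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id: str, action: str) -> str:
    """Token bound to one visitor session and one specific action, so a
    token for 'delete alice' cannot be replayed as 'delete bob'."""
    msg = f"{session_id}\x00{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_token(session_id: str, action: str, presented) -> bool:
    if not isinstance(presented, str):
        return False  # missing field, as in a forged request
    return hmac.compare_digest(issue_token(session_id, action), presented)


def delete_user(users: dict, session_id: str, form: dict) -> str:
    """Admin handler: remove form['user'] only when the request carries a
    valid token for exactly that deletion. Check the token before any other
    work so a forged request has no observable effect."""
    target = form.get("user", "")
    if not verify_token(session_id, f"AdminUsers:delete:{target}", form.get("csrf_token")):
        return "refused"
    if target == "admin" or target not in users:
        return "no-such-user"
    del users[target]
    return "deleted"


def demo():
    """Return (forged outcome, legitimate outcome, remaining users)."""
    users = {"admin": {}, "alice": {}, "bob": {}}
    admin_session = "sess-admin-1"
    # Legitimate submission: the form the admin rendered carries the token.
    legit = {"user": "alice",
             "csrf_token": issue_token(admin_session, "AdminUsers:delete:alice")}
    # Forged submission from a crafted page: the browser attaches the admin's
    # cookies, but the page author has no way to compute the token.
    forged = {"user": "bob", "csrf_token": "guess"}
    r_forged = delete_user(users, admin_session, forged)
    r_legit = delete_user(users, admin_session, legit)
    return r_forged, r_legit, sorted(users)


if __name__ == "__main__":
    print(demo())
```

Note that binding the token to the action string also stops a token harvested from one form being reused to delete a different account, and that a Referer check alone is not a substitute, since that header may be absent or stripped.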
As always, the Wikka development team is committed to making WikkaWiki as secure as feasible, and we always welcome your input and bug reports.

Thanks for explaining under which circumstances those vulnerabilities could become dangerous. It gives me a calm feeling.
So, thanks for this transparency, WikkaWiki team!
neb
4 Dec 11 at 8:40 pm
Hello,
Since version 1.3.2, commenting works only on one’s own entries; for other users, even if the ACL is + or *, the error
“Sorry, you’re not allowed to post comments to this page” occurs.
Also, there is no possibility to delete even one’s own pages; the error is:
“You are not allowed to delete this page.”
Tried on two different pages, the same… only if all users are admins are those actions allowed.
So sad…
Kind regards,
Jonas
Jonas
7 Dec 11 at 8:05 am