For those looking for more details, please read on…

I’ll address each exploit and whether or not it might affect your WikkaWiki site. You can choose to apply the patches you wish, or you can simply download the entire update and install over your existing installation.

SQL Injection in UPDATE statement (CVE-2011-4448)
This one basically permits a user to carefully modify a UserSettings page, send it back to your server, and extract various fields from your DB or, under some conditions and depending upon which version of MySQL you are using, execute arbitrary SQL statements. If you do not use the UserSettings action (for instance, you have a wiki closed to registrations), then this vulnerability does not apply to you. You can find the patch here.

Unrestricted File Upload (CVE-2011-4449)
This vulnerability is actually an Apache configuration issue and how Apache handles files with multiple extensions, and not a Wikka issue. A properly configured Apache instance should not be vulnerable. To be on the safe side, I simply chose to disable all uploads of files with multiple extensions. You must have INTRANET_MODE or file uploading enabled for this vulnerability to have any effect. If you do not use the files action, then this patch does not apply to you. You can find the patch here.

Arbitrary File Download and Arbitrary File Deletion (CVE-2011-4450)
As with the previous vulnerability, this one will affect you only if you are using the files action. If so, then it is possible to display the contents of any file in your Wikka installation directory, including wikka.config.php. It might be possible to delete arbitrary files as well, but this is dependent upon somehow gaining access as an administrator. You can find the patch here.

Remote Code Execution (CVE-2011-4451)
Successful execution of this vulnerability requires a very limited set of circumstances: (1) Rewrite mode must be disabled, (2) spam logging must be enabled. When both of these instances are true, it is possible to inject arbitrary PHP code into the spamlog, which is then executed by the Apache server upon access. If you have spam logging disabled, OR rewrite mode enabled, this one does not apply to you. You can find the patch here.

Cross-Site Request Forgery (CVE-2011-4452)
This vulnerability affects any site which uses the AdminUsers action: It is possible, with carefully crafted Wikka markup, to arbitrarily delete a user (other than the admin). You can find the patch here.

As always, the Wikka development team is committed to making WikkaWiki as secure as feasible, and we always welcome your input and bug reports.

Your comments, suggestions, and bug reports are always welcome. Join one of our low-volume mailing lists, or pop in at the Wikka Lounge for a short chat. You can also access our bug tracker and file bug reports and enhancement requests directly.

Enjoy!

1.2 is a major release introducing new functionality such as: support for 100%-modular themes, a completely redesigned default layout, menu templates, an advanced table markup, among other enhancements.

The full feature list is available in the release notes, but we will publish in the next days a series of posts to guide users through the new features of Wikka 1.2.

Let me thank Brian for his priceless work on this release, Tormod (who finally sees his brilliant table markup included in an official release) as well as all of our contributors that helped us fix bugs and address issues affecting previous versions over the last months.

Wikka 1.2 is available for download from this page.