Archive for the ‘Security’ Category
Security release 1.1.6.7 now available
WikkaWiki release 1.1.6.7 is now available for downloading. This version introduces no new functionality, but does address security issues raised in a recent Secunia advisory. All WikkaWiki users are encouraged to update to this latest version.
Secunia advisory SA34321 — How critical?
Note: The WikkaWiki devs have released 1.1.6.7 to address this advisory.
Secunia recently issued a security advisory for WikkaWiki 1.1.6.6 (the most recent release). Secunia has identified this vulnerability as “less critical.” The Wikka devs have also extensively analyzed this exploit, and have determined that (1) the exploit does exist, and (2) the exploit requires that a user with administrator rights is logged in. So long as Wikka administrators are limiting access to their wikis to a trusted subset of users, we do not believe there’s an urgent need to limit access to existing WikkaWiki installations while we prepare a security update.
We have always prided ourselves on the attention we give to making Wikka one of the most secure wiki environments available, and will be releasing 1.1.6.7 in the very near future to address the issues raised in the Secunia advisory. In the meantime, we would suggest Wikka admins continue to exercise common sense and limit administrative access to only those users whom you explicitly trust.
A note of thanks to our most recent vandal
Usually one doesn’t go out of the way to thank someone who causes damage to other people’s stuff, but I felt it would be an appropriate gesture in this case. As some of you might have noticed, the main WikkaWiki site was again the target of a scripted attack in which automated user registrations were used to vandalize various pages on the site. While the damage was only temporary (all pages were fully restored, and the perl script used for the restoration is available upon request), the attack prompted us to re-evaluate our priorities given the limited amount of development resources available (namely, the time we volunteer to keep Wikka secure and feature-rich).
As a result of this introspection, the decision has been made to incorporate many of the security features currently in “beta” status on the main Wikka site into the main development trunk, and to create release “branches” that will allow us to continue to focus on providing new functionality while still providing the latest in security measures.
What does all this mean to someone who just wants to have a secure Wikka site? Since we are on the verge of releasing 1.1.7, you will have a choice of either being able to download the feature-rich 1.1.7 version (when it’s available), or the more secure, but less feature-rich, “trunk” version. After 1.1.7 is released, those new features will be merged with the security features in the “trunk” for a subsequent release.
Why would someone want to (temporarily) opt for more features and less security? Wikis running on an intranet probably aren’t prime targets for scripted attacks. Those sites that have restricted and/or disabled user registrations are likewise less vulnerable. For these types of sites, upgrading to 1.1.7 makes perfect sense.
We’ll be posting more details on these changes in the near future. I just wanted to take a few moments to let everyone know what we are doing in order to support both security and functionality upgrades without having to sacrifice one for the other.
And to take a few moments to thank our most recent vandal for giving us that “push” we needed to evaluate our development process and priorities.
–Brian
Wikka Security
While security has never been an afterthought with the Wikka developers, recent events have caused us to re-evaluate development priorities to accommodate security improvements. The recent release of 1.1.6.3-RC1 is an example of our renewed focus on end-user security, addressing several minor security issues, including a native PHP (non-Wikka) bug. Another example: a recent scripted vandalism attack against the WikkaWiki server and other WikkaWiki-hosted sites has led us to re-evaluate the login registration procedure to thwart scripted auto-registration.
The jumping-off point for those interested in Wikka security will be the WikkaSecurity page. Currently highlighted is our process for releasing digital signatures and checksums for Wikka releases as of 1.1.6.2, along with a quick tutorial covering the how-tos of verifying signatures and checksums. As new security processes are documented, we’ll be refactoring this page and creating links to other security-related pages so you can find security information quickly in one place.
As always, your comments are welcome and appreciated. You can contact any of the Wikka Development Team via e-mail, or even chat with us on IRC (#wikka at irc.freenode.net).
–Brian
