MyBB Development Blog


MyBB 1.4.7 Released – Security Update

By Ryan Gordon | Published June 15th, 2009 | Releases, Updates

MyBB 1.4.7 is a security update to the MyBB 1.4 series. It fixes 1 high-risk security vulnerability. We recommend that everybody upgrade to this release immediately or patch their boards using the manual patching instructions below.

This vulnerability affects MyBB 1.4.6. MyBB 1.2 is not affected.

Thank you to Jesse Labrocca for alerting us to this vulnerability.

MyBB 1.4.6 to MyBB 1.4.7 Patch

This patch is only for users running MyBB 1.4.6. If you are running an older version of MyBB, please download MyBB 1.4.7 from the MyBB site and update to it.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.

changed_files_1407.zip

If you wish to manually patch your board, please download “mybb_1406_patches.txt” and follow the instructions in that file.

mybb_1406_patches.txt

Please Note: You do not have to run the upgrade script for this release.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send security-related messages through the Contact Us page on the MyBB website.

MyBB 1.2.14 Patch

MyBB 1.2 is not affected.

Please note that all users of the 1.2.x series are urged to upgrade to the latest release of MyBB (1.4.7). MyBB 1.2 is no longer being supported, though security updates for the MyBB 1.2 series will last through December 2009.

Comments

  1.

    Staff Response: Ryan Gordon (June 15th, 2009, 2:01 pm)

    PLEASE DO NOT POST SUPPORT REQUESTS IN THIS BLOG DISCUSSION THREAD – they will be ignored or deleted.

    If you need help please post it at the General Support forum:
    http://community.mybboard.net/forum-81.html

    This comment thread is for feedback and questions regarding the release, and any clarifications.

    Thanks for your cooperation!

  2.

    MHryano (June 15th, 2009, 2:37 pm)

    Thanks, patched with no issues :)

  3.

    SoniQuake (June 15th, 2009, 5:26 pm)

    Thanks for the update. I upgraded my forum. :)

  4.

    Pirata Nervo (June 15th, 2009, 10:41 pm)

    Thanks for the update. Don’t forget to update the Latest News bar on the forum.

    :) Thanks

  5.

    Pepotiger (June 15th, 2009, 11:20 pm)

    Thanks, patched.

  6.

    Staff Response: MattRogowski (June 16th, 2009, 12:00 am)

    May I point out again that if you are upgrading from 1.4.6 there is no upgrade script for this upgrade. You just need to upload the changed files or manually make the edits.

  7.

    Alvaro (June 16th, 2009, 2:07 am)

    Upgraded without problems :)

  8.

    Claudio (June 16th, 2009, 3:17 am)

    Thanks mybb group

    I will upgrade asap

  9.

    Bunnykins’ Blog » Blog Archive » MyBB 1.4.7 Released – Security Update (June 16th, 2009, 5:31 am)

    [...] Source: Mybb’s blog [...]

  10.

    Dracoy (June 16th, 2009, 6:16 am)

    One Upgrade by day? =\

    Going to upgrade….

  11.

    Schmeckel (June 16th, 2009, 8:15 am)

    Went as smooth as a baby’s butt! Thanks MyBB, you’re all the greatest. We’re leaving SMF in the dust!

  12.

    catfished (June 16th, 2009, 8:41 am)

    Took less than one minute, thanks Jesse

  13.

    Dekorasyon (June 16th, 2009, 6:32 pm)

    Thank you very much, no problem.

  14.

    Menthix (June 17th, 2009, 12:21 am)

    Thanks for the update. Both files successfully overwritten, yay for ultra simple updating!

  15.

    Nige (June 17th, 2009, 4:40 am)

    Cheers for the update MyBB. Simple and straightforward. Thanks!

  16.

    MyBBLover (June 18th, 2009, 2:35 am)

    MyBB…… You complete () Me :)

    Thanks for the patch. Upgrade was super simple and without issues.

    Keep up the great work !!

    Cheers !

  17.

    Alex (June 20th, 2009, 2:41 pm)

    Many Thanks For The Update, went very smooth and with very little effort required :D

  18.

    RspsLand (June 21st, 2009, 10:56 am)

    Yes thank you, I updated my site. :D

  19.

    saleh (June 23rd, 2009, 8:02 pm)

    Completely updated
    Thank you

  20.

    Argh (June 25th, 2009, 1:39 am)

    Had this exploited and the whole forum was deleted… lesson definitely learned (and patch applied). Thank goodness for my awesome hosts who keep daily backups.

  21.

    Zukdeen (June 26th, 2009, 7:37 am)

    Upgraded ;D
    Thanks, now my forum is going to be better secured ;D

  22.

    Psinetic (June 30th, 2009, 5:52 pm)

    My forum was attacked with an exploit while I was upgrading to the newer 1.4.8 version from 1.4.6 and another from 1.4.5, the attacker gains administrative access via an exploit which is now posted on milw0rm.com searched simply under “mybb”.

    The patch most certainly fixed the problem.

  23.

    KarlE (July 1st, 2009, 2:31 am)

    Since I like to know what happens, I downloaded the patch instruction and am applying it manually.
    Seeing that you need to escape birthdayprivacy, it strikes me as odd that the same precaution would not apply to birthday, just a few lines above in user.php.

  24.

    KarlE (July 1st, 2009, 2:36 am)

    Please ignore the last remark. Looks like birthday is already sanitized at this point.
