MyBB 1.4.12 Released – Security & Maintenance Update

MyBB 1.4.12 is now available on the MyBB website and is a security and maintenance update to MyBB 1.4.11. This will be the last maintenance release of the MyBB 1.4 series. We will still continue to provide security updates for the MyBB 1.4 series.

This release is to ensure that all users on 1.4.11 have the latest fixes, and to patch two medium-risk security issues and a low-risk security issue within MyBB.

Thank you to Stefan Esser and Labrocca for alerting us to these issues.

What’s fixed in this version?

  • #309 – Direct access of some files generates PHP errors
  • #374 – editpost editpost_start hook run twice
  • #466 – Last post date after custom merge
  • #556 – Wrong additional groups in ACP
  • #565 – Custom view in browse users error
  • #575 – Redundant Code in inc/class_parser.php
  • #583 – UTF8-conversion fails with PostgreSQL
  • #586 – Posts after updating the attachments of drafts
  • #592 – Forum subscription displaying always the wrong image
  • #593 – Image upload
  • #594 – portal_pms template not getting cached
  • #597 – $yearsel not defined
  • #598 – Split thread – post icon
  • #604 – Make private event public
  • #606 – Server Statistics – Hostname and hosturl not working
  • #609 – Wrong first day of week in week view
  • #613 – Error if invalid smilie path is used
  • #618 – Alternating trows on profile page
  • #621 – global_pm_alert template typo dismis_notice
  • #622 – Reputation by a deleted user
  • #623 – Upgrade 1.1.18 -> 1.4.11
  • #627 – private_nomessages template not getting cached
  • #632 – Settings not selected if error appears
  • #634 – firstpost of copied thread set to 0
  • #643 – Missing field when fetching latest announcements into portal page
  • #647 – function generate_thumbnail generates warning
  • #650 – Status Icon of Forum not shown on Forum Subscription List
  • #660 – forumdisplay_rules not cached
  • #662 – member.php and $referrals
  • #672 – threadviews task won’t disable from settings change
  • #673 – Typo in member.lang.php $l['hide_dob']
  • #678 – Hard-coded language string in /admin/modules/style/templates.php
  • #684 – Typo in postbit when ignoring users
  • #685 – Akismet “unmark” does not reduce number of “akismetstopped” field.
  • #688 – Old avatars are not deleted
  • #689 – Usercp.php + Modcp.php – XHTML 1.0 Problem ($bdaymonthsel)
  • #703 – Mass Mail Auto Generated Text Version
  • #716 – Error reads “[WRITE] Unable to slave database”, should be select
  • #720 – UTF8 conversion causes mysql error on blob/text fields
  • #722 – Group Join Requests From Guests
  • #727 – Converting a forum with threads to a category should be disallowed
  • #728 – Post Edit bypasses max. [img] MyCodes per Post
  • #749 – Portal “Since then, there have been:” counts unapproved threads and drafts
  • #750 – Theme importing ignored error
  • #759 – Stars are shown on user profile even if they are set to 0 for the group
  • #764 – attachment MyCode isn’t parsed in feeds
  • #774 – mysqli_pconnect function not exists
  • #778 – db reconstruction in inc/functions.php $config check fails
  • #791 – Ratings column of forum display ignores group settings
  • #794 – Badwords preg_quote fix
  • #802 – Stars are shown in Postbit even if they are set to zero and no image is linked
  • #809 – Unviewable threads showing on portal
  • #810 – Portal post shows smilies even when set not to in post
  • #812 – allow [img] in posts depends on MyCode being allowed
  • #816 – Duplicate htmlspecialchar in inc/functions_online.php
  • #821 – syndication.php errors
  • #822 – Use of $_POST in ./xmlhttp.php
  • #835 – MyBB, dl(), and PHP 5.3.x – no dl() in many 5.3.x releases
  • #836 – Debug code left in inc/class_mailhandler.php
  • #843 – Improvements to PHP’s mt_rand RNG seeding
  • #849 – We can set date of birth as future date
  • #852 – CSRF issue in usercp2.php
  • #862 – Rebuilding Attachment Thumbnails Plugin Hook Name
  • #870 – Missing warning messages
  • #871 – Datahandler merge ignores updating post message variable

This release has been tested by our Software Quality Assurance group.

This update does require running the upgrader.
There are database schema, language string, or template changes in this version.

MyBB 1.4.11 to MyBB 1.4.12 Patch

This patch is only for users running MyBB 1.4.11. If you are running an older version of MyBB then please download MyBB 1.4.12 from the MyBB site and update to it using the general [Wiki: Upgrading] guide.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.
changed_files_1412.zip

A manual patch file is not being offered for this release due to the multitude of changes required to implement the security fix. We apologize for any inconvenience this causes.

The following files were changed since the initial MyBB 1.4.11 release:

  • announcements.php
  • calendar.php
  • captcha.php
  • editpost.php
  • forumdisplay.php
  • managegroup.php
  • member.php
  • modcp.php
  • newreply.php
  • newthread.php
  • portal.php
  • private.php
  • reputation.php
  • showthread.php
  • syndication.php
  • usercp.php
  • usercp2.php
  • xmlhttp.php
  • jscripts
    • inline_moderation.js
  • install
    • resources
      • mybb_theme.xml
      • upgrade16.php
  • admin
    • index.php
    • modules
      • forum
        • management.php
      • user
        • mass_mail.php
        • users.php
      • config
        • mod_tools.php
        • settings.php
        • smilies.php
      • tools
        • recount_rebuild.php
        • system_health.php
      • style
        • templates.php
        • themes.php
  • inc
    • class_core.php
    • class_custommoderation.php
    • class_mailhandler.php
    • class_moderation.php
    • class_parser.php
    • db_mysqli.php
    • functions.php
    • functions_image.php
    • functions_online.php
    • functions_serverstats.php
    • functions_upload.php
    • functions_user.php
    • init.php
    • plugins
      • akismet.php
    • languages
      • english
        • global.lang.php
        • member.lang.php
        • messages.lang.php
        • warnings.lang.php
        • admin
          • forum_management.lang.php
          • user_groups.lang.php
    • datahandlers
      • post.php
      • user.php
    • cachehandlers
      • eaccelerator.php
      • memcache.php
      • xcache.php

* Red represents files that contain security updates
* Green represents new files added in this release

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

MyBB 1.2.14 Patch

All users of the 1.2.x series are urged to upgrade to the latest release of MyBB (1.4.12). MyBB 1.2 is no longer being supported and security updates for the MyBB 1.2 series ceased as of January 1, 2010.

Thank you,
MyBB Team

Important Update: April 16, 2010

If you applied the MyBB 1.4.12 update before April 16, 2010 7:00 UTC, we recommend you re-download the changed file package and re-update the inc/functions.php file on your forum. The change fixes an issue identified in the previous hot patch relating to the random number generator. We are sincerely sorry for the inconvenience caused by this.

Thank you for your cooperation.

26 thoughts on “MyBB 1.4.12 Released – Security & Maintenance Update”

  1. So does re-uploading the changed files.zip folder not delete our posts or skins? It's just a case of upload and job done?

  2. Thank you for the update. I am disabling my plugins now and downloading the update file. I really love this software. Thank you so much!

  3. @Mark No, it doesn’t delete anything, that’s what the database is for. And you don’t just need to upload the files, you need to run the upgrade script, like it says in red text above.

    @Starnova Probably not necessary to deactivate plugins, making sure you have a backup would be safe enough, very rare that plugins break an upgrade.

  4. Thank you for the update.
    By the way, are you sure red represents security issues? That’s like more than 15 security issues while you say there’s only two medium-risk security issues and a low risk security issue.

    You should probably colour some of those red files to blue or something

  5. I guess each security fix isn’t in just one file. Meaning 1 medium-risk security issue could need 3 files changed, thus all 3 files get the red color

  6. @Pirata Nervo You should know that just because there is one security issue _doesn’t_ mean it doesn’t affect more than one file, or require that more than one file be updated.

    Case in point: If we need to introduce or modify a function call, it will need to be changed in every instance of its call in all files.

  7. Please excuse my ignorance but this is a bit confusing to me:

    “This update does require running the upgrader.
    There are database schema, language string, or template changes in this version.

    MyBB 1.4.11 to MyBB 1.4.12 Patch
    This patch is only for users running MyBB 1.4.11. If you are running an older version of MyBB then please download MyBB 1.4.12 from the MyBB site and update to it using the general [Wiki: Upgrading] guide.

    Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.
    changed_files_1412.zip

    A manual patch file is not being offered for this release due to the multitude of changes required to implement the security fix. We apologize for any inconvenience this causes.”

    My question is: do I need to run the updater if I upgrade from version 1.4.11, or can I just unzip the changed_files_1412.zip and upload them to the server replacing the files?

    Thanks,

    Ben

  8. @Ben If you’re upgrading from 1.4.11 to 1.4.13 you still need the upgrader because one of the steps you’re upgrading, 1.4.11 to 1.4.12, does need it. These instructions here are specifically for people upgrading from the last version to the next. If you’re upgrading multiple versions, if any one of those step ups needed the upgrade script, you’ll still need it. Hope I’ve understood your point.
