MyBB 1.6.1 Release & 1.4.14 Update

MyBB 1.6.1 is now available on the MyBB website and is a security and maintenance update to the MyBB 1.6 series. A patch has also been made available to provide the security updates for the MyBB 1.4 series.

This release is to ensure that all users on MyBB 1.6 have the latest fixes, and to patch two medium-risk security issues within MyBB.

This release fixes several issues reported since the release of 1.6.0 that caused MyBB to behave incorrectly. These bugs have been fixed to provide a more stable version of MyBB for public use.

What’s fixed in this version?

  • Two XSS Vulnerabilities in editpost.php, member.php and newreply.php – Thank you to YGN Ethical Hacker Group for alerting us of these issues.
  • 90+ bug fixes (view all)

This release has been tested by our Software Quality Assurance group.

The following files were changed since the initial MyBB 1.6 release:

  • calendar.php
  • editpost.php
  • forumdisplay.php
  • member.php
  • misc.php
  • modcp.php
  • moderation.php
  • newreply.php
  • newthread.php
  • polls.php
  • portal.php
  • printthread.php
  • private.php
  • reputation.php
  • showthread.php
  • usercp.php
  • xmlhttp.php
  • admin
    • inc
      • class_page.php
      • functions.php
      • functions_view_manager.php
    • jscripts
      • codepress
        • languages
          • css.css
      • imodal.js
    • modules
      • config
        • badwords.php
        • banning.php
        • calendar.php
        • help_documents.php
      • forum
        • announcements.php
        • management.php
      • home
        • credits.php
        • preferences.php
      • style
        • templates.php
        • themes.php
      • tools
        • recount_rebuild.php
      • user
        • groups.php
        • users.php
      • styles
        • sharepoint
          • avatar_gallery.css
  • inc
    • datahandlers
      • post.php
      • user.php
    • languages
      • english
        • admin
          • config_badwords.lang.php
          • forum_management.lang.php
          • tools_recount_rebuild.lang.php
          • tools_statistics.lang.php
        • moderation.lang.php
        • portal.lang.php
        • reputation.lang.php
        • usercp.lang.php
        • xmlhttp.lang.php
      • english.php
    • tasks
      • delayedmoderation.php
      • promotions.php
      • userpruning.php
    • class_core.php
    • class_custommoderation.php
    • class_datacache.php
    • class_moderation.php
    • class_parser.php
    • functions.php
    • functions_forumlist.php
    • functions_indicators.php
    • functions_online.php
    • functions_post.php
    • functions_search.php
    • functions_user.php
  • install
    • resources
      • mybb_theme.xml
      • settings.xml
      • upgrade17.php
      • upgrade18.php
    • index.php
  • jscripts
    • editor.js

* Red represents files that contain security updates
* Green represents new files added in this release

MyBB 1.6.0 to MyBB 1.6.1 Security Patch

This patch is only for users running MyBB 1.6.0. If you are running an older version of MyBB then please download MyBB 1.6.0 from the MyBB site and update to it using the general [Wiki: Upgrading] guide.

If you wish to manually patch your board please download “mybb_1600_patches.txt” and follow the instructions in that file.

mybb_1600_patches.txt

The manual patch set only fixes the security vulnerabilities and is made available only to temporarily secure your forum until you have time to run the complete upgrade.

MyBB 1.6.0 to MyBB 1.6.1 Full Upgrade

When upgrading from 1.6.0, you will not lose any custom themes, plugins or language packs which you may have installed.

Follow the general [Wiki: Upgrading] guide outlined on the MyBB Wiki to complete the upgrade process. You may download a ZIP archive of changed files here:

changed_files_1601.zip

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.
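
A pre-flight check for this step, as an added example (not MyBB's own tooling): it compares an archive's contents with the published changed-files list and flags any of the three security-fixed files that are absent. The function names, the `strip_prefix` parameter and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Files the announcement names as carrying the XSS fixes.
SECURITY_FILES = ["editpost.php", "member.php", "newreply.php"]


def archive_paths(zip_bytes, strip_prefix=""):
    """Return archive file paths relative to the forum root (directories skipped)."""
    paths = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if strip_prefix and name.startswith(strip_prefix):
                name = name[len(strip_prefix):]
            paths.add(name)
    return paths


def compare(zip_bytes, listed, strip_prefix=""):
    """Compare archive contents with the published changed-files list."""
    present = archive_paths(zip_bytes, strip_prefix)
    listed = set(listed)
    return {
        "missing_security": sorted(f for f in SECURITY_FILES if f not in present),
        "missing": sorted(listed - present),
        "unlisted": sorted(present - listed),
    }


def build_sample_zip(names):
    """Build an in-memory archive of placeholder files (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "<?php // constructed placeholder\n")
    return buf.getvalue()


# Constructed sample: a subset of the published list, and an archive missing one file.
SAMPLE_LISTED = ["editpost.php", "member.php", "newreply.php",
                 "inc/class_parser.php", "install/resources/upgrade18.php"]
SAMPLE_ARCHIVE = ["editpost.php", "newreply.php", "inc/class_parser.php",
                  "install/resources/upgrade18.php", "install/resources/upgrade1.php"]

if __name__ == "__main__":
    report = compare(build_sample_zip(SAMPLE_ARCHIVE), SAMPLE_LISTED)
    for key, files in report.items():
        print(f"{key}: {', '.join(files) or 'none'}")
```

A non-empty `missing_security` result means the file replacement alone leaves an XSS fix unapplied, and the manual patch instructions should be used for those files.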

This update does require running the upgrader.
There are database schema, language string, or template changes in this version.

You must then check for modified templates using the instructions below.

Theme and template changes

The “Find Updated” link under the “Templates” page in the Admin CP lists the templates changed in this release for which you have one or more custom copies.

After identifying changed templates using the tool you can either revert your custom template to the default (delete it) or use the “diff” tool to perform a difference analysis on your custom template and the default.

“Revert required” indicates that for this template to work correctly with MyBB 1.6.1 you’ll either need to revert it to the default or modify your custom template to include the changes in the default. If a revert is not required your custom version of the template should work perfectly fine.

Template changes

Since MyBB 1.6.0 the following templates have had changes to them:

  • portal_latestthreads_thread
  • showthread_poll_option_multiple
  • usercp_nav_misc

* Red represents the template must be updated or reverted to fix security problems

Language file changes

Since MyBB 1.6.0 the following language files have had changes to them:

  • moderation.lang.php
  • portal.lang.php
  • reputation.lang.php
  • usercp.lang.php
  • xmlhttp.php
  • admin
    • config_badwords.lang.php
    • forum_management.lang.php
    • tools_recount_rebuild.lang.php
    • tools_statistics.lang.php

Either update your language packs to include the changes in these files or revert to the standard English language pack.

MyBB 1.4.14 Update

MyBB 1.4.14 was released on August 3rd 2010 to provide full PHP 5.3 functionality as well as improved attachment management. If you’re still using 1.4.13, it is recommended to upgrade to 1.4.14. You can do this by following the instructions in the MyBB 1.4.14 Release Announcement. The changed files package has been updated with the latest security fixes.

Please note all users of the 1.4.x series are urged to upgrade to the latest release of MyBB (1.6.1).

This patch is only for users running MyBB 1.4.14 or any previous release of the MyBB 1.4 series. Please download “mybb_1414_patches.txt” below and follow the manual patching instructions.

mybb_1414_patches.txt

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

Thank you,
MyBB Team

21 thoughts on “MyBB 1.6.1 Release & 1.4.14 Update”

  1. PLEASE DO NOT POST SUPPORT REQUESTS IN THIS BLOG DISCUSSION THREAD – they will be ignored or deleted.

    If you need help please post it at the General Support forum:
    http://community.mybboard.net/forum-127.html

    This comment thread is for feedback and questions regarding the release, and any clarifications.

    Thanks for your cooperation.

    • 1.4.14 was released back in August, so it isn’t new. The updates today are to fix security issues in that release (which we still support 1.4 for).

  2. ….member.php is not included in the zip file.

    And:
    Why does the changed_files_1601.zip contain files that are not mentioned in the listing above?
    cannot find member.php in the changed_file.zip
    although present in the changed_files.zip this file is not mentioned in the txt: changed_files_1601.zip
    although present in the changed_files.zip this file is not mentioned in the txt: stylesheet.css
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade.php
    although present in the changed_files.zip this file is not mentioned in the txt: bullet.gif
    although present in the changed_files.zip this file is not mentioned in the txt: content_bg.gif
    although present in the changed_files.zip this file is not mentioned in the txt: error_bg.gif
    although present in the changed_files.zip this file is not mentioned in the txt: h2-admin.gif
    although present in the changed_files.zip this file is not mentioned in the txt: h2-config.gif
    although present in the changed_files.zip this file is not mentioned in the txt: h2-createtables.gif
    although present in the changed_files.zip this file is not mentioned in the txt: h2-dbconfig.gif
    although present in the changed_files.zip this file is not mentioned in the txt: h2-finish.gif
    although present in the changed_files.zip this file is not mentioned in the txt: h2-license.gif
    although present in the changed_files.zip this file is not mentioned in the txt: h2-requirements.gif
    although present in the changed_files.zip this file is not mentioned in the txt: h2-tablepopulate.gif
    although present in the changed_files.zip this file is not mentioned in the txt: h2-theme.gif
    although present in the changed_files.zip this file is not mentioned in the txt: h2-welcome.gif
    although present in the changed_files.zip this file is not mentioned in the txt: index.html
    although present in the changed_files.zip this file is not mentioned in the txt: logo.gif
    although present in the changed_files.zip this file is not mentioned in the txt: submit_bg.gif
    although present in the changed_files.zip this file is not mentioned in the txt: tcat_bg.gif
    although present in the changed_files.zip this file is not mentioned in the txt: thead_bg.gif
    although present in the changed_files.zip this file is not mentioned in the txt: adminoptions.xml
    although present in the changed_files.zip this file is not mentioned in the txt: adminviews.xml
    although present in the changed_files.zip this file is not mentioned in the txt: index.html
    although present in the changed_files.zip this file is not mentioned in the txt: language.lang.php
    although present in the changed_files.zip this file is not mentioned in the txt: mysql_db_inserts.php
    although present in the changed_files.zip this file is not mentioned in the txt: mysql_db_tables.php
    although present in the changed_files.zip this file is not mentioned in the txt: output.php
    although present in the changed_files.zip this file is not mentioned in the txt: pgsql_db_tables.php
    although present in the changed_files.zip this file is not mentioned in the txt: sqlite_db_tables.php
    although present in the changed_files.zip this file is not mentioned in the txt: tasks.xml
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade1.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade10.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade11.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade12.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade13.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade14.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade15.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade16.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade2.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade3.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade4.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade5.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade6.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade7.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade8.php
    although present in the changed_files.zip this file is not mentioned in the txt: upgrade9.php
    although present in the changed_files.zip this file is not mentioned in the txt: usergroups.xml
    although present in the changed_files.zip this file is not mentioned in the txt: calendars.php

  3. Thanks for the fix. I found one issue related to this statement: “If you’re still using 1.4.13, it is recommended to upgrade to 1.4.14. You can do this by following the instructions in the MyBB 1.4.14 Release Announcement. The changed files package has been updated with the latest security fixes.” I interpret this to mean that I should see the mybb_1414_patches.txt fixes within changed_files_1414.zip on http://blog.mybb.com/2010/08/03/mybb-1-4-14-released-%E2%80%93-maintenance-release/ – but I do not see the fixes there.

  4. @Crocodie – A full list of issues that have been fixed can be found at the development tracker (view list). I’ve updated the blog post to show this.

    @dunno – the changed files package has been updated with member.php. An announcement in the community will be made shortly. As for the files you’ve mentioned that are included in the package but not mentioned, those are files located in the ./install/ directory – which is required to upgrade your forum.

    @jkg011 – Apologies for the misunderstanding. “The changed files package has been updated with the latest security fixes” means that editpost, newreply and member.php in the changed files package have been updated with the security patches. If you’ve already upgraded to 1.4.14, or are not wanting to move from 1.4.13 to 1.4.14 for whatever reason, you should apply the mybb_1414_patches.txt file to your forum.

  5. I was told that there should be a global.php file included in the changed file zip. I don’t see it in there.

    Should it be there?

  6. @Goggalor Yeah somehow that got missed too, that was a minor edit though and won’t cause anything to go wrong. Both the member.php and global.php that weren’t in the changed files package will be in the next maintenance release to make sure everybody has them.
