MyBB 1.6.3 and 1.4.16 Security Update

MyBB 1.6.3 and 1.4.16 are now available to download. They fix 1 high-risk vulnerability and 1 low-risk vulnerability. We recommend that everyone upgrade to this release immediately or patch their boards using the manual patching instructions below.

Thanks to Charlie Somerville and thebod for discovering them. These vulnerabilities are:

In addition to the vulnerabilities, the updates also fix the following issues:

All other outstanding issues will be resolved in the next maintenance release.

For MyBB 1.6

The update to MyBB 1.6.3 also upgrades the Prototype and Scriptaculous JavaScript libraries to their latest versions, so that your MyBB forum works properly with Internet Explorer 9.

MyBB 1.6.2 to 1.6.3 Patch
This patch is only for those users running MyBB 1.6.2. If you’re running an older version of MyBB then please download the full version and update to it.

For help upgrading, see the MyBB Wiki: Upgrading.

Please download the attached ZIP archive below and replace the files in your forum directory with those from the ZIP archive.

1.6.3 changed files

You are required to run the upgrader for 1.6.3. After replacing the files above, remove the ‘lock’ file located in forum_root/install/, then visit forum_root/install/upgrade.php and follow the instructions (where forum_root is the web address for your forum). Remember to back up your forum’s files and database before performing this upgrade.

Once the upgrade has completed, visit the Templates & Style area of your ACP, click Templates on the left and open “Find Updated Templates”. Revise and amend all affected templates there, paying particular attention to headerinclude, index_boardstats and forumdisplay_threadlist.

If you wish to manually patch your board, please download “1.6.3 patches” and follow the instructions in that file. You must also amend your templates to keep your board working: download “1.6.3 template patches” and follow the instructions there, for every custom theme you have installed.

1.6.3 patches
1.6.3 template patches

Please remember that applying patches should only be a temporary measure until you can fully upgrade your board. The upgrader must be run so that the default templates are updated with the new security fixes.

Changed Files since 1.6.2

  • inc
    • class_core.php
    • functions_search.php
  • install
    • resources
      • mysql_db_tables.php
      • mybb_theme.xml
      • upgrade12.php
      • upgrade17.php
      • upgrade19.php
      • upgrade3.php
      • upgrade5.php
    • upgrade.php
  • jscripts
    • controls.js
    • dragdrop.js
    • effects.js
    • general.js
    • prototype.js
    • scriptaculous.js
    • slider.js
    • thread.js
  • forumdisplay.php
  • index.php
  • misc.php
  • showthread.php

* Red represents files that contain security updates
* Green represents new files added in this release

For MyBB 1.4

For MySQL 5.5 compatibility and the IE9 JavaScript fixes, please upgrade to MyBB 1.6.3. Support for MyBB 1.4 will end on 1st July 2011, after which there will be no more security updates for the 1.4 series.

1.4.15 to 1.4.16 Patches
This patch is only for those users running MyBB 1.4.15. If you’re running an older version of MyBB 1.4 and don’t want to upgrade to 1.6 just yet, then please download the latest version of MyBB 1.4 from the MyBB Wiki: Versions.

For help upgrading, see the MyBB Wiki: Upgrading.

Please download the attached ZIP archive below and replace the files in your forum directory with those from the ZIP archive.

1.4.15 changed files

You are required to run the upgrader for 1.4.16. After replacing the files above, remove the ‘lock’ file located in forum_root/install/, then visit forum_root/install/upgrade.php and follow the instructions (where forum_root is the web address for your forum). Remember to back up your forum’s files and database before performing this upgrade.

Once the upgrade has completed, visit the Templates & Style area of your ACP, click Templates on the left and open “Find Updated Templates”. Revise and amend all affected templates there, paying particular attention to headerinclude, index_boardstats and forumdisplay_threadlist.

If you wish to manually patch your board, please download “1.4.16 patches” and follow the instructions in that file. You must also amend your templates to keep your board working: download “1.4.16 template patches” and follow the instructions there, for every custom theme you have installed.

1.4.15 patches
1.4.15 template patches

Please remember that applying patches should only be a temporary measure until you can fully upgrade your board. The upgrader must be run so that the default templates are updated with the new security fixes.

Changed Files since 1.4.15

  • inc
    • class_core.php
    • functions_search.php
  • install
    • resources
      • mybb_theme.xml
    • upgrade.php
  • jscripts
    • general.js
  • forumdisplay.php
  • index.php
  • misc.php
  • showthread.php

* Red represents files that contain security updates
* Green represents new files added in this release
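The two upgrade procedures above (1.6.2 to 1.6.3 and 1.4.15 to 1.4.16) both come down to the same steps: copy the listed files over the forum root, confirm that nothing was missed, and remove install/lock before opening install/upgrade.php. The following POSIX shell script is an added example, not part of the MyBB announcement or of MyBB itself; it checks every file the release lists as changed against the copy in the extracted ZIP and reports which ones still differ, then checks whether the lock file still blocks the upgrader. It assumes the extracted archive uses the same relative paths as the forum root (inc/class_core.php, install/upgrade.php and so on); the fixture built by mybb_demo is constructed placeholder content, not real MyBB files.

```shell
#!/bin/sh
# Added example (not MyBB code): verify that a changed-files archive has been
# copied into a MyBB forum root and that install/lock has been removed.
# Assumption: <patch_dir> is the extracted ZIP, laid out like the forum root.

# Files listed under "Changed Files since 1.6.2" in the announcement.
MYBB_163_CHANGED_FILES="inc/class_core.php
inc/functions_search.php
install/resources/mysql_db_tables.php
install/resources/mybb_theme.xml
install/resources/upgrade12.php
install/resources/upgrade17.php
install/resources/upgrade19.php
install/resources/upgrade3.php
install/resources/upgrade5.php
install/upgrade.php
jscripts/controls.js
jscripts/dragdrop.js
jscripts/effects.js
jscripts/general.js
jscripts/prototype.js
jscripts/scriptaculous.js
jscripts/slider.js
jscripts/thread.js
forumdisplay.php
index.php
misc.php
showthread.php"

# Files listed under "Changed Files since 1.4.15" in the announcement.
MYBB_1416_CHANGED_FILES="inc/class_core.php
inc/functions_search.php
install/resources/mybb_theme.xml
install/upgrade.php
jscripts/general.js
forumdisplay.php
index.php
misc.php
showthread.php"

# mybb_verify_patch FORUM_ROOT PATCH_DIR FILE_LIST
# Prints one line per listed file that is absent from the archive or whose
# forum copy still differs from the archive copy, then a summary count.
# Returns 0 only when every listed file matches byte for byte.
mybb_verify_patch() {
    forum_root=$1
    patch_dir=$2
    file_list=$3
    bad=0
    for f in $file_list; do
        if [ ! -f "$patch_dir/$f" ]; then
            echo "MISSING IN ARCHIVE: $f"
            bad=$((bad + 1))
        elif ! cmp -s "$patch_dir/$f" "$forum_root/$f"; then
            echo "NOT UPDATED: $f"
            bad=$((bad + 1))
        fi
    done
    echo "files still differing: $bad"
    [ "$bad" -eq 0 ]
}

# mybb_upgrader_unlocked FORUM_ROOT
# The announcement says to remove install/lock before visiting
# install/upgrade.php; this returns 0 once the lock file is gone.
mybb_upgrader_unlocked() {
    [ ! -e "$1/install/lock" ]
}

# mybb_demo: builds a constructed fixture in a temporary directory in which
# two files were never copied and the lock is still present, then prints the
# summary line and the lock status. The file contents are placeholders.
mybb_demo() {
    tmp=$(mktemp -d)
    for f in $MYBB_163_CHANGED_FILES; do
        mkdir -p "$tmp/patch/$(dirname "$f")" "$tmp/forum/$(dirname "$f")"
        echo "new $f" > "$tmp/patch/$f"
        echo "new $f" > "$tmp/forum/$f"
    done
    echo "old" > "$tmp/forum/inc/class_core.php"   # left at the old version
    echo "old" > "$tmp/forum/index.php"            # left at the old version
    : > "$tmp/forum/install/lock"                  # lock never removed
    mybb_verify_patch "$tmp/forum" "$tmp/patch" "$MYBB_163_CHANGED_FILES" | tail -n 1
    mybb_upgrader_unlocked "$tmp/forum" || echo "install/lock still present"
    rm -rf "$tmp"
}
```

Run it against a real board as `mybb_verify_patch /var/www/forum /tmp/extracted "$MYBB_163_CHANGED_FILES"` (or with `$MYBB_1416_CHANGED_FILES` for a 1.4 board); a non-zero exit means at least one listed file, including the ones the announcement marks as carrying security fixes, is still at the old version, so the manual patch is incomplete. The byte comparison deliberately ignores file timestamps, which FTP uploads often reset.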

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we ask that you not post it publicly on these forums or release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send security-related messages through the Contact Us page on the MyBB website.

Thank you,
MyBB Team

17 thoughts on “MyBB 1.6.3 and 1.4.16 Security Update”

  1. Why don’t you use pre-compressed JS files? The Prototype library gained about 50% in size, and although most servers support and use gzip, you can always save a few more bytes by using a pre-crunched version (see Google PageSpeed, for example).

    Thanks.

  2. @Anman – that’s just the name of the ZIP archive. They’re changed files from 1.6.2. They do have the updates for 1.6.3.

    @Mike – if there were “official” compressed libraries, then yes we would package them with MyBB. Otherwise, it’s up to you to decide which compression utilities you run. 🙂

  3. Many thanks for releasing 1.6.3 and fixing the MySQL-injection so fast!

    I recommend to everyone to install 1.6.3, it’s very important!

    And thank you MyBB for handling these issues and for the credits 🙂

  4. Thanks mybb Group

    @leefish Glad to hear that. XThreads is my concern with google seo when a new core update arrives

  5. FYI: Mybb 1.603 Changed files = named “mybb_1602_changed_files.zip”

    It’s just wrongly named; the 1.602 changed files were 54kb (1.601>1.602), this new update is 356kb (1.602>1.603)

    Thanks mybb Staff

  6. Upgraded smoothly without problems. And I have a lot of “critical” mods:

    – mybb seo
    – Xthreads
    – jsnippets
    – etc

    Thanks guys
