MyBB 1.6.3 and 1.4.16 Security Update

MyBB 1.6.3 and 1.4.16 are now available to download. They fix 1 high risk vulnerability and 1 low risk vulnerability. We recommend everyone upgrades to this release immediately or patch their boards with the manual patching instructions below.

Thanks to Charlie Somerville and thebod for discovering them. These vulnerabilities are:

In addition to the vulnerabilities, the updates also fix the following issues:

All other outstanding issues will be resolved in the next maintainence release.

For MyBB 1.6

The update to MyBB 1.6.3 also upgrades the Prototype and Scriptaculous javascript libraries to their latest versions. This is to help your MyBB forum work properly with Internet Explorer 9.

MyBB 1.6.2 to 1.6.3 Patch
This patch is only for those users running MyBB 1.6.2. If you’re running an older version of MyBB then please download the full version and update to it.

For help upgrading, see the MyBB Wiki: Upgrading.

Please download the attached ZIP archive below and replace the files in your forum directory with those from the ZIP archive.

1.6.3 changed files

You are required to run the upgrader for 1.6.3. After replacing the files above, remove the ‘lock’ file located in forum_root/install/, then visit forum_root/install/upgrade.php and follow the instructions (where forum_root is the web address for your forum). Remember to backup your forum’s files and database before performing this upgrade.

Once the upgrade has completed, visit the Templates & Style area of your ACP – click on Templates on the left and go to the “Find Updated Templates”. Revise and amend all affected templates here, paying attention to headerinclude, index_boardstats and forumdisplay_threadlist.

If you wish to manually patch your board please download “1.6.3 patches” and follow the instructions in that file. You are also required to amend templates to ensure functionality for your board. For this, please download “1.6.3 template patches” and follow the instructions – you must do these for all custom themes you have installed.

1.6.3 patches
1.6.3 template patches

Please remember that applying patches should only be a temporary measure until you can fully upgrade your board. The upgrader is required to run to allow the default templates to be updated with the new security fixes.

Changed Files since 1.6.2

  • inc
    • class_core.php
    • functions_search.php
  • install
    • resources
      • mysql_db_tables.php
      • mybb_theme.xml
      • upgrade12.php
      • upgrade17.php
      • upgrade19.php
      • upgrade3.php
      • upgrade5.php
    • upgrade.php
  • jscripts
    • controls.js
    • dragdrop.js
    • effects.js
    • general.js
    • prototype.js
    • scriptaculous.js
    • slider.js
    • thread.js
  • forumdisplay.php
  • index.php
  • misc.php
  • showthread.php

* Red represents files that contain security updates
* Green represents new files added in this release

For MyBB 1.4

For MySQL 5.5 compatibility and IE9 javascript fixes, please upgrade to MyBB 1.6.3. Support for MyBB 1.4 will be ending on 1st July 2011, after which there will be no more security updates for the 1.4 series.

1.4.15 to 1.4.16 Patches
This patch is only for those users running MyBB 1.4.15. If you’re running an older version of MyBB 1.4, and don’t want to upgrade to 1.6 just yet, then please the latest version of MyBB 1.4 from the MyBB Wiki: Versions.

For help upgrading, see the MyBB Wiki: Upgrading.

Please download the attached ZIP archive below and replace the files in your forum directory with those from the ZIP archive.

1.4.15 changed files

You are required to run the upgrader for 1.4.16. After replacing the files above, remove the ‘lock’ file located in forum_root/install/, then visit forum_root/install/upgrade.php and follow the instructions (where forum_root is the web address for your forum). Remember to backup your forum’s files and database before performing this upgrade.

Once the upgrade has completed, visit the Templates & Style area of your ACP – click on Templates on the left and go to the “Find Updated Templates”. Revise and amend all affected templates here, paying attention to headerinclude, index_boardstats and forumdisplay_threadlist.

If you wish to manually patch your board please download “1.4.16 patches” and follow the instructions in that file. You are also required to amend templates to ensure functionality for your board. For this, please download “1.4.16 template patches” and follow the instructions – you must do these for all custom themes you have installed.

1.4.15 patches
1.4.15 template patches

Please remember that applying patches should only be a temporary measure until you can fully upgrade your board. The upgrader is required to run to allow the default templates to be updated with the new security fixes.

Changed Files since 1.4.15

  • inc
    • class_core.php
    • functions_search.php
  • install
    • resources
      • mybb_theme.xml
    • upgrade.php
  • jscripts
    • general.js
  • forumdisplay.php
  • index.php
  • misc.php
  • showthread.php

* Red represents files that contain security updates
* Green represents new files added in this release

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

Thank you,
MyBB Team

17 thoughts on “MyBB 1.6.3 and 1.4.16 Security Update

  1. Why don’t you use pre-compressed JS-Files? The Prototype-Library gained about 50% in size and although most servers support and use gzip you always can save a few other bytes by using a pre-crunched version (see google pagespeed for example).

    Thanks.

  2. @Anman – that’s just the name of the ZIP archive. They’re changed files from 1.6.2. They do have the updates for 1.6.3.

    @Mike – if there were “official” compressed libraries, then yes we would package them with MyBB. Otherwise, it’s up to you to decide which compression utilities you run. :)

  3. Many thanks for releasing 1.6.3 and fixing the MySQL-injection so fast!

    I recommend to everyone to install 1.6.3, it’s very important!

    And thank you MyBB for handling these issues and for the credits :)

  4. Thanks mybb Group

    @leefish Glad to hear that. XThreads is my concern with google seo when a new core update arrives

  5. FYI: Mybb 1.603 Changed files = named “mybb_1602_changed_files.zip”

    It´s just wrong named, 1.602 changed files were 54kb (1.601>1.602), this new update is 356kb (1.602>1.603)

    Thanks mybb Staff

  6. Upgraded smootly without problems. And I have a lot of “critical” mods:

    – mybb seo
    – Xthreads
    – jsnippets
    – etc

    Thanks guys

Comments are closed.