MyBB 1.6.3 and 1.4.16 are now available to download. They fix 1 high risk vulnerability and 1 low risk vulnerability. We recommend that everyone upgrade to this release immediately or patch their boards with the manual patching instructions below.
Thanks to Charlie Somerville and thebod for discovering them. These vulnerabilities are:
- An SQL injection vulnerability in showthread.php (internal report)
- Issue #1487 – CSRF vulnerability in misc.php?action=markread
In addition to the vulnerabilities, the updates also fix the following issues:
- SQL error on malformed search keywords
- IE9 Javascript Issues (1.6.3 only)
- MySQL 5.5 compatibility (1.6.3 only)
All other outstanding issues will be resolved in the next maintenance release.
For MyBB 1.6
The update to MyBB 1.6.3 also upgrades the Prototype and Scriptaculous javascript libraries to their latest versions. This is to help your MyBB forum work properly with Internet Explorer 9.
MyBB 1.6.2 to 1.6.3 Patch
This patch is only for those users running MyBB 1.6.2. If you’re running an older version of MyBB then please download the full version and update to it.
For help upgrading, see the MyBB Wiki: Upgrading.
Please download the attached ZIP archive below and replace the files in your forum directory with those from the ZIP archive.
You are required to run the upgrader for 1.6.3. After replacing the files above, remove the ‘lock’ file located in forum_root/install/, then visit forum_root/install/upgrade.php and follow the instructions (where forum_root is the web address for your forum). Remember to backup your forum’s files and database before performing this upgrade.
Once the upgrade has completed, visit the Templates & Style area of your ACP – click on Templates on the left and go to “Find Updated Templates”. Revise and amend all affected templates here, paying attention to headerinclude, index_boardstats and forumdisplay_threadlist.
If you wish to manually patch your board please download “1.6.3 patches” and follow the instructions in that file. You are also required to amend templates to ensure functionality for your board. For this, please download “1.6.3 template patches” and follow the instructions – you must do these for all custom themes you have installed.
1.6.3 patches
1.6.3 template patches
Please remember that applying patches should only be a temporary measure until you can fully upgrade your board. The upgrader is required to run to allow the default templates to be updated with the new security fixes.
Changed Files since 1.6.2
- inc
- class_core.php
- functions_search.php
- install
- resources
- mysql_db_tables.php
- mybb_theme.xml
- upgrade12.php
- upgrade17.php
- upgrade19.php
- upgrade3.php
- upgrade5.php
- upgrade.php
- resources
- jscripts
- controls.js
- dragdrop.js
- effects.js
- general.js
- prototype.js
- scriptaculous.js
- slider.js
- thread.js
- forumdisplay.php
- index.php
- misc.php
- showthread.php
* Red represents files that contain security updates
* Green represents new files added in this release
For MyBB 1.4
For MySQL 5.5 compatibility and IE9 javascript fixes, please upgrade to MyBB 1.6.3. Support for MyBB 1.4 will be ending on 1st July 2011, after which there will be no more security updates for the 1.4 series.
1.4.15 to 1.4.16 Patches
This patch is only for those users running MyBB 1.4.15. If you’re running an older version of MyBB 1.4, and don’t want to upgrade to 1.6 just yet, then please download the latest version of MyBB 1.4 from the MyBB Wiki: Versions.
For help upgrading, see the MyBB Wiki: Upgrading.
Please download the attached ZIP archive below and replace the files in your forum directory with those from the ZIP archive.
You are required to run the upgrader for 1.4.16. After replacing the files above, remove the ‘lock’ file located in forum_root/install/, then visit forum_root/install/upgrade.php and follow the instructions (where forum_root is the web address for your forum). Remember to backup your forum’s files and database before performing this upgrade.
Once the upgrade has completed, visit the Templates & Style area of your ACP – click on Templates on the left and go to “Find Updated Templates”. Revise and amend all affected templates here, paying attention to headerinclude, index_boardstats and forumdisplay_threadlist.
If you wish to manually patch your board please download “1.4.16 patches” and follow the instructions in that file. You are also required to amend templates to ensure functionality for your board. For this, please download “1.4.16 template patches” and follow the instructions – you must do these for all custom themes you have installed.
1.4.15 patches
1.4.15 template patches
Please remember that applying patches should only be a temporary measure until you can fully upgrade your board. The upgrader is required to run to allow the default templates to be updated with the new security fixes.
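The file-replacement steps above (for both the 1.6.3 and the 1.4.16 patch: back up, copy the ZIP contents over the forum directory, remove install/lock, then run install/upgrade.php) are easy to get half right by hand. The following script is an added example, not MyBB's own tooling: it takes a "changed files" ZIP and a forum root, reports which files will be overwritten and which are new (the same split as the red/green legend below), archives every file it is about to overwrite so the change can be rolled back, refuses archive entries that would write outside the forum root, extracts the ZIP, and removes the installer lock. It assumes the ZIP stores paths relative to forum_root (for example inc/class_core.php); the tiny forum tree and ZIP it builds in demo() are constructed fixtures, not a real MyBB release.

```python
"""Apply a MyBB 'changed files' ZIP over a forum directory with a backup.

Added example, not MyBB project code. Assumption: ZIP entries are paths
relative to the forum root, as in the announcement's changed-files lists.
"""
import os
import shutil
import tarfile
import tempfile
import zipfile


def classify_changes(zip_path, forum_root):
    """Return (overwritten, new): relative paths in the ZIP that already exist
    under forum_root and those that do not. Rejects entries that would escape
    forum_root (a 'zip-slip' archive), since the files are written as the
    web server's user."""
    overwritten, new = [], []
    with zipfile.ZipFile(zip_path) as zf:
        for member in zf.namelist():
            if member.endswith("/"):
                continue  # directory entries carry no file content
            rel = os.path.normpath(member)
            if os.path.isabs(member) or rel.startswith(".."):
                raise ValueError("unsafe path in archive: %r" % member)
            if os.path.exists(os.path.join(forum_root, rel)):
                overwritten.append(rel)
            else:
                new.append(rel)
    return sorted(overwritten), sorted(new)


def backup_files(forum_root, rel_paths, backup_path):
    """Archive the given files (relative to forum_root) into a .tar.gz so a
    bad update can be rolled back. Returns the number of files archived."""
    with tarfile.open(backup_path, "w:gz") as tar:
        for rel in rel_paths:
            tar.add(os.path.join(forum_root, rel), arcname=rel)
    return len(rel_paths)


def apply_changed_files(zip_path, forum_root, backup_path):
    """Back up files that will be overwritten, extract the ZIP over
    forum_root, and remove install/lock so install/upgrade.php can run.
    Returns a small report dict describing what was done."""
    overwritten, new = classify_changes(zip_path, forum_root)
    backed_up = backup_files(forum_root, overwritten, backup_path)
    with zipfile.ZipFile(zip_path) as zf:
        for member in zf.namelist():
            if member.endswith("/"):
                continue
            target = os.path.join(forum_root, os.path.normpath(member))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(member) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
    lock = os.path.join(forum_root, "install", "lock")
    lock_removed = os.path.exists(lock)
    if lock_removed:
        os.remove(lock)  # the upgrader refuses to run while this exists
    return {"overwritten": overwritten, "new": new,
            "backed_up": backed_up, "lock_removed": lock_removed}


def demo():
    """Constructed fixture: a tiny fake forum tree plus a ZIP that overwrites
    two files and adds one, then apply it. Returns the report."""
    root = tempfile.mkdtemp(prefix="mybb_demo_")
    forum = os.path.join(root, "forum")
    fixture = {"inc/class_core.php": "<?php // old core\n",
               "showthread.php": "<?php // old showthread\n",
               "install/lock": ""}
    for rel, body in fixture.items():
        path = os.path.join(forum, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    zip_path = os.path.join(root, "changed_files.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("inc/class_core.php", "<?php // new core\n")
        zf.writestr("showthread.php", "<?php // fixed showthread\n")
        zf.writestr("install/resources/upgrade19.php", "<?php // new step\n")
    backup = os.path.join(root, "pre_upgrade.tar.gz")
    report = apply_changed_files(zip_path, forum, backup)
    with open(os.path.join(forum, "showthread.php")) as fh:
        report["showthread_updated"] = "fixed" in fh.read()
    report["lock_gone"] = not os.path.exists(os.path.join(forum, "install", "lock"))
    report["backup_exists"] = os.path.exists(backup)
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    print(demo())
```

Run it as `python apply_changed_files.py` to see the demo report; in real use call apply_changed_files() with the downloaded ZIP, your forum root and a backup path outside the web root, and keep the database backup step the announcement asks for as a separate manual step. The path check matters because the archive is written with the permissions of whoever runs the script, so an entry such as ../../etc/passwd in a tampered ZIP must never be extracted.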
Changed Files since 1.4.15
- inc
- class_core.php
- functions_search.php
- install
- resources
- mybb_theme.xml
- upgrade.php
- resources
- jscripts
- general.js
- forumdisplay.php
- index.php
- misc.php
- showthread.php
* Red represents files that contain security updates
* Green represents new files added in this release
Reporting MyBB security vulnerabilities
If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.
As always, you can send through security related messages on the MyBB website from the Contact Us page.
Thank you,
MyBB Team
Why don’t you use pre-compressed JS files? The Prototype library gained about 50% in size and although most servers support and use gzip you can always save a few other bytes by using a pre-crunched version (see Google PageSpeed for example).
Thanks.
Many thanks guys
Fantastic release devs. =)
The changed files links to the 1.6.2 changed files, not 1.6.3
@Anman – that’s just the name of the ZIP archive. They’re changed files from 1.6.2. They do have the updates for 1.6.3.
@Mike – if there were “official” compressed libraries, then yes we would package them with MyBB. Otherwise, it’s up to you to decide which compression utilities you run.
Thank you, MyBB team
Many thanks for releasing 1.6.3 and fixing the MySQL-injection so fast!
I recommend to everyone to install 1.6.3, it’s very important!
And thank you MyBB for handling these issues and for the credits
Thanks!
I updated my 2 forums without problem!
Thanks for the update – all went well, even with my XThreads
Thanks mybb Group
@leefish Glad to hear that. XThreads is my concern with google seo when a new core update arrives
FYI: MyBB 1.603 changed files = named “mybb_1602_changed_files.zip”
It’s just wrongly named, 1.602 changed files were 54kb (1.601>1.602), this new update is 356kb (1.602>1.603)
Thanks mybb Staff
Thanks for the update..
Upgraded smoothly without problems. And I have a lot of “critical” mods:
– mybb seo
– Xthreads
– jsnippets
– etc
Thanks guys
Thanks for the update.
Upgrade from 1.6.2 went nice as usual.
Thanks for the release
Thanks for the update
Thanks for the update for MyBB 1.4