MyBB 1.6.6 Security Release

MyBB 1.6.6 is now available from the MyBB website and is a security release for the 1.6 series.

What’s added/changed in this version?

In 1.6.6, 1 major issue and 14 low risk vulnerabilities have been fixed. Only the issues listed below are fixed; a further maintenance release will be available with general fixes to functionality in the near future.

  • Vulnerabilities:
    • Non Critical: Import a non-CSS stylesheet (Theme)
    • Low Risk: CSRF vulnerability on Admin CP logout (Issue #1769)
    • Low Risk: CSRF vulnerability when clearing a stored password (Issue #1824)
    • Low Risk: CSRF vulnerability when removing a buddy (Issue #1825)
    • Low Risk: CSRF vulnerability with Admin CP join requests (Issue #1834)
    • Low Risk: CSRF vulnerability in Group Promotions Enable/Disable
    • Low Risk: CSRF vulnerability in ACP Edit User (Avatar)
    • Low Risk: CSRF vulnerability with activating a user
    • Low Risk: XSS vulnerability when moving an event (Calendar)
    • Low Risk: XSS vulnerabilities in Akismet plugin
    • Low Risk: XSS vulnerabilities in Forum Subscriptions (User CP)
    • Low Risk: XSS vulnerability in Moderator Logs
    • Low Risk: XSS vulnerability in Edit Post
    • Low Risk: XSS vulnerability when editing Announcements

    Thanks to SQA Team Member Nathan Malcolm for finding all of these!

  • Vanishing Announcements in 1.6.5 (Issue #1781, #1785) – with thanks to Paul H and Vini Holden.

For more information on these vulnerabilities, please view the 1.6.6 Changes in the Wiki.

Upgrading from 1.6.5 and Other Versions

Before performing any upgrade, please remember to back up your forum’s files and database and store them safely. If you have edited core files, including language files, please keep a changelog of those changes so you can reapply them once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 1 language file. There is 1 change to themes. Please view the 1.6.6 Changes in the Wiki for more information about these changes.

If you’re using MyBB 1.6.5

If you’re not using MyBB 1.6.5

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send security-related messages through the Contact Us page on the MyBB website or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thank you,
MyBB Team
