MyBB 1.6.6 Security Release

MyBB 1.6.6 is now available from the MyBB website and is a security release for the 1.6 series.

What’s added/changed in this version?

In 1.6.6, 1 major issue and 14 low risk vulnerabilities have been fixed. Only the issues listed below are fixed; a further maintenance release will be available with general fixes to functionality in the near future.

  • Vulnerabilities:
    • Non Critical: Import a non-CSS stylesheet (Theme)
    • Low Risk: CSRF vulnerability on Admin CP logout (Issue #1769)
    • Low Risk: CSRF vulnerability when clearing a stored password (Issue #1824)
    • Low Risk: CSRF vulnerability when removing a buddy (Issue #1825)
    • Low Risk: CSRF vulnerability with Admin CP join requests (Issue #1834)
    • Low Risk: CSRF vulnerability in Group Promotions Enable/Disable
    • Low Risk: CSRF vulnerability in ACP Edit User (Avatar)
    • Low Risk: CSRF vulnerability with activating a user
    • Low Risk: XSS vulnerability when moving an event (Calendar)
    • Low Risk: XSS vulnerabilities in Akismet plugin
    • Low Risk: XSS vulnerabilities in Forum Subscriptions (User CP)
    • Low Risk: XSS vulnerability in Moderator Logs
    • Low Risk: XSS vulnerability in Edit Post
    • Low Risk: XSS vulnerability when editing Announcements

    Thanks to SQA Team Member Nathan Malcolm for finding all of these!

  • Vanishing Announcements in 1.6.5 (Issue #1781, #1785) – with thanks to Paul H and Vini Holden.

For more information on these vulnerabilities, please view the 1.6.6 Changes in the Wiki.

Upgrading from 1.6.5 and Other Versions

Before performing any upgrade, please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 1 language file. There is 1 change to themes. Please view the 1.6.6 Changes in the Wiki for more information about these changes.

If you’re using MyBB 1.6.5

If you’re not using MyBB 1.6.5

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thank you,
MyBB Team
