MyBB 1.6.7 – Security, Maintenance and Feature Release
MyBB 1.6.7 is now available from the MyBB website and is a security, maintenance and feature update.
In 1.6.7 there are 5 new feature updates and over 70 reported issues fixed. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version.
1.6.7 fixes 5 low-risk security vulnerabilities.
- SQL injection vulnerability within the Admin Control Panel (ACP) in user search (reported by Nathan Malcolm, MyBB SQA Team)
- SQL injection vulnerability within the ACP in Mail Log (reported by Nathan Malcolm, MyBB SQA Team)
- SQL injection vulnerability within the ACP in User Inline Moderation (reported by Jammerx2, MyBB Developer)
- XSS within the ACP where an orphaned attachment has a malformed filename (reported by Nathan Malcolm, MyBB SQA Team)
- Full Path Disclosure if malformed forumread cookie is used
ACP vulnerabilities require Administrator permissions and so considered low-risk. We recommend planning your upgrade as quickly as possible to ensure your forum is as secure as it can be.
New features included in 1.6.7 update include the ability to login with a username, an email or both. For more information about new features, please see the Wiki on 1.6.7.
Upgrading from 1.6.6 and Other Versions
Before performing any upgrade, please remember to backup your forum’s files and database and store them safely. If you have edited core files, including languages files, please make sure you make a change log for these changes so you can make them again once the upgrade is complete.
To upgrade, follow the Upgrading process. The upgrade script is required. There are also language and theme changes.
If you’re using MyBB 1.6.6
- Download and use the Changed Files Package
If you’re not using MyBB 1.6.6
- Download and use the full 1.6.7 release package
Reporting MyBB security vulnerabilities
If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.
As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.
MyBB Merge System 1.6.7
MyBB Merge System 1.6.7 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.6 series.
This release is to ensure that all users of MyBB Merge 1.6 have the latest fixes.
This release fixes several reported issues since the release of 1.6.3, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.
What’s new in this version?
- 3 bug fixes (view all)
- Version jump to 1.6.7 from 1.6.3 to match the current MyBB Version. From now on we’ll do our best to keep these in sync.
This includes some critical fixes for phpBB that caused infinite loops.
MyBB Mascot Update
We recently held our MyBB Mascot Naming Contest. Many community members proposed names and after a week a poll with the top names was put up. After another week of voting, the name “Bolt”, after MyBB founder Chris Boulton, was chosen. Proposed by Mebes Net, we of the MyBB Team feels this name conveys the strength and speed of MyBB very effectively.
We are proud to present to you the MyBB Mascot, Bolt!
MyBB 1.8 – The Bridge to 2.0
Everyone here at MyBB are proud to announce the impending arrival of our next major feature release – MyBB 1.8.
Over the last 2 months we’ve been developing in secret at our Github lair, plotting to once again attempt to take over the forum world with our evil plans and awesome free software and to celebrate the 10th anniversary of DevBB – our supreme overlord predecessor.
1.8 isn’t as big of an overhaul as 1.2, 1.4 or 1.6 upgrades which introduced more than 100 features; this is more of a facelift. We took Justin, our lead designer, and locked him in a room with nothing but bacon and water until he came up with a new default theme which is taken from one of (if not the) most popular theme collections used by MyBB communities across the world; his Apart series. That’s not all – we developed attachable base colours to themes so that creating (and using) multi-coloured themes no longer involve adding 14 separate styles. You add just one. A new default theme for your Admin Control Panel (ACP) is available too.
For more than half of MyBB’s rule of the forum world, our JavaScript has been powered by Prototype. It was a popular library when we started using it but it has fallen behind a more powerful (and popular) rival and so we’ve consigned it to MyBB history; MyBB 1.8 is powered by jQuery.
Two of the most requested features for MyBB will also be heading to 1.8. With our switch to jQuery, along comes a new post editor (yet to be decided) and a Trash Can – or more the ability to recover deleted posts via the Mod CP.
Along with the regular bug fixes and a host of other planned improvements, such as an APC cache handler, being able to make a cup of hot cocoa, separating the plugin list to active/inactive, making some functions a bit easier to use and projecting your forum’s logo onto the face of the Moon, we’ll be working with MyBB gurus to improve performance, plugin integrations and we’re looking into making the authentication to 3rd party software much easier too with a dedicated login datahandler. It doesn’t have to be just gurus though; we’ll be opening up 1.8 to everyone on Github so that they too can fork, improve, update and become one with the MyBB Team.
We’re all very excited about this release and hope you are too! More information will be coming soon but in the mean time please feel free to suggest more improvements in our Suggestions and Feedback Forum!
Thanks,
MyBB Team
MyBB Blog 
Hallelujah for 1.8.
Is the whole board powered by jQuery (ie including ACP) or just the front end?
Very exciting news – this means that soon I will no longer need to load TWO javascript libraries.
Glad to already see another update to the 1.6 series of MyBB. The upgrade process was easy. I did notice that now you can choose to allow members to log in with either their username or email. I don’t recall that being an option before.
I am excited about 1.8. I do like the Trash Can feature. It can help if you accidentally delete something. I would like to know if we have to make any changes to any plugins we have coded other than change the compatitibility to 18*?
Not sure if just joking for April fools day or telling the truth about 1.8…
Either way, it sounds epic 😀
Is this a joke?
Ha ha, I am not sure about 1.8 release or dev though, could be a prank. 😉
well, I was a bit suspicious – but then, I decided to take the 1.8 at face value. Of course, I shall be EXTREMELY disappointed if I am unable to project an enormous leefish logo onto the face of the moon.
I’m excited to see how 1.8 comes out to be. Good luck with its development 😛
Well, I am pretty sure that the team are joking – but the response to a JQuery powered mybb might make a rethink happen. I hope so.
Hi So Very Very Don’t be tired
thanks thanks
i will waiting for 1.8 so i am so happy for that’s news
thanks thank you for working free and …………………..
April fools joke I assume….
1.6.7 update ? release is still at 1.6.6
@Robin – 1.6.7 has been released.
I’m excited to see how 1.8 comes out to be. Good luck
You shouldn’t release real news with April fools aswell. It’s confusing. Pretty sure 1.8 is a joke, but is Bolt just a joke too then?
Thank you everybody for voting for “Bolt.”
We’ve worked together to bring an appropriate name to the MyBB mascot.
So is 1.8 a troll or is it serious?
Thank, forever mybb team
goods!! i have upgrade
where is the checksums hash values for new version ?
@Kyon – They will be generated ASAP.
Auro could have been a better choice though.
Can’t wait for 1.8, is the in built spam prevention system been released in 1.8 or 2.0?
Also will plugin developers have to rewrite everything?
Also, is this not a April Fools prank (1.8)?
Glad to hear the release of 1.8 and it is powered by Jquery,we wish the team a success.:)
A little emphasis on spam prevention would make it an epic release.
April is over and it still says 1.6.6 release, I’m not upgrading until that changes =]
@Robin Don’t worry, 1.6.7 is 100% legit 🙂
What about 1.8? Is it joke?
So 1.8 is fake? 😦
Probably, as there are not any forums related to 1.8.
I was surprised when you guys said 1.8 will feature so many new features like switching to jQuery. It sounded like MyBB 2.0.
Smells like April Fools.
thanks for the update.. 🙂
awesome
design a tableless theme for default
@Dr.K – The default theme will not be tableless – You’re thinking of 2.0. This theme update is just a facelift not a complete rewrite.
Bad time to announce it if its actually true… everyone will jump to “April Fools”.
@Craig – That was exactly what we were going for. The joke was the timing.
Thanks for the update!
I guess inc/languages/admin/config_settings.lang.php has been changed as well. But it is not mentioned at the changed files.
when 1.8 will released?
@secarab – When it’s ready. We’ve already stated this many times.
It’s not professional to answer like that. When people ask for a release date, they want to get a timeframe, not some dismissing answer like “when it’s ready”.
Although we are not paying you a cent, we all deserve consideration.
Regards.
There is no timeframe. That’s why we state it will be released when it’s ready. We can’t say between x and y if we’re not entirely sure it will be released between x and y.
We’ve always stated it will be released when it’s ready. And it will be.
The biggest reason we’ve used this reply for so many years now is because we don’t have full time staff (developers) that would make giving a due date more feasible.
If even one of our current developers, or even SQA members, were to leave it would have a drastic effect on development time and obviously the release date.
I can understand your concerns and enthusiasm though. 🙂
MyBB staff – Take your time ! 🙂
As for 1.6.7 thnx for the fixes!
@ 42. Take your time? Are you nuts? Tell them to hurry, not take their time!!
#43, quality far precedes the speed at which it is released.
On another note, I would like to applaud you on your work thus far. MyBB has been great for me and I honestly have no problem with the software. It’s perfect for my HTML, CSS, and JavaScript experiments. 🙂
Mascot and new theme looks great. Wouldn’t change a thing. Keep up the great work at MyBB.
Sounds great! Can’t wait for this exclusive release! Thanks to the MyBB team! 😀
Pingback: MyBB 1.8 Tour: Introduction
I like Apart series themes a lot! I installed all of them on my forum. Can’t wait for the “we developed attachable base colours to themes so that creating (and using) multi-coloured themes no longer involve adding 14 separate styles.” 😀
Pingback: MyBB 1.6.7 – Múltiplas Vulnerabilidades | HACKER
Pingback: CVE-2012-2325 (mybb) | Web Security Watch
Pingback: CVE-2012-2324 (mybb) | Web Security Watch
Pingback: CVE-2012-2326 (mybb) | Web Security Watch
Pingback: CVE-2012-2327 (mybb) | Web Security Watch
I’ll wait for it! Thanks!