MyBB 1.6.11 Released – Security & Maintenance Release

MyBB 1.6.11 is now available from the MyBB website and is a security and maintenance release.

Important Security Patches

It was reported to us by Philly that a user was able to register on his forum with three ‘emoji’ characters which led to the user becoming “unregistered”. After looking in to this issue we discovered it was more complex than originally thought.

The technical explanation is MySQL’s UTF8 implementation only supports up to 3 bytes per character. When someone tries to insert a string containing a 4 byte utf8 character in to the database, MySQL truncates the string immediately before the 4 byte character. Not only does this affect security, it affects the user’s experience as half their post or private message could be lost without them knowing why.

The vulnerability was exploited by a user registering on a forum with a username consisting of only 4 byte UTF8 characters. As I explained before, MySQL truncates the string before the first occurrence of a 4 byte UTF8 character which led to the username column becoming empty. When someone sent a PM it would be automatically sent to the nameless user and they would be able to read it.

This security issue affects MySQL databases with a utf8_general_ci collation (This may also affect utf8_unicode_ci collations too). If you’re using a SQLite or PostgreSQL database you’re not affected by this.

What’s added/changed in this version?

This release fixes 5 vulnerabilities and over 65 reported issues causing incorrect functionality of MyBB. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version.

  • Vulnerabilities:
    • High Risk: Authorization bypass vulnerability within the PM system – reported by Philly
    • Medium Risk: Accounts without login keys could be hijacked – reported by StefanT
    • Low Risk: Weakness within the generate_post_check() function – reported by Nathan Malcolm
    • Low Risk: Anonymous statistics may not always be anonymous – reported by Nathan Malcolm
    • Low Risk: Database backups are exposed in logs – reported by Nathan Malcolm
  • Fixed issues in 1.6.11
  • Unfixed issues

Please view the 1.6.11 changes on the Docs site for more information about the changes in this version.

Upgrading from 1.6.10 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 4 language files. 5 templates have been changed or added.

If you’re using MyBB 1.6.10

If you’re using MyBB 1.6.9 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

27 thoughts on “MyBB 1.6.11 Released – Security & Maintenance Release

  1. Pingback: MyBB 1.6.11 - Polskie Wsparcie MyBB

  2. Thank you, upgrade since releas, but at day i have no problems with this release on my forum, only i have one question to do, but i do it on provate inquiries xD. Because i don’t know what happens if is my explorer or something, because i see a minor error, but only see it on My PC and do not know what happens xD.

    Anyway works fine and as other versions i feel happy to use this script xD:

  3. Hi,
    it seems like with the latest updates all images are displayed one beneath the other although they are just separated by a comma and should be shown in a line. Can anyone confirm? Possible fix?

  4. I hope this goes well. I have never preformed an update before. I will have to do some reading and give it a try once my busy IRL stuff is done.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s