MyBB 1.6.11 is now available from the MyBB website and is a security and maintenance release.
Important Security Patches
It was reported to us by Philly that a user was able to register on his forum with three ’emoji’ characters which led to the user becoming “unregistered”. After looking in to this issue we discovered it was more complex than originally thought.
The technical explanation is MySQL’s UTF8 implementation only supports up to 3 bytes per character. When someone tries to insert a string containing a 4 byte utf8 character in to the database, MySQL truncates the string immediately before the 4 byte character. Not only does this affect security, it affects the user’s experience as half their post or private message could be lost without them knowing why.
The vulnerability was exploited by a user registering on a forum with a username consisting of only 4 byte UTF8 characters. As I explained before, MySQL truncates the string before the first occurrence of a 4 byte UTF8 character which led to the username column becoming empty. When someone sent a PM it would be automatically sent to the nameless user and they would be able to read it.
This security issue affects MySQL databases with a utf8_general_ci collation (This may also affect utf8_unicode_ci collations too). If you’re using a SQLite or PostgreSQL database you’re not affected by this.
What’s added/changed in this version?
This release fixes 5 vulnerabilities and over 65 reported issues causing incorrect functionality of MyBB. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version.
- Vulnerabilities:
- High Risk: Authorization bypass vulnerability within the PM system – reported by Philly
- Medium Risk: Accounts without login keys could be hijacked – reported by StefanT
- Low Risk: Weakness within the generate_post_check() function – reported by Nathan Malcolm
- Low Risk: Anonymous statistics may not always be anonymous – reported by Nathan Malcolm
- Low Risk: Database backups are exposed in logs – reported by Nathan Malcolm
- Fixed issues in 1.6.11
- Unfixed issues
Please view the 1.6.11 changes on the Docs site for more information about the changes in this version.
Upgrading from 1.6.10 and Other Versions
Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.
To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 4 language files. 5 templates have been changed or added.
If you’re using MyBB 1.6.10
- Download and use the Changed Files Package (MD5: e48c948cbdeef2cea756f88874d84ceb)
- Follow the Docs Upgrading Instructions
If you’re using MyBB 1.6.9 or lower
- Download and use the full 1.6.11 Release Package (MD5: 918be9675d3d50c63bfe4c6cbf17fd0f)
- Follow the Docs Upgrading Instructions
Reporting MyBB security vulnerabilities
If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.
As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.
Thanks,
MyBB Team
Thanks.
already updated.
Thanks for this upgrade.
Pingback: MyBB 1.6.11 - Polskie Wsparcie MyBB
Thank you for the update guys 🙂
Thanks for update. It’s actual especially for russian users who use utf8_general_ci encoding.
Thank you MyBB 🙂
using 1.6.10 and try the changedfiles_1611 but there is not 1.6.10 to choose only 1.6.9 to choose upgrade not 1.6.10
Thanks for the update! Glad to see these vulnerabilities patched.
As a side note, the http://docs.mybb.com/1611.html page returns an error.
Thanks mybb for giving/informing new securities… upgraded and happy 🙂
Thanks for the Update.
Updated, lets see if fully secured for now 😀
What the hell? Why do I still see 94% on the roadmap page but 1.6.11 has came out 3 days ago?
The roadmap is not 100% accurate. 😉
Seams like the language loading got modified, the AdminCP now REQUIRES an extra file, it doesn’t load the regular language file anymore if there is no language file in the admin folder.
Thank you, upgrade since releas, but at day i have no problems with this release on my forum, only i have one question to do, but i do it on provate inquiries xD. Because i don’t know what happens if is my explorer or something, because i see a minor error, but only see it on My PC and do not know what happens xD.
Anyway works fine and as other versions i feel happy to use this script xD:
Hi,
it seems like with the latest updates all images are displayed one beneath the other although they are just separated by a comma and should be shown in a line. Can anyone confirm? Possible fix?
Yeah we knnow about this and it will be fixed ASAP
thank you for news update…
Thank you MyBB Team! =)
I hope this goes well. I have never preformed an update before. I will have to do some reading and give it a try once my busy IRL stuff is done.
upgrading done. keep up the good work guys!
upgrading done, thanks and keep up the good work fellas.
thnx’s verry much for news update…
Thanks for the Update.
Thanks for the update Mybb Team.
Thanks for update.
Great, thanks for the update!