MyBB 1.8.5, 1.6.17 & Merge System 1.8.5 Release

MyBB 1.8.5 – Security & Maintenance Release

MyBB 1.8.5 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 6 security vulnerabilities and 58 reported issues that caused incorrect functionality in MyBB. Please be aware that not all issues have been fixed in this version, in order to keep updates easy to manage.

  • Vulnerabilities:
    • Medium Risk: Reset password code check could be circumvented in member.php – reported by solati.sadegh
    • Medium Risk: Sender email could be spoofed when sending an email to a user in member.php – reported by onlinedevelopers
    • Medium Risk: Permissions not checked for post search with old sid in search.php – reported by pedder55655
    • Medium Risk: XSS in quick edit function of xmlhttp.php – reported by TiberiusG
    • Low Risk: CSRF in ACP mass mail cancellation – reported by Destroy666
    • Low Risk: Use of the U+200E Unicode character to create “duplicate” username – reported by mahdy2021

Please view the 1.8.5 changes on the Docs site for more information about the changes in this version.

Please note that you do need to run the upgrade script for this version.

Upgrading from 1.8.4 and Other Versions

Before performing any upgrade, please remember to back up your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you keep a changelog of these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. 12 language files were changed, and 9 templates were changed or added.

If you’re using MyBB 1.8.4:

If you’re using MyBB 1.8.3 or lower:

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send security-related messages through the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB 1.6.17 – Security Release

MyBB 1.6.17 is now available from the MyBB website. It fixes 2 medium risk and 5 low risk vulnerabilities.

Please note that MyBB 1.6 is approaching its end of life and no support will be provided after 1st of September 2015 (see the EOL announcement).

What’s added/changed in this version?

The vulnerabilities are:

  • Medium Risk: Reset password code check could be circumvented in member.php – reported by solati.sadegh
  • Medium Risk: Permissions not checked for post search with old sid in search.php – reported by pedder55655
  • Low Risk: CSRF in ACP mass mail cancellation – reported by Destroy666
  • Low Risk: Use of the U+200E Unicode character to create “duplicate” username – reported by mahdy2021
  • Low Risk: Multiple XSS vulnerabilities requiring admin permissions – reported by adamziaja, Devilshakerz, DingjieYang and sroesemann
  • Low Risk: A CSRF vulnerability within ACP login – reported by Devilshakerz
  • Low Risk: Cache handler using var_export without encoding checks – reported by chtg
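
The U+200E issue listed for both branches comes down to two usernames that render identically but differ as strings. The following is an added example, not MyBB's code or its actual fix, of a registration and audit check; it generalizes from U+200E to every Unicode format character (category Cf), and the function names, the case-insensitive comparison and the sample usernames are assumptions made for illustration.

```python
import unicodedata

# U+200E (LEFT-TO-RIGHT MARK) belongs to Unicode general category "Cf":
# it renders as nothing but makes the stored string different.

def invisible_chars(name):
    """Return the code points in `name` that have no visible glyph (category Cf)."""
    return [f"U+{ord(c):04X}" for c in name if unicodedata.category(c) == "Cf"]

def skeleton(name):
    """Comparison key: NFKC-normalize, drop Cf characters, then case-fold.
    Assumption: usernames are meant to be unique case-insensitively."""
    normalized = unicodedata.normalize("NFKC", name)
    visible = "".join(c for c in normalized if unicodedata.category(c) != "Cf")
    return visible.casefold().strip()

def check_registration(candidate, existing):
    """Decide whether `candidate` may be registered next to `existing` names.
    Returns (allowed, reason)."""
    hidden = invisible_chars(candidate)
    if hidden:
        return False, "contains invisible character(s): " + ", ".join(hidden)
    taken = {skeleton(n): n for n in existing}
    clash = taken.get(skeleton(candidate))
    if clash is not None:
        return False, f"collides with existing username {clash!r}"
    return True, "ok"

def audit_existing(usernames):
    """Group already-registered usernames that render identically."""
    groups = {}
    for name in usernames:
        groups.setdefault(skeleton(name), []).append(name)
    return [names for names in groups.values() if len(names) > 1]

# Constructed sample data, not taken from any real forum.
EXISTING = ["Admin", "alice", "bob"]

if __name__ == "__main__":
    for attempt in ["Admin\u200e", "admin", "carol"]:
        print(repr(attempt), check_registration(attempt, EXISTING))
    print(audit_existing(EXISTING + ["Admin\u200e"]))
```

Running `audit_existing` over the user table after upgrading shows whether any look-alike accounts were registered before the fix was applied.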

Please view the 1.6.17 changes on the Docs site for more information about the changes in this version.

Please note that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.6.16 and Other Versions

Before performing any upgrade, please remember to back up your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you keep a changelog of these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.

If you’re using MyBB 1.6.16:

If you’re using MyBB 1.6.15 or lower

  • Download and use the full 1.6.17 Release Package (MD5: b9dd9e8cd9c6390626f850bb83cb03cb)
  • Follow the Docs Upgrading Instructions

MyBB Merge System 1.8.5

MyBB Merge System 1.8.5 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

This release fixes several reported issues since the release of 1.8.4, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.

What’s new in this version?

  • 26 bug fixes (View all)
    • Including several changes to the private message modules, forum permissions, the usergroup module and attachments
    • Support for phpBB 3.1
    • Support for IPB 4

Note about the loginconvert Plugin

The official loginconvert plugin was also updated to version 1.4.1, including fixes for password resets and special passwords. If you’ve run a merge in the past, please update your plugin. The plugin was also added to our mods site.

Thanks,

MyBB Team

3 thoughts on “MyBB 1.8.5, 1.6.17 & Merge System 1.8.5 Release”

  1. Hi, please edit the link to this
    Download and use the full 1.8.5 Release Package (MD5: 80a24a9a434e0c70e2a21e3b1744378f)
    It is showing 404 Not Found Error. I think you got the url wrong.
    Thanks.
