MyBB 1.8.8 is now available from the MyBB website, and is a security and maintenance release.
What’s added/changed in this version?
This release fixes 7 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.
- Medium risk: Style import CSS overwrite on Windows servers – reported by patryk
- Medium risk: SQL Injection in the users data handler – reported by afinepl
- Medium risk: SSRF attack in fetch_remote_file() – reported by dawid_golunski
- Medium risk: Possible short name access to ACP backups on Windows servers – reported by kevinoclam
- Low risk: Stored XSS in the ACP – reported by patryk
- Low risk: Loose comparison false positives – reported by Devilshakerz
- Low risk: Possible XSS injection in ACP users module – reported by afinepl
- Bugs fixed:
Please view the 1.8.8 changes on the Docs site for more information about the changes in this version.
Please note, that you do need to run the upgrade script for this version.
Upgrading from 1.8.7 and Other Versions
Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.
To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 23 language files and 64 templates were changed or added.
If you’re using MyBB 1.8.7:
- Download and use the Changed Files Package
- Follow the Docs Upgrading Instructions
If you’re using MyBB 1.8.6 or lower:
- Download and use the full 1.8.8 Release Package
- Follow the Docs Upgrading Instructions
This update includes security fixes that may need your attention:
- Additional rules disallowing access to the database backups directory (
admin/backups/) were added to
htaccess-nginx.txt, addressing a security issue affecting Windows installations – remember to update your configuration files.
$config['disallowed_remote_addresses']variables, containing default loopback hosts and IPv4 addresses, were added to the
inc/config.phpfile, addressing a SSRF vulnerability – remember to update your configuration files and, if applicable, add further hosts and/or addresses that MyBB shouldn’t attempt to access.
Reporting MyBB security vulnerabilities
If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.
As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.
MyBB Merge System 1.8.8
MyBB Merge System 1.8.8 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.
This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.
This release fixes several reported issues since the release of 1.8.7, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.
What’s new in this version?
- 5 bug fixes (View all)
- Preliminary support for merges from vBulletin 5 installations. This module hasn’t had a lot of testing, so please report back with how vBulletin 5 merges go and always test your merge on a local machine first.
This will be the last release of the Merge System 1.8. We’re instead concentrating development efforts on MyBB 2.0 and a brand new Merge System to accompany it – please stay tuned for more news on the new merge system!
Thank You for the News. Update the Forums… in coming…
inc/config.php wasn’t updated with new variables. Also I don’t see any documentation on them.
If I remember correctly, the system will act as it previously did if the config variables aren’t present so we chose to omit adding them in order to not cause unexpected changes to behaviour.
Documentation is incoming ASAP but we didn’t want to block the release any further.
Updated the post with a link to a new Docs section on those: https://docs.mybb.com/1.8/administration/security/protection/#configure-access-to-private-hosts-and-ip-addresses
An example config would be nice. To do a test install just to see the lines as-is seems time consuming. Also how about an /inc/config.example.php file because /inc/config.default.php is an empty file. Sometimes people mistakenly blank out their config file and an example would go a long way to fix that.It could also contain documentation for the parameters.