MyBB 1.8.16 is now available, and is a security & maintenance release.
This update includes compatibility fixes for database engines and recent PHP versions as well as performance and global security improvements. Note that the theme’s CSS files may need to be updated. If you use the login_attempt_check() function, note that its signature has changed.
- 6 security vulnerabilities addressed:
- High risk: Image & URL MyCode Persistent XSS — reported by Punisher_HF
- Medium risk: Multipage Reflected XSS — reported by Dimaz Arno of Ethic Ninja
- Low risk: ACP logs XSS — reported by Cillian Collins
- Low risk: Arbitrary file deletion via ACP’s Settings — reported by Devilshakerz of MyBB Team
- Low risk: Login CSRF — reported by Cillian Collins
- Low risk: Non-video content embedding via Video MyCode — reported by Punisher_HF
- 66 issues resolved
Check Release Notes for a list of changes to language files, templates and unresolved issues.
Issues on Upgrade?
- SQL syntax error during upgrade: overwrite install/resources/upgrade43.php and run the upgrade process again
- “not allowed” reporting problem: overwrite report.php
- “Authorization code mismatch” on login: use the ACP’s Find Updated Templates feature to insert missing my_post_key input fields to login forms (more information)
The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.