MyBB 1.8.9 Released – Security & Maintenance Release

MyBB 1.8.9 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 1 security vulnerability and 52 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Low risk: CSRF issue when removing subscriptions – reported by Devilshakerz

Please view the 1.8.9 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.8 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 18 language files and 85 templates were changed or added.

If you’re using MyBB 1.8.8:

  • Download and use the Changed Files Package
    • MD5: cd4f736ef9c3b20136203350468ad23d
    • SHA1: 3208c50d35aacc9d51d195de8ccc33aed1e3b1c6
    • SHA256: c153236148457ae1ea2a62b8c7c15a11a093ab436ae6ea416c8cf9ca2bf53687
    • SHA512: 1e16aeae125a1e2edf966866d53c51ce9b5d7568214c6244efc4976d4af16186e3f9f10f8eafbd5f5de3210a1fada6635fea7c97bb09afe3d1c9bf3e368bfa3d
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.7 or lower:

  • Download and use the full 1.8.9 Release Package
    • MD5: b1a8fbdb4d8a888f7757be14cd658662
    • SHA1: d30f95de2e2142a46e4a34e0d26a8d3f5762cb22
    • SHA256: cc4a015edb96b587a74b3d54c00bf2ecd4be6ff2efec8b24caae90c538b42e89
    • SHA512: b18ffd2797f2f6fc775fda7b47c6d4b63d36f0e8c57ee1ce6797de8e600f741df2cc1bce713723b12d2374e723289641ab3a10248f5ba53672f5765bed836056
  • Follow the Docs Upgrading Instructions

To update existing themes the following CSS code needs to be added to global.css:

.deleted_post_hidden {
	border-top: 2px solid #ccc;
	padding: 15px;
}

.deleted_post_collapsed {
	border-top: 3px solid #333;
	padding: 15px;
}

.deleted_post_collapsed .show_deleted_post {
	margin-top: -15px;
}

.deleted_post_collapsed .show_deleted_post a.button span {
	background-position: 0 -400px;
}

Note: JavaScript-related bugs discovered
We have found that some JavaScript-based functions (like the inline moderation) may not work properly under MyBB 1.8.9. Please refer to the Community thread for detailed instructions on how to patch the code while we prepare a fixed package.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB 1.8.8 & Merge System 1.8.8 Release

MyBB 1.8.8 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 7 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Medium risk: Style import CSS overwrite on Windows servers – reported by patryk
    • Medium risk: SQL Injection in the users data handler – reported by afinepl
    • Medium risk: SSRF attack in fetch_remote_file() – reported by dawid_golunski
    • Medium risk: Possible short name access to ACP backups on Windows servers – reported by kevinoclam
    • Low risk: Stored XSS in the ACP – reported by patryk
    • Low risk: Loose comparison false positives – reported by Devilshakerz
    • Low risk: Possible XSS injection in ACP users module – reported by afinepl

Please view the 1.8.8 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.7 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 23 language files and 64 templates were changed or added.

If you’re using MyBB 1.8.7:

  • Download and use the Changed Files Package
    • MD5: 43028accb46eecf8016ef5fdc4fe522a
    • SHA1: 2c9985353e87c8710bdcdcf1856b0a6c63961317
    • SHA256: bb479145b44f169c301c21425f78742d8cacd9fd9ef4543c2a5e39ab540f769e
    • SHA512: 47ddbd601d008e9cb7309b328d36df95f901d1935593ded61e70cef22dc1312257266e056e5ea9d214babfd47a0aeb9560e9d11a5abb8d68a244f442467c41854a73f915ee3f4e6bd2f654334ca0f75
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.6 or lower:

  • Download and use the full 1.8.8 Release Package
    • MD5: 2e09c9fd3b2416ac3fea9bada18d61e5
    • SHA1: 2b8469cb42c3a66ec7e3253aa0cced464585d3dd
    • SHA256: e63bd3ce5b8a7c4166102baa75f0aab1d12fc64379658a027d8bf49a437a469a
    • SHA512: 8dec5923737b11deae578ed02f259acda01ca5bcc9032bc01df1e2d77ce36c54f87e66e42850460c8ea07515d99d4b5da4a73f915ee3f4e6bd2f654334ca0f75
  • Follow the Docs Upgrading Instructions

This update includes security fixes that may need your attention:

  • Additional rules disallowing access to the database backups directory (admin/backups/) were added to htaccess.txt and htaccess-nginx.txt, addressing a security issue affecting Windows installations – remember to update your configuration files.
  • $config['disallowed_remote_hosts'] and $config['disallowed_remote_addresses'] variables, containing default loopback hosts and IPv4 addresses, were added to the inc/config.php file, addressing a SSRF vulnerability – remember to update your configuration files and, if applicable, add further hosts and/or addresses that MyBB shouldn’t attempt to access.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB Merge System 1.8.8

MyBB Merge System 1.8.8 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

This release fixes several reported issues since the release of 1.8.7, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.

What’s new in this version?

  • 5 bug fixes (View all)
  • Preliminary support for merges from vBulletin 5 installations. This module hasn’t had a lot of testing, so please report back with how vBulletin 5 merges go and always test your merge on a local machine first.

Important note

This will be the last release of the Merge System 1.8. We’re instead concentrating development efforts on MyBB 2.0 and a brand new Merge System to accompany it – please stay tuned for more news on the new merge system!

Thanks,

MyBB Team

MyBB 1.8.7 & Merge System 1.8.7 Release

MyBB 1.8.7 – Security & Maintenance Release

MyBB 1.8.7 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 13 security vulnerabilities and 83 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Medium risk: Possible SQL Injection in moderation tool – reported by jamslater
    • Low risk: Missing permission check in newreply.php – reported by StefanT
    • Low risk: Possible XSS Injection on login – reported by Devilshakerz
    • Low risk: Possible XSS Injection in member validation – reported by Tim Coen
    • Low risk: Possible XSS Injection in User CP – reported by Tim Coen
    • Low risk: Possible XSS Injection in Mod CP logs – reported by Starpaul20
    • Low risk: Possible XSS Injection when editing users in Mod CP – reported by Tim Coen
    • Low risk: Possible XSS Injection when pruning logs in ACP – reported by Devilshakerz
    • Low risk: Possibility of retrieving database details through templates – reported by Tim Coen
    • Low risk: Disclosure of ACP path when sending mails from ACP – reported by sarisisop
    • Low risk: Low adminsid & sid entropy – reported by Devilshakerz
    • Low risk: Clickjacking in ACP – reported by DingjieYang
    • Low risk: Missing directory listing protection in upload directories – reported by Tim Coen

Please view the 1.8.7 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.6 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 15 language files and 41 templates were changed or added.

If you’re using MyBB 1.8.6:

If you’re using MyBB 1.8.5 or lower:

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB Merge System 1.8.7

MyBB Merge System 1.8.7 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

This release fixes several reported issues since the release of 1.8.6, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.

What’s new in this version?

Thanks,

MyBB Team

Note about updated packages

The original packages have been replaced by updated packages to fix minor compatibility issues with PHP 5.2 and PostgreSQL and to fix issues with font MyCode and search functionality.

If you installed or updated your forums using either the full or changed files packages prior to 19:00 p.m. on March 25, 2016 GMT please download a fresh package from the links above and replace the following files:

  • inc/cachehandlers/apc.php
  • inc/cachehandlers/eaccelerator.php
  • inc/cachehandlers/interface.php
  • inc/cachehandlers/memcache.php
  • inc/cachehandlers/memcached.php
  • inc/cachehandlers/xcache.php
  • inc/class_parser.php
  • install/resources/upgrade35.php
  • search.php

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package, the file above will appear to be modified if you need to download an updated copy.

We apologise of any inconvenience.

MyBB 1.8.6, 1.6.18 & Merge System 1.8.6 Release

MyBB 1.8.6 – Security & Maintenance Release

MyBB 1.8.6 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 5 security vulnerabilities and 51 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Medium Risk: Forum password bypass in xmlhttp.php – reported by Devilshakerz
    • Low Risk: SQL Injection in Grouppromotions module (ACP) – reported by Devilshakerz
    • Low Risk: Possible XSS Injection in the error handler – reported by FooBar123
    • Low Risk: Possible XSS issues in old upgrade files – reported by FooBar123
    • Low Risk: Possible Full Path Disclosure in publicly accessible error log files – reported by Devilshakerz

Please view the 1.8.6 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.5 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 7 language files and 19 templates were changed or added.

If you’re using MyBB 1.8.5:

If you’re using MyBB 1.8.4 or lower:

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB 1.6.18 – Security Release

MyBB 1.6.18 is now available from the MyBB website. It fixes 1 medium risk and 3 low risk vulnerabilities.

Please note that we’ve extended support period for MyBB 1.6 to give you additional time for upgrading your forum until 1st of October 2015. After that time no support will be provided for MyBB 1.6.

What’s added/changed in this version?

The vulnerabilities are:

Please view the 1.6.18 changes on the Docs site for more information about the changes in this version.

Please note, that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.6.17 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.

If you’re using MyBB 1.6.17:

If you’re using MyBB 1.6.16 or lower

  • Download and use the full 1.6.18 Release Package (MD5: ad17b498116831a1d1d75bf07351ea0c)
  • Follow the Docs Upgrading Instructions

MyBB Merge System 1.8.6

MyBB Merge System 1.8.6 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

This release fixes several reported issues since the release of 1.8.5, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.

What’s new in this version?

  • 11 bug fixes (View all)
    • New module: Avatars are now finally merged!
    • Counters are finally updated automatically – no need to run them manually after the merge
    • Multiple changes to make the merge system more intuitive

Thanks,

MyBB Team

MyBB 1.8.5, 1.6.17 & Merge System 1.8.5 Release

MyBB 1.8.5 – Security & Maintenance Release

MyBB 1.8.5 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 6 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Medium Risk: Reset password code check could be circumvented in member.php – reported by solati.sadegh
    • Medium Risk: Sender email could be spoofed when sending an email to a user in member.php – reported by onlinedevelopers
    • Medium Risk: Permissions not checked for post search with old sid in search.php – reported by pedder55655
    • Medium Risk: XSS in quick edit function of xmlhttp.php – reported by TiberiusG
    • Low Risk: CSRF in ACP mass mail cancellation – reported by Destroy666
    • Low Risk: Use of the U+200E Unicode character to create “duplicate” username – reported by mahdy2021

Please view the 1.8.5 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.4 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 12 language files and 9 templates were changed or added.

If you’re using MyBB 1.8.4:

If you’re using MyBB 1.8.3 or lower:

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB 1.6.17 – Security Release

MyBB 1.6.17 is now available from the MyBB website. It fixes 2 medium risk and 5 low risk vulnerabilities.

Please note that MyBB 1.6 is approaching its end of life and no support will be provided after 1st of September 2015 (see the EOL announcement).

What’s added/changed in this version?

The vulnerabilities are:

  • Medium Risk: Reset password code check could be circumvented in member.php – reported by solati.sadegh
  • Medium Risk: Permissions not checked for post search with old sid in search.php – reported by pedder55655
  • Low Risk: CSRF in ACP mass mail cancellation – reported by Destroy666
  • Low Risk: Use of the U+200E Unicode character to create “duplicate” username – reported by mahdy2021
  • Low Risk: Multiple XSS vulnerability requiring admin permissions – reported by adamziaja, Devilshakerz, DingjieYang and sroesemann
  • Low Risk: A CSRF vulnerability within ACP login – reported by Devilshakerz
  • Low Risk: Cache handler using var_export without encoding checks – reported by chtg

Please view the 1.6.17 changes on the Docs site for more information about the changes in this version.

Please note, that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.6.16 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.

If you’re using MyBB 1.6.16:

If you’re using MyBB 1.6.15 or lower

  • Download and use the full 1.6.17 Release Package (MD5: b9dd9e8cd9c6390626f850bb83cb03cb)
  • Follow the Docs Upgrading Instructions

MyBB Merge System 1.8.5

MyBB Merge System 1.8.5 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

This release fixes several reported issues since the release of 1.8.4, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.

What’s new in this version?

  • 26 bug fixes (View all)
    • Including several changes to the private message modules, forum permissions, the usergroup module and attachments
    • Support for phpBB 3.1
    • Support for IPB 4

Note about the loginconvert Plugin

The official loginconvert plugin was also updated to version 1.4.1, including fixes for password resets and special passwords. If you’ve run a merge in the past please update your plugin. Also the plugin was added to our mods site.

Thanks,

MyBB Team

MyBB 1.8.4 Released – Feature Update, Security & Maintenance Release

MyBB 1.8.4 – Feature Update, Security & Maintenance Release

MyBB 1.8.4 is now available from the MyBB website and is a feature update, security and maintenance release.

What’s added/changed in this version?

This release fixes 7 vulnerabilities and 118 reported issues causing incorrect functionality of MyBB. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version.

Please view the 1.8.4 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.3 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 18 language files. 54 templates have been changed or added.

If you’re using MyBB 1.8.2 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Note about updated package for 1.8.4

Due to a minor issue with the original packages an updated package set has been released.

If you installed or updated your forums using either the full or changed files packages prior to 10:00 a.m. on February 16, 2015 GMT please download a fresh package from the links above and replace the following file:

moderation.php

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package, the file above will appear to be modified if you need to download an updated copy.

We apologise of any inconvenience.

Merge System 1.8.4

MyBB Merge System 1.8.4 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release fixes a compatibility issue with MyBB 1.8.4.

Attack against the community forums prior to 1.8.3 release

The recent 1.8.3 release fixes a high risk SQL injection vulnerability, it is critically important that users upgrade as soon as possible to ensure their systems are safe.

Unfortunately, we wish to inform users that this vulnerability was used against the community forums in the days before it was discovered and patched by our team. The attack was successful in accessing our database, however our logs indicate that only a very small portion of the database was obtained. While we know the size of what was downloaded, we have no way of knowing what data it contained and therefore we cannot rule out that the attacker downloaded a small portion of the users table. The attacker also had access to the ACP for a short period.

In light of this we recommend all community forum users take appropriate precautions on the assumption that their account was accessed. This includes changing your password and monitoring your account for any suspicious activity.

Our understanding is that the attacker used the SQL injection to reset Chris’ community forum password by retrieving the confirmation code, then discover the ACP directory name by searching PMs sent between team members. They were then able to edit the log settings in the ACP to write to a publicly accessible location and create a back-door script on the file-system. Upon discovering the attack we immediately took steps to prevent further access, and we are now confident that the system is secure having searched for any additional back-doors. We have also changed our ACP directory, adopted the new ACP PIN functionality added in 1.8, and used an isolated communication channel to distribute these new details to team members.

We’d like to reiterate that users running the latest version of MyBB are already secured against the vulnerabilities used to gain access to the ACP, and we’ll be using information learned from this attack to further improve security within the ACP in future releases.

Regards,

The MyBB Team.

MyBB 1.8.3 & 1.6.16 Released – Security Releases

MyBB 1.8.3

MyBB 1.8.3 is now available from the MyBB website. It fixes 1 high risk vulnerability, 2 medium risk vulnerabilities and 3 low risk vulnerabilities. We recommend everyone upgrades to this release immediately.

What’s added/changed in this version?

The vulnerabilities are:

  • High Risk: A SQL injection vulnerability in theme selection (reported by StefanT)
  • Medium Risk: A XSS vulnerability in calender.php (reported by -Acid)
  • Medium Risk: A XSS vulnerability in MyCode editor (reported by My-BB.Ir)
  • Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
  • Low Risk: unserialize may call PHP magic methods (reported by chtg)
  • Low Risk: PHP setting request_order can break register globals handling (reported by chtg)

Additionally we’ve fixed an issue with the video MyCode introduced with MyBB 1.8.2 (#1625) and revised the handling of data fetched from our website as a direct consequence of the compromised GitHub account (#1617). In addition to that, we’ve set the adminsid cookie as httpOnly (#1622). We also plan to add enhanced options to protect the Admin CP like two factor authentication with one of the next maintenance releases.

Please note, that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.8.2 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.

If you’re using MyBB 1.8.1 or lower

  • Download and use the full 1.8.3 Release Package (MD5: 1f5d1246da4174f3b29799eca435d86c)
  • Follow the Docs Upgrading Instructions

MyBB 1.6.16

MyBB 1.6.16 is now available from the MyBB website. It fixes 5 low risk vulnerabilities.

What’s added/changed in this version?

The vulnerabilities are:

  • Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
  • Low Risk: A XSS vulnerability in admin/modules/style/templates.php
  • Low Risk: A XSS vulnerability in admin/modules/config/languages.php
  • Low Risk: unserialize may call magic methods (reported by chtg)
  • Low Risk: request_order can break register globals handling (reported by chtg)

Additionally we’ve revised the handling of data fetched from our website as a direct consequence of the compromised GitHub account (#1617). In addition to that, we’ve set the adminsid cookie as httpOnly (#1622).

Please note, that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.6.15 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.

If you’re using MyBB 1.6.14 or lower

  • Download and use the full 1.6.16 Release Package (MD5: 98e84e5de337843f407a4b58d70253c9)
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Note about updated package for 1.6.16

Due to a minor issue with the original packages an updated package set has been released.

If you installed or updated your forums using either the full or changed files packages prior to 18:00 p.m. on November 20, 2014 GMT please download a fresh package from the links above and replace the following file:

admin/modules/home/version_check.php
calendar.php (reverted to previous version)

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package, the file above will appear to be modified if you need to download an updated copy.

We apologise of any inconvenience.

[UPDATED – IMPORTANT] GitHub Account Compromised

UPDATE: Updated the page in which you should check for suspicious activity. It should be the Admin Logs page, not the Database Backups. You should also rebuild the cache (if you’re on 1.8) for ‘update_check’.

 

Hello,

Yesterday, 14th of November, my (Pirata Nervo) GitHub account was compromised. By taking advantage of that, the attacker made a commit to our GH pages, more specifically one which is retrieved by the MyBB software in order to process version checks. Unfortunately, the attack allowed the attacker to setup Database backups of any MyBB forum, without exception, via JavaScript.

In order for you to know if you were attacked, you must have accessed the Admin CP of your forum from 14th November 23:00 GMT to 15th November 15:30 GMT. If you accessed your AdminCP during this timespan, it is likely that you were attacked. Note that if you’re on 1.8, the version check task may have been executed during this period, which may still allow the attack if you login after this period.

To be sure about it, please log on to your AdminCP now and check your Database Backup Logs from ACP -> Tools & Maintenance -> Administrator Logs. If there is at least one log for a database backup made between that time span mentioned above, you were affected. We strongly recommend you to alert your users about it so they can change their passwords.

 

What you have to do: (in case you were attacked)

  • Alert your users to change password.
  • Change your password.
  • Clear your cookies.
  • ACP -> Tools & Maintenance -> Cache Manager -> Rebuild Cache for ‘update_check’.

 

I’ve already enabled 2 Factor Authentication on my GitHub account and changed my password. I deeply apologize for this event for it was never my intention to cause any harm to anyone but it should be my responsibility to keep my account as secure as possible.

 

My apologies,

Pirata Nervo

MyBB 1.8.2 Released – Security Release

MyBB 1.8.2 is now available from the MyBB website. It fixes 1 high risk vulnerability, 2 medium risk vulnerabilities and 2 low risk vulnerabilities. We recommend everyone upgrades to this release immediately.
MyBB 1.6.15 is not affected by these vulnerabilities.

What’s added/changed in this version?

The vulnerabilities are:

  • High Risk: A SQL injection vulnerability in member.php
  • Medium Risk: A XSS vulnerability in report.php
  • Medium Risk: A XSS vulnerability in inc/class_parser.php
  • Low Risk: A XSS vulnerability in admin/modules/style/templates.php
  • Low Risk: A XSS vulnerability in admin/modules/config/languages.php

Please note, that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.8.1 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.

If you’re using MyBB 1.8.0 or lower

  • Download and use the full 1.8.2 Release Package (MD5: 4f6e49b7a457b72dbe8fb47ae5ded430)
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team