MyBB 1.8.24 Released — Security Release

MyBB 1.8.24 is now available, and is a security release.

After running the upgrade, make sure to update the version attribute in the codebuttons template for non-default themes.

  • 1 security vulnerability addressed:

    • High risk: MyCode message formatting XSS in visual editor (advisory) — reported by Murphy

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.23 Released — Security & Maintenance Release

MyBB 1.8.23 is now available, and is a security & maintenance release.

This release includes added support for hCaptcha, reCAPTCHA v3, APCu, Redis, improvements related to ACP’s Thread Prefixes management, UTF-8 search, performance, and updates jQuery to 3.5.1.

Themes: content of global.css stylesheet may need updating (#3977).

Extension developers: always use verify_post_check() for my_post_key token verification (#4022); positions of some hooks were changed (#3648); the banned datacache was removed (#3878).

  • 1 security vulnerability addressed:

    • Medium risk: Anti-CSRF token disclosure in online status location — reported by Mipher
  • 101 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

A Close Look at 100+ Patched Vulnerabilities

With the release of MyBB 1.8.22, over one hundred vulnerabilities have been addressed in the 1.8 branch. In this post we look into what the numbers can tell us so far, and how the trends are expected to change in the future.

Since the announcement of the first stable package in 2005, over 270 security flaws were fixed in the 87 versions starting with MyBB 1.0 (some of which overlapped when two supported branches received security updates simultaneously), making 88% of all releases related to security fixes. Additional information tracked within the 1.8.x branch surfaces the most common means of reporting, types, and practical impact of 103 vulnerabilities that have been addressed five years in.

Continue reading

MyBB 1.8.22 Released — Security & Maintenance Release

MyBB 1.8.22 is now available, and is a security & maintenance release.

Note: this version removes the discontinued Yahoo profile field, which may have been customized for other purposes.

  • 5 security vulnerabilities addressed:

    • High risk: Installer RCE on settings file write — reported by yelang123 of Stealien
    • Medium risk: Arbitrary upload paths & Local File Inclusion RCE — reported by CNCERT
    • Medium risk: XSS via insufficient HTML sanitization of Blog feed & Extend data — reported by Devilshakerz of MyBB Team
    • Low risk: Open redirect on login — reported by Jyoti Raval of Qualys
    • Low risk: SCEditor reflected XSS — reported by Cillian Collins, bl4ckh4ck5
  • 36 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.21 Released — Security & Maintenance Release

MyBB 1.8.21 is now available, and is a security & maintenance release.

This version includes updated jQuery and SCeditor, JSON Syndication format, improved PostgreSQL support, improved PHP >= 7.1 compatibility, improved search function reliability. See information on SCEditor-related theme updates.

  • 6 security vulnerabilities addressed:

    • High risk: Theme import stylesheet name RCE — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
    • High risk: Nested video MyCode persistent XSS — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
    • Medium risk: Find Orphaned Attachments reflected XSS — reported by Simon Scannell of RIPS Technologies
    • Medium risk: Post edit reflected XSS — reported by adm1nkyj of ENKI
    • Medium risk: Private Messaging folders SQL injection — reported by Alex of DiscoveryGC
    • Low risk: Potential phar deserialization through Upload Path — reported by Simon Scannell of RIPS Technologies
  • 39 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.20 Released — Security & Maintenance Release

MyBB 1.8.20 is now available, and is a security & maintenance release.

This release includes allowing users to see their unapproved content and view user referrals; compatibility with PHP >= 7.2 has been improved and jQuery has been upgraded to 3.0.0, which might affect custom JavaScript code in plugins and themes.

  • 5 security vulnerabilities addressed:

    • Medium risk: Reset Password reflected XSS
    • Medium risk: ModCP Profile Editor username reflected XSS — reported by Jovan Zivanovic of MaTRIS Research Group, SBA Research
    • Low risk: Predictable CSRF token for guest users — reported by Devilshakerz of MyBB Team
    • Low risk: ACP Stylesheet Properties XSS — reported by Cillian Collins
    • Low risk: Reset Password username enumeration via email — reported by Abdullah Md. Shaleh
  • 42 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.19 Released — Security & Maintenance Release

MyBB 1.8.19 is now available, and is a security & maintenance release.

This update includes improved compatibility with PostgreSQL and resolves regressions from previous versions. Administrators may need to update CSS code in global.css for customized themes.

  • 4 security vulnerabilities addressed:

    • High risk: Email field SQL Injection — reported by StefanT
    • Medium risk: Video MyCode Persistent XSS in Visual Editor — reported by Numan OZDEMIR of InfinitumIT
    • Low risk: Insufficient permission check in User CP’s attachment management — reported by StefanT
    • Low risk: Insufficient email address verification — reported by StefanT
  • 8 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.18 Released — Security & Maintenance Release

MyBB 1.8.18 is now available, and is a security & maintenance release.

Changes include added support for Mixer videos and multi-file attachments, modified Word Filter behavior, fixes to the mailing queue and improved compatibility with SQLite and MySQL 8. Theme CSS changes may be required and administrators may need to review Word Filters.

  • 2 security vulnerabilities addressed:

    • High risk: Image MyCode “alt” attribute persistent XSS — reported by Punisher_HF
    • Medium risk: RSS Atom 1.0 item title persistent XSS — reported by 0xB9
  • 30 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.16 Released — Security & Maintenance Release

MyBB 1.8.16 is now available, and is a security & maintenance release.

This update includes compatibility fixes for database engines and recent PHP versions as well as performance and global security improvements. Note that the theme’s CSS files may need to be updated. If you use the login_attempt_check() function, note that its signature has changed.

 

  • 6 security vulnerabilities addressed:
    • High risk: Image & URL MyCode Persistent XSS — reported by Punisher_HF
    • Medium risk: Multipage Reflected XSS — reported by Dimaz Arno of Ethic Ninja
    • Low risk: ACP logs XSS — reported by Cillian Collins
    • Low risk: Arbitrary file deletion via ACP’s Settings — reported by Devilshakerz of MyBB Team
    • Low risk: Login CSRF — reported by Cillian Collins
    • Low risk: Non-video content embedding via Video MyCode — reported by Punisher_HF
  • 66 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

 

Issues on Upgrade?

 

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.15 Released — Security & Maintenance Release

MyBB 1.8.15 is now available, and is a security & maintenance release.

This update includes compatibility improvements for PostgreSQL and recent PHP versions as well as minor optimizations.

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team