Category Archives: Security

MyBB 1.8.19 Released — Security & Maintenance Release

Posted on by

MyBB 1.8.19 is now available, and is a security & maintenance release.

This update includes improved compatibility with PostgreSQL and resolves regressions from previous versions. Administrators may need to update CSS code in global.css for customized themes.

  • 4 security vulnerabilities addressed:

    • High risk: Email field SQL Injection — reported by StefanT
    • Medium risk: Video MyCode Persistent XSS in Visual Editor — reported by Numan OZDEMIR of InfinitumIT
    • Low risk: Insufficient permission check in User CP’s attachment management — reported by StefanT
    • Low risk: Insufficient email address verification — reported by StefanT
  • 8 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.18 Released — Security & Maintenance Release

Posted on by

MyBB 1.8.18 is now available, and is a security & maintenance release.

Changes include added support for Mixer videos and multi-file attachments, modified Word Filter behavior, fixes to the mailing queue and improved compatibility with SQLite and MySQL 8. Theme CSS changes may be required and administrators may need to review Word Filters.

  • 2 security vulnerabilities addressed:

    • High risk: Image MyCode “alt” attribute persistent XSS — reported by Punisher_HF
    • Medium risk: RSS Atom 1.0 item title persistent XSS — reported by 0xB9
  • 30 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.16 Released — Security & Maintenance Release

Posted on by

MyBB 1.8.16 is now available, and is a security & maintenance release.

This update includes compatibility fixes for database engines and recent PHP versions as well as performance and global security improvements. Note that the theme’s CSS files may need to be updated. If you use the login_attempt_check() function, note that its signature has changed.

 

  • 6 security vulnerabilities addressed:
    • High risk: Image & URL MyCode Persistent XSS — reported by Punisher_HF
    • Medium risk: Multipage Reflected XSS — reported by Dimaz Arno of Ethic Ninja
    • Low risk: ACP logs XSS — reported by Cillian Collins
    • Low risk: Arbitrary file deletion via ACP’s Settings — reported by Devilshakerz of MyBB Team
    • Low risk: Login CSRF — reported by Cillian Collins
    • Low risk: Non-video content embedding via Video MyCode — reported by Punisher_HF
  • 66 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

 

Issues on Upgrade?

 

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.15 Released — Security & Maintenance Release

Posted on by

MyBB 1.8.15 is now available, and is a security & maintenance release.

This update includes compatibility improvements for PostgreSQL and recent PHP versions as well as minor optimizations.

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.14 Released — Security & Maintenance Release

Posted on by

MyBB 1.8.14 is now available, and is a security & maintenance release.

This update applies security patches and fixes minor issues related to the upgrade script included in the previous version.

  • 2 security vulnerabilities addressed:

    • High risk: Language file headers RCE — reported by Julian Rittweger
    • Low risk: Language Pack Properties XSS — reported by Julian Rittweger
  • 2 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.13 Released — Security & Maintenance Release

Posted on by

MyBB 1.8.13 is now available, and is a security & maintenance release.

This update includes fixes related to compatibility with PostgreSQL, SQLite and PHP 7.2 and resolves attachment HTML output problems. Note that the theme’s CSS files may need to be updated. Please see this post on the community forum for more information.

  • 7 security vulnerabilities addressed:
    • High risk: Installer RCE on configuration file write — reported by pabstersac
    • High risk: Language file headers RCE — reported by Julian Rittweger
    • Medium risk: Installer XSS — reported by pabstersac
    • Medium risk: Mod CP Edit Profile XSS — reported by Julian Rittweger
    • Low risk: Insufficient moderator permission check in delayed moderation tools — reported by Starpaul20 of MyBB Team
    • Low risk: Announcements HTML filter bypass
    • Low risk: Language Pack Properties XSS — reported by Julian Rittweger
  • 62 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.

If you would like to contribute to the Project, Get Involved.

Thanks,

MyBB Team

MyBB 1.8.12 Released – Security & Maintenance Release

Posted on by

MyBB 1.8.12 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 3 security vulnerabilities and 14 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Medium risk: Insufficient permission check in multiquote feature – reported by frostschutz
    • Medium risk: CSV macro injection on PM export – reported by Rico A. Silvallana
    • Low risk: Weak password reset codes & false positives – reported by Devilshakerz

Please view the 1.8.12 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.11 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 9 language files and 9 templates were changed or added.

If you’re using MyBB 1.8.11:

  • Download and use the Changed Files Package
    • MD5: 9ebfae510ec51bc27f7b0062f4f99394
    • SHA1: d97f0e13799661b5811245030ef9e56c597086ff
    • SHA256: 17eab833ae6f1a7653d324da3866573437a566f0c2e4f7b4ceddb23795a933f0
    • SHA512: 1b10d9d85dca44a854783f1e37afbec2aac9d657689d09147d414ae41835386f4d97ea0c686edb06fd5de13d2a929bccf7af67fd8af7d95cddc009c6f81812d8
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.10 or lower:

  • Download and use the full 1.8.12 Release Package
    • MD5: aa0e92e5e55b69f33cab3401994f767a
    • SHA1: 1a406afbb9343145877b0382ab479dc5d17d7813
    • SHA256: a6decde96ae84a2f34a40c2f175172be163ca1fb294c5e4cef5a6396c3eb9f42
    • SHA512: c5292eab2b9a6dbefe1a696aecdb3202a7d4c9f27de3983ba975c3381aaadd775537f4bd5e389eee18ee2237506a2c8e8bb60e2ec7f0f48483335c8e3a6a5ce4
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB 1.8.11 & Merge System 1.8.11 Release

Posted on by

MyBB 1.8.11 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 3 security vulnerabilities and 32 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • High risk: XSS Injection in Email MyCode – reported by Zhiyang Zeng of Tencent security platform department
    • Medium risk: SSRF protection can be bypassed – reported by Orange Tsai of DEVCORE and Jasveer Singh of SEC Consult Vulnerability Lab
    • Low risk: Directory Traversal in smilie module – reported by Zhiyang Zeng of Tencent security platform department

Please view the 1.8.11 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.10 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 5 language files and 7 templates were changed or added.

If you’re using MyBB 1.8.10:

  • Download and use the Changed Files Package
    • MD5: f99cdecf3d96c8c39441c81d8468e4f6
    • SHA1: 323bec46d3da051fe5e9899e1a4ffdd8e538b5f5
    • SHA256: f3a50f31dc6045e63ccad826fd4fa35f1240891238f4fbcdaeb724835cd58f4d
    • SHA512: 4d9018f2e1f286dd447e4c4db0ba9be18b1c407ed63272711d11deb6a09d7e301967917d465e368d8ebdd046cc0c7c5a23308b8ed72f8d5f9e9307ba6a81f8e3
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.9 or lower:

  • Download and use the full 1.8.11 Release Package
    • MD5: d4d3de795b69b076264a007e7a989f64
    • SHA1: 5ca8bf23a8efe0940bfe3c6fba852676144ea134
    • SHA256: c95cf770fffb37f811bee17a828cea8f0c789f22069c1783f3fb6f567fa7ca43
    • SHA512: 9db6ec3894cd66a26dffb5682109e25073148f1c885f2e0638be8c7d95eb2ba5e16db6dc66087431e919d849acdb7c2c11c95e247e99f6f8f44bcc19fe721015
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB Merge System 1.8.11

MyBB Merge System 1.8.11 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

What’s new in this version?

Thanks,

MyBB Team

Note about updated packages

The original packages have been replaced by updated packages to fix a compatibility issue causing warnings on certain PHP environments.

If you installed or updated your forums using either the full or changed files packages prior to 19:00 on April 6, 2017 GMT please download a fresh package from the links above and replace the following file:

  • inc/functions.php

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package, the file above will appear to be modified if you need to download an updated copy.

We apologise of any inconvenience.

MyBB 1.8.9 Released – Security & Maintenance Release

Posted on by

MyBB 1.8.9 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 1 security vulnerability and 52 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Low risk: CSRF issue when removing subscriptions – reported by Devilshakerz

Please view the 1.8.9 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.8 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 18 language files and 85 templates were changed or added.

If you’re using MyBB 1.8.8:

  • Download and use the Changed Files Package
    • MD5: cd4f736ef9c3b20136203350468ad23d
    • SHA1: 3208c50d35aacc9d51d195de8ccc33aed1e3b1c6
    • SHA256: c153236148457ae1ea2a62b8c7c15a11a093ab436ae6ea416c8cf9ca2bf53687
    • SHA512: 1e16aeae125a1e2edf966866d53c51ce9b5d7568214c6244efc4976d4af16186e3f9f10f8eafbd5f5de3210a1fada6635fea7c97bb09afe3d1c9bf3e368bfa3d
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.7 or lower:

  • Download and use the full 1.8.9 Release Package
    • MD5: b1a8fbdb4d8a888f7757be14cd658662
    • SHA1: d30f95de2e2142a46e4a34e0d26a8d3f5762cb22
    • SHA256: cc4a015edb96b587a74b3d54c00bf2ecd4be6ff2efec8b24caae90c538b42e89
    • SHA512: b18ffd2797f2f6fc775fda7b47c6d4b63d36f0e8c57ee1ce6797de8e600f741df2cc1bce713723b12d2374e723289641ab3a10248f5ba53672f5765bed836056
  • Follow the Docs Upgrading Instructions

To update existing themes the following CSS code needs to be added to global.css:

.deleted_post_hidden {
	border-top: 2px solid #ccc;
	padding: 15px;
}

.deleted_post_collapsed {
	border-top: 3px solid #333;
	padding: 15px;
}

.deleted_post_collapsed .show_deleted_post {
	margin-top: -15px;
}

.deleted_post_collapsed .show_deleted_post a.button span {
	background-position: 0 -400px;
}

Note: JavaScript-related bugs discovered
We have found that some JavaScript-based functions (like the inline moderation) may not work properly under MyBB 1.8.9. Please refer to the Community thread for detailed instructions on how to patch the code while we prepare a fixed package.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB 1.8.8 & Merge System 1.8.8 Release

Posted on by

MyBB 1.8.8 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 7 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Medium risk: Style import CSS overwrite on Windows servers – reported by patryk
    • Medium risk: SQL Injection in the users data handler – reported by afinepl
    • Medium risk: SSRF attack in fetch_remote_file() – reported by dawid_golunski
    • Medium risk: Possible short name access to ACP backups on Windows servers – reported by kevinoclam
    • Low risk: Stored XSS in the ACP – reported by patryk
    • Low risk: Loose comparison false positives – reported by Devilshakerz
    • Low risk: Possible XSS injection in ACP users module – reported by afinepl

Please view the 1.8.8 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.7 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 23 language files and 64 templates were changed or added.

If you’re using MyBB 1.8.7:

  • Download and use the Changed Files Package
    • MD5: 43028accb46eecf8016ef5fdc4fe522a
    • SHA1: 2c9985353e87c8710bdcdcf1856b0a6c63961317
    • SHA256: bb479145b44f169c301c21425f78742d8cacd9fd9ef4543c2a5e39ab540f769e
    • SHA512: 47ddbd601d008e9cb7309b328d36df95f901d1935593ded61e70cef22dc1312257266e056e5ea9d214babfd47a0aeb9560e9d11a5abb8d68a244f442467c41854a73f915ee3f4e6bd2f654334ca0f75
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.6 or lower:

  • Download and use the full 1.8.8 Release Package
    • MD5: 2e09c9fd3b2416ac3fea9bada18d61e5
    • SHA1: 2b8469cb42c3a66ec7e3253aa0cced464585d3dd
    • SHA256: e63bd3ce5b8a7c4166102baa75f0aab1d12fc64379658a027d8bf49a437a469a
    • SHA512: 8dec5923737b11deae578ed02f259acda01ca5bcc9032bc01df1e2d77ce36c54f87e66e42850460c8ea07515d99d4b5da4a73f915ee3f4e6bd2f654334ca0f75
  • Follow the Docs Upgrading Instructions

This update includes security fixes that may need your attention:

  • Additional rules disallowing access to the database backups directory (admin/backups/) were added to htaccess.txt and htaccess-nginx.txt, addressing a security issue affecting Windows installations – remember to update your configuration files.
  • $config['disallowed_remote_hosts'] and $config['disallowed_remote_addresses'] variables, containing default loopback hosts and IPv4 addresses, were added to the inc/config.php file, addressing a SSRF vulnerability – remember to update your configuration files and, if applicable, add further hosts and/or addresses that MyBB shouldn’t attempt to access.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB Merge System 1.8.8

MyBB Merge System 1.8.8 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

This release fixes several reported issues since the release of 1.8.7, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.

What’s new in this version?

  • 5 bug fixes (View all)
  • Preliminary support for merges from vBulletin 5 installations. This module hasn’t had a lot of testing, so please report back with how vBulletin 5 merges go and always test your merge on a local machine first.

Important note

This will be the last release of the Merge System 1.8. We’re instead concentrating development efforts on MyBB 2.0 and a brand new Merge System to accompany it – please stay tuned for more news on the new merge system!

Thanks,

MyBB Team