MyBB 1.8.17 Released — Maintenance Release

MyBB 1.8.17 is now available, and is a maintenance release.

This update fixes several issues introduced by MyBB 1.8.16 such as not being able to log into forums.

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.16 Released — Security & Maintenance Release

MyBB 1.8.16 is now available, and is a security & maintenance release.

This update includes compatibility fixes for database engines and recent PHP versions as well as performance and global security improvements. Note that the theme’s CSS files may need to be updated. If you use the login_attempt_check() function, note that its signature has changed.

 

  • 6 security vulnerabilities addressed:
    • High risk: Image & URL MyCode Persistent XSS — reported by Punisher_HF
    • Medium risk: Multipage Reflected XSS — reported by Dimaz Arno of Ethic Ninja
    • Low risk: ACP logs XSS — reported by Cillian Collins
    • Low risk: Arbitrary file deletion via ACP’s Settings — reported by Devilshakerz of MyBB Team
    • Low risk: Login CSRF — reported by Cillian Collins
    • Low risk: Non-video content embedding via Video MyCode — reported by Punisher_HF
  • 66 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

 

Issues on Upgrade?

 

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.15 Released — Security & Maintenance Release

MyBB 1.8.15 is now available, and is a security & maintenance release.

This update includes compatibility improvements for PostgreSQL and recent PHP versions as well as minor optimizations.

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.14 Released — Security & Maintenance Release

MyBB 1.8.14 is now available, and is a security & maintenance release.

This update applies security patches and fixes minor issues related to the upgrade script included in the previous version.

  • 2 security vulnerabilities addressed:

    • High risk: Language file headers RCE — reported by Julian Rittweger
    • Low risk: Language Pack Properties XSS — reported by Julian Rittweger
  • 2 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.13 Released — Security & Maintenance Release

MyBB 1.8.13 is now available, and is a security & maintenance release.

This update includes fixes related to compatibility with PostgreSQL, SQLite and PHP 7.2 and resolves attachment HTML output problems. Note that the theme’s CSS files may need to be updated. Please see this post on the community forum for more information.

  • 7 security vulnerabilities addressed:
    • High risk: Installer RCE on configuration file write — reported by pabstersac
    • High risk: Language file headers RCE — reported by Julian Rittweger
    • Medium risk: Installer XSS — reported by pabstersac
    • Medium risk: Mod CP Edit Profile XSS — reported by Julian Rittweger
    • Low risk: Insufficient moderator permission check in delayed moderation tools — reported by Starpaul20 of MyBB Team
    • Low risk: Announcements HTML filter bypass
    • Low risk: Language Pack Properties XSS — reported by Julian Rittweger
  • 62 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.

If you would like to contribute to the Project, Get Involved.

Thanks,

MyBB Team

A Fresh Perspective

Blog header image

MyBB has been making some changes lately, and if you haven’t noticed we’re here to give you the scoop. Discussion about bridging 1.x closer to 2.0 has been settling, and as such we have decided on the best course of action moving forward. This comes with some other updates, including the main site going responsive, our blog getting way more fun, setting up an official demo site, and speeding up that darn extension approval process.

MyBB.com

If you’ve browsed our site lately on mobile, you may have noticed that it can be a real pain to navigate. We believe it is time to change that. Rather than awaiting MyBB 2 to bring our website into the modern age, you can expect it to be updated very soon. The new site will feature a few things:

  • Modern Design – We are making sure to get the site up to modern design standards.
  • Fully Responsive – This is part of a larger goal to get all MyBB products responsive, we’re starting with the main site.
  • SEO – Finding pages on MyBB should be a much better experience through search engines.

If you have some time and want to leave some feedback, or if you just want to look at the new design, please visit the thread or repository linked below. Thanks!

New MyBB responsive design New MyBB responsive design repository

Blog

Our blog will be getting some love as well. We’re now creating our blog posts via a repository on GitHub, so you can help (Or just get a sneak peek at what the next blog will be about). If you have an idea for a blog post that we haven’t done yet, or think we could be doing something better, feel free to open an issue in the repository linked below.

New MyBB responsive design

Official Demo Site

You may or may not know this, but we keep the community forum as vanilla as possible so users can get a feel for what MyBB is, right out of the box. Unfortunately this limits some decisions we make where improving the community forum is concerned. Not only that, but it limits how users can explore a vanilla MyBB installation as well. We are going to be creating a demo website to solve both of these issues, allowing you as users to browse a clean installation of MyBB easily. Obviously these demo installs will be lacking a couple of features that a full blown install contains, such as the ability to install custom themes and plugins – this is purely a security precaution.

Providing a clean demo system for users also opens up the possibility for more changes to be made to the official community forum – such as updating the styling to fit in with the rest of the website – in the future.

You can expect work to begin on this project after the new website has launched. Stay tuned for further updates!

MyBB Extensions

Approval Process

It’s no secret that getting a modification approved on the MyBB website can be a slow process. The main offender for this is our mission to make sure submissions are safe and of good quality, which means exploring the code and installing them for ourselves. This just isn’t a sustainable practice and results in a lot of frustration.

To speed up your addon submissions, we’re going to be easing our policy for allowing submissions. The policy has been published in our documentation, check it out at the following link.

Mod submission policy

If you find an issue with one of these unapproved addons, or even one that has been approved, please report it to us via the Private Inquiries forum so we can investigate properly.

Paid Modification Support

We are also taking a look into our support of paid modifications. In the past, these have been banned from being posted anywhere on the forum. Paid authors create some great things, so we’d like to embrace them more going forward. Our current solution is allowing paid modifications in the Requests/Services/Jobs forum, which you can find below.

We’re also considering the possibility of adding thread prefixes to the Requests/Services/Jobs forum in an effort to easily distinguish the types of services available. If you have any suggestions regarding these categories, we’re all ears!

MyBB R/S/J Forum

MyBB Software Development Path

After a lot of discussion internally, on the forum and in Discord, we’ve decided on the path that the MyBB software will be following leading up to MyBB 2. While we can all agree that MyBB needs to be more modern, rewriting it entirely from scratch is an enormous task and is taking much longer than we anticipated. Judging from the input from users, as well as discussion among staff, our best option moving forward will be to further bridge the 1.x series toward MyBB 2, while updating it to be more usable and modern.

MyBB Poll results

We have not decided on any specifics, but have discussed some of the following options:

  • Use Twig
  • Use Sass
  • New, responsive theme
  • Improved user experience, meaning changes like alerts or conversations

All that we know for now is that the MyBB 1.x line needs to be improved, and we need your help on deciding what exactly will be changing. If you’d like to join in on the discussion, head over to the forum thread we’ve been using to discuss the software.

MyBB 2.0 forum thread

Moving Forward

Overall we think these changes will help bring MyBB into the modern age, and make things a lot more fun to take part in. We love reading what you, the users of MyBB have to say and take it all into consideration. If you’d like to have a discussion with us, please hop on Discord and let us know about it!

Join Discord

MyBB 1.8.12 Released – Security & Maintenance Release

MyBB 1.8.12 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 3 security vulnerabilities and 14 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Medium risk: Insufficient permission check in multiquote feature – reported by frostschutz
    • Medium risk: CSV macro injection on PM export – reported by Rico A. Silvallana
    • Low risk: Weak password reset codes & false positives – reported by Devilshakerz

Please view the 1.8.12 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.11 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 9 language files and 9 templates were changed or added.

If you’re using MyBB 1.8.11:

  • Download and use the Changed Files Package
    • MD5: 9ebfae510ec51bc27f7b0062f4f99394
    • SHA1: d97f0e13799661b5811245030ef9e56c597086ff
    • SHA256: 17eab833ae6f1a7653d324da3866573437a566f0c2e4f7b4ceddb23795a933f0
    • SHA512: 1b10d9d85dca44a854783f1e37afbec2aac9d657689d09147d414ae41835386f4d97ea0c686edb06fd5de13d2a929bccf7af67fd8af7d95cddc009c6f81812d8
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.10 or lower:

  • Download and use the full 1.8.12 Release Package
    • MD5: aa0e92e5e55b69f33cab3401994f767a
    • SHA1: 1a406afbb9343145877b0382ab479dc5d17d7813
    • SHA256: a6decde96ae84a2f34a40c2f175172be163ca1fb294c5e4cef5a6396c3eb9f42
    • SHA512: c5292eab2b9a6dbefe1a696aecdb3202a7d4c9f27de3983ba975c3381aaadd775537f4bd5e389eee18ee2237506a2c8e8bb60e2ec7f0f48483335c8e3a6a5ce4
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB 1.8.11 & Merge System 1.8.11 Release

MyBB 1.8.11 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 3 security vulnerabilities and 32 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • High risk: XSS Injection in Email MyCode – reported by Zhiyang Zeng of Tencent security platform department
    • Medium risk: SSRF protection can be bypassed – reported by Orange Tsai of DEVCORE and Jasveer Singh of SEC Consult Vulnerability Lab
    • Low risk: Directory Traversal in smilie module – reported by Zhiyang Zeng of Tencent security platform department

Please view the 1.8.11 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.10 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 5 language files and 7 templates were changed or added.

If you’re using MyBB 1.8.10:

  • Download and use the Changed Files Package
    • MD5: f99cdecf3d96c8c39441c81d8468e4f6
    • SHA1: 323bec46d3da051fe5e9899e1a4ffdd8e538b5f5
    • SHA256: f3a50f31dc6045e63ccad826fd4fa35f1240891238f4fbcdaeb724835cd58f4d
    • SHA512: 4d9018f2e1f286dd447e4c4db0ba9be18b1c407ed63272711d11deb6a09d7e301967917d465e368d8ebdd046cc0c7c5a23308b8ed72f8d5f9e9307ba6a81f8e3
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.9 or lower:

  • Download and use the full 1.8.11 Release Package
    • MD5: d4d3de795b69b076264a007e7a989f64
    • SHA1: 5ca8bf23a8efe0940bfe3c6fba852676144ea134
    • SHA256: c95cf770fffb37f811bee17a828cea8f0c789f22069c1783f3fb6f567fa7ca43
    • SHA512: 9db6ec3894cd66a26dffb5682109e25073148f1c885f2e0638be8c7d95eb2ba5e16db6dc66087431e919d849acdb7c2c11c95e247e99f6f8f44bcc19fe721015
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB Merge System 1.8.11

MyBB Merge System 1.8.11 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

What’s new in this version?

Thanks,

MyBB Team

Note about updated packages

The original packages have been replaced by updated packages to fix a compatibility issue causing warnings on certain PHP environments.

If you installed or updated your forums using either the full or changed files packages prior to 19:00 on April 6, 2017 GMT please download a fresh package from the links above and replace the following file:

  • inc/functions.php

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package, the file above will appear to be modified if you need to download an updated copy.

We apologise of any inconvenience.

MyBB 1.8.10 Released – Maintenance Release

MyBB 1.8.10 is now available from the MyBB website, and is maintenance release.

What’s added/changed in this version?

This release fixes 22 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

We’ve decided to publish MyBB 1.8.10 only 3 weeks after the previous release to fix an issue breaking some Javascript-based features that was introduced with MyBB 1.8.9.

Please view the 1.8.10 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.9 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 5 language files and 11 templates were changed or added.

If you’re using MyBB 1.8.9:

  • Download and use the Changed Files Package
    • MD5: 9695cb97ff6928640c72436ce3667b05
    • SHA1: 16fd567b118525e0619c6749f27da96c8ceec1a9
    • SHA256: 6eae4b078283a533797ee9692d436b45309c79af4657c9885f79606c50365ec3
    • SHA512: 124cdafcfad72a72ad71d8bbab1c30c335e20edfa89af1976963531e7bebcfdcb4e353a11191d3ef3b2af66effe402e30e093f52c3bea3b3e17d68f6247ba7d9
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.8 or lower:

  • Download and use the full 1.8.10 Release Package
    • MD5: 40868d918262384ce4c1d31399f66b4d
    • SHA1: 192f0c7949e867c800bafd06640bf4b7d1cac6ea
    • SHA256: 34907b26e7534327b828ae7d98d4ab9e5184f985ef8c155fd2b8690809ce6dc0
    • SHA512: cb4584f00c60b757f9ce72e16a8eb8596cc8d4d22bed38085b6967706ab08c1c1bdeb7effba578c388156b57862266a8b30ce181c47968ddb1c1ce7691bec66b
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Note about updated packages

The original packages have been replaced by updated packages to fix an issue causing incorrect last post information on index.

If you installed or updated your forums using either the full or changed files packages prior to 20:00 p.m. on January 12, 2017 GMT please download a fresh package from the links above and replace the following file:

  • inc/datahandlers/post.php

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package, the file above will appear to be modified if you need to download an updated copy.

We apologise of any inconvenience.

MyBB 1.8.9 Released – Security & Maintenance Release

MyBB 1.8.9 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 1 security vulnerability and 52 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Low risk: CSRF issue when removing subscriptions – reported by Devilshakerz

Please view the 1.8.9 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.8 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 18 language files and 85 templates were changed or added.

If you’re using MyBB 1.8.8:

  • Download and use the Changed Files Package
    • MD5: cd4f736ef9c3b20136203350468ad23d
    • SHA1: 3208c50d35aacc9d51d195de8ccc33aed1e3b1c6
    • SHA256: c153236148457ae1ea2a62b8c7c15a11a093ab436ae6ea416c8cf9ca2bf53687
    • SHA512: 1e16aeae125a1e2edf966866d53c51ce9b5d7568214c6244efc4976d4af16186e3f9f10f8eafbd5f5de3210a1fada6635fea7c97bb09afe3d1c9bf3e368bfa3d
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.7 or lower:

  • Download and use the full 1.8.9 Release Package
    • MD5: b1a8fbdb4d8a888f7757be14cd658662
    • SHA1: d30f95de2e2142a46e4a34e0d26a8d3f5762cb22
    • SHA256: cc4a015edb96b587a74b3d54c00bf2ecd4be6ff2efec8b24caae90c538b42e89
    • SHA512: b18ffd2797f2f6fc775fda7b47c6d4b63d36f0e8c57ee1ce6797de8e600f741df2cc1bce713723b12d2374e723289641ab3a10248f5ba53672f5765bed836056
  • Follow the Docs Upgrading Instructions

To update existing themes the following CSS code needs to be added to global.css:

.deleted_post_hidden {
	border-top: 2px solid #ccc;
	padding: 15px;
}

.deleted_post_collapsed {
	border-top: 3px solid #333;
	padding: 15px;
}

.deleted_post_collapsed .show_deleted_post {
	margin-top: -15px;
}

.deleted_post_collapsed .show_deleted_post a.button span {
	background-position: 0 -400px;
}

Note: JavaScript-related bugs discovered
We have found that some JavaScript-based functions (like the inline moderation) may not work properly under MyBB 1.8.9. Please refer to the Community thread for detailed instructions on how to patch the code while we prepare a fixed package.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team