MyBB 1.6.3 and 1.4.16 Security Update

MyBB 1.6.3 and 1.4.16 are now available to download. They fix 1 high risk vulnerability and 1 low risk vulnerability. We recommend that everyone upgrade to this release immediately or patch their boards using the manual patching instructions below.

Thanks to Charlie Somerville and thebod for discovering them. These vulnerabilities are:

In addition to the vulnerabilities, the updates also fix the following issues:

All other outstanding issues will be resolved in the next maintenance release.

For MyBB 1.6

The update to MyBB 1.6.3 also upgrades the Prototype and Scriptaculous JavaScript libraries to their latest versions. This is to help your MyBB forum work properly with Internet Explorer 9.

MyBB 1.6.2 to 1.6.3 Patch
This patch is only for those users running MyBB 1.6.2. If you’re running an older version of MyBB then please download the full version and update to it.

For help upgrading, see the MyBB Wiki: Upgrading.

Please download the attached ZIP archive below and replace the files in your forum directory with those from the ZIP archive.

1.6.3 changed files

You are required to run the upgrader for 1.6.3. After replacing the files above, remove the ‘lock’ file located in forum_root/install/, then visit forum_root/install/upgrade.php and follow the instructions (where forum_root is the web address for your forum). Remember to back up your forum’s files and database before performing this upgrade.

Once the upgrade has completed, visit the Templates & Style area of your ACP – click on Templates on the left and go to “Find Updated Templates”. Revise and amend all affected templates here, paying attention to headerinclude, index_boardstats and forumdisplay_threadlist.

If you wish to manually patch your board please download “1.6.3 patches” and follow the instructions in that file. You are also required to amend templates to ensure functionality for your board. For this, please download “1.6.3 template patches” and follow the instructions – you must do these for all custom themes you have installed.

1.6.3 patches
1.6.3 template patches

Please remember that applying patches should only be a temporary measure until you can fully upgrade your board. The upgrader is required to run to allow the default templates to be updated with the new security fixes.

Changed Files since 1.6.2

  • inc
    • class_core.php
    • functions_search.php
  • install
    • resources
      • mysql_db_tables.php
      • mybb_theme.xml
      • upgrade12.php
      • upgrade17.php
      • upgrade19.php
      • upgrade3.php
      • upgrade5.php
    • upgrade.php
  • jscripts
    • controls.js
    • dragdrop.js
    • effects.js
    • general.js
    • prototype.js
    • scriptaculous.js
    • slider.js
    • thread.js
  • forumdisplay.php
  • index.php
  • misc.php
  • showthread.php

* Red represents files that contain security updates
* Green represents new files added in this release

For MyBB 1.4

For MySQL 5.5 compatibility and IE9 JavaScript fixes, please upgrade to MyBB 1.6.3. Support for MyBB 1.4 will be ending on 1st July 2011, after which there will be no more security updates for the 1.4 series.

1.4.15 to 1.4.16 Patches
This patch is only for those users running MyBB 1.4.15. If you’re running an older version of MyBB 1.4, and don’t want to upgrade to 1.6 just yet, then please download the latest version of MyBB 1.4 from the MyBB Wiki: Versions.

For help upgrading, see the MyBB Wiki: Upgrading.

Please download the attached ZIP archive below and replace the files in your forum directory with those from the ZIP archive.

1.4.15 changed files

You are required to run the upgrader for 1.4.16. After replacing the files above, remove the ‘lock’ file located in forum_root/install/, then visit forum_root/install/upgrade.php and follow the instructions (where forum_root is the web address for your forum). Remember to back up your forum’s files and database before performing this upgrade.

Once the upgrade has completed, visit the Templates & Style area of your ACP – click on Templates on the left and go to “Find Updated Templates”. Revise and amend all affected templates here, paying attention to headerinclude, index_boardstats and forumdisplay_threadlist.

If you wish to manually patch your board please download “1.4.16 patches” and follow the instructions in that file. You are also required to amend templates to ensure functionality for your board. For this, please download “1.4.16 template patches” and follow the instructions – you must do these for all custom themes you have installed.

1.4.15 patches
1.4.15 template patches

Please remember that applying patches should only be a temporary measure until you can fully upgrade your board. The upgrader is required to run to allow the default templates to be updated with the new security fixes.

Changed Files since 1.4.15

  • inc
    • class_core.php
    • functions_search.php
  • install
    • resources
      • mybb_theme.xml
    • upgrade.php
  • jscripts
    • general.js
  • forumdisplay.php
  • index.php
  • misc.php
  • showthread.php

* Red represents files that contain security updates
* Green represents new files added in this release

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

Thank you,
MyBB Team

MyBB 1.6.2 and 1.4.15 – Security Update

MyBB 1.6.2 is a security update to the 1.6 series. It fixes 2 medium risk security vulnerabilities and one low risk issue. We recommend that everybody upgrade to this release as soon as possible – or patch their boards with the manual instructions below.

MyBB 1.4.15 is also a security update to the 1.4 series which is affected by the same vulnerabilities.

Thank you to MustLive (Websecurity), MattRogowski and Max Roth for alerting us to these issues.

What’s fixed in this version?

The medium-risk issue reported by Max Roth requires HTML in posts to be enabled in a forum. This issue was fixed as part of Issue #1422. Even if you don’t have HTML enabled in posts, it is still recommended to update to resolve this issue.

MyBB 1.6.1 to MyBB 1.6.2 Patch

This patch is only for users running MyBB 1.6.1. If you are running an older version of MyBB then please download MyBB 1.6.2 from the MyBB site and update to it.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.
This update does not require running the upgrader.

The following files have changed since the initial 1.6.1 release:

  • admin
    • modules
      • tools
        • modlog.php
  • inc
    • class_core.php
    • class_parser.php
  • jscripts
    • validator.js
  • member.php
  • modcp.php
  • xmlhttp.php

* Red represents files that contain security updates
* Green represents new files added in this release

changed_files_1602.zip

If you wish to manually patch your board please download “mybb_1601_patches.txt” and follow the instructions in that file.

mybb_1601_patches.txt

MyBB 1.4.14 to MyBB 1.4.15 Patch

This patch is only for users running MyBB 1.4.14 who updated their forum when the 1.6.1 and 1.4.14 update was released. If you have not made these updates or are unsure whether you have – and you don’t want to upgrade to 1.6 – then please download 1.4.15 from the MyBB site and update to it.

mybb_1414_patches.txt

To ensure users of the 1.4 series have all the recent security updates the following changed files package contains updates since 1.4.13. The changes to files are mentioned below. If you are still using the 1.4 series, then please make sure that all these files have been updated to keep your forum secure (either by updating to 1.4.15, uploading the changed files package, finding differences using a file difference tool or patches from blog posts).

It is strongly recommended that you upgrade to 1.6.

  • admin
    • modules
      • tools
        • modlog.php
  • inc
    • datahandlers
      • post.php
    • class_core.php
    • class_parser.php
    • functions.php
    • functions_search.php
  • jscripts
    • validator.js
  • attachment.php
  • editpost.php
  • forumdisplay.php
  • member.php
  • modcp.php
  • newreply.php
  • syndication.php
  • xmlhttp.php

* Red represents files that contain security updates
* Green represents new files added in this release

changed_files_1415.zip
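
One way to confirm that every file in a changed files package has actually been updated on the forum, as the paragraph above asks. This is an added example, not MyBB's own tooling: it assumes the ZIP has been extracted to a local directory, and the function names and sample file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_unpatched(package_dir, forum_dir):
    """Compare every file in the extracted package with the forum's copy.

    Returns {relative_path: "missing" | "differs"} for files that do not
    match the package. An empty dict means every packaged file is deployed.
    Files that exist only in the forum directory are ignored.
    """
    problems = {}
    for root, _dirs, files in os.walk(package_dir):
        for name in files:
            packaged = os.path.join(root, name)
            relative = os.path.relpath(packaged, package_dir).replace(os.sep, "/")
            deployed = os.path.join(forum_dir, *relative.split("/"))
            if not os.path.isfile(deployed):
                problems[relative] = "missing"
            elif sha256_of(packaged) != sha256_of(deployed):
                problems[relative] = "differs"
    return problems


def _write(base, relative, content):
    """Create a file (and its parent directories) under base."""
    path = os.path.join(base, *relative.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(content)


def demo():
    """Constructed sample: three paths from the list above, with one file
    replaced correctly, one left stale and one never uploaded."""
    with tempfile.TemporaryDirectory() as tmp:
        package = os.path.join(tmp, "package")
        forum = os.path.join(tmp, "forum")

        _write(package, "inc/class_core.php", b"<?php // patched core\n")
        _write(package, "inc/class_parser.php", b"<?php // patched parser\n")
        _write(package, "xmlhttp.php", b"<?php // patched xmlhttp\n")

        _write(forum, "inc/class_core.php", b"<?php // patched core\n")
        _write(forum, "inc/class_parser.php", b"<?php // old parser\n")
        _write(forum, "inc/config.php", b"<?php // site config, not in package\n")

        return find_unpatched(package, forum)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:8} {path}")
```

A file reported as "differs" may also be one that was edited locally or by a plugin, so review it before overwriting it with the packaged copy.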

Thank you,
MyBB Team

MyBB 1.4.14 Released – Maintenance Release

MyBB 1.4.14 is now available on the MyBB website and is a general maintenance release.

This release fixes a few reported issues with versions released since 1.4.13 that caused some incorrect functionality in MyBB. These bugs have been fixed to provide a more stable version of MyBB for public use. This will be the last maintenance release to the MyBB 1.4 series.

What’s added/changed in this version?

  • MyBB 1.4.14 is now fully compatible with PHP 5.3.
  • Attachment management now properly checks for the post key.

This release has been tested by our Software Quality Assurance group.

Information on upgrading, template changes and language changes can be found in the posts below.

Please note that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from the 1.4 series

When upgrading from 1.4.13, you will not lose any custom themes, plugins or language packs which you may have installed.

Follow the general [Wiki: Upgrading] guide outlined on the MyBB Wiki to complete the upgrade process. You may download a ZIP archive of changed files here:

changed_files_1414.zip

You must then check for modified templates using the instructions below.

Upgrading from other versions

If you are upgrading from a version earlier than 1.2 then you will lose your custom themes, templates and language packs due to the number of changes between your version and the 1.2 series.

Before you attempt to upgrade, ensure you have a database backup and a copy of the files currently in use on your board. This is so you can revert back to your earlier version if you need to or something goes horribly wrong with the upgrade process.

Follow the general [Wiki: Upgrading] guide outlined on the MyBB Wiki to complete the upgrade process.

Changed files since MyBB 1.4.13

  • editpost.php
  • newreply.php
  • newthread.php
  • admin
    • modules
      • home
        • version_check.php
      • config
        • plugins.php
  • install
    • index.php
    • upgrade.php
    • resources
      • upgrade16.php
  • inc
    • class_core.php
    • init.php
    • functions_serverstats.php
    • languages
      • english.php

* Red represents files that contain security updates
* Green represents new files added in this release

Bugs fixed since MyBB 1.4.13

  • #180 – PHP 5.3/6.0 Changes & Support
  • #630 – PHP 5.1+ generates “date_default_timezone_set” warning on every page
  • #959 – Magic Quotes Check
  • #1077 – Post key not checked for attachment management

Theme and template changes

There have been no template changes in this release.

Language file changes

There have been no language file changes in this release.

Plugins

All of your MyBB 1.4.x plugins will work correctly with 1.4.14 without any updates.

MyBB 1.4.13 Released – Security Patches to MyBB 1.4.12

MyBB 1.4.13 is now available on the MyBB website and is a patch to MyBB 1.4.12 which introduced two regressions related to the security updates in MyBB 1.4.12.

This release is to ensure that all users on 1.4.12 have the proper security patches applied to their forum.

Thank you to Pirata Nervo and Labrocca for alerting us to these issues and to Stefan Esser for assisting us with a patch for Issue #843.

What’s fixed in this version?

This update does not require running the upgrader.
There are no database schema, language string, or template changes in this version.

MyBB 1.4.12 to MyBB 1.4.13 Patch

This patch is only for users running MyBB 1.4.12. If you are running an older version of MyBB then please download MyBB 1.4.13 from the MyBB site and update to it using the general [Wiki: Upgrading] guide.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.
changed_files_1413.zip

Alternatively, if you are running MyBB 1.4.11, you may follow the “MyBB 1.4.11 to MyBB 1.4.12 Patch” instructions in the MyBB 1.4.12 announcement and then apply the MyBB 1.4.12 to MyBB 1.4.13 patch above.

The following files were changed since the initial MyBB 1.4.12 release:

  • inc
    • datahandlers
      • post.php
    • functions.php
    • class_core.php

* Red represents files that contain security updates
* Green represents new files added in this release

MyBB 1.2.14 Patch

All users of the 1.2.x series are urged to upgrade to the latest release of MyBB (1.4.13). MyBB 1.2 is no longer being supported and security updates for the MyBB 1.2 series ceased as of January 1, 2010.

Thank you,
MyBB Team

MyBB 1.4.12 Released – Security & Maintenance Update

MyBB 1.4.12 is now available on the MyBB website and is a security and maintenance update to MyBB 1.4.11. This will be the last maintenance release of the MyBB 1.4 series. We will still continue to provide security updates for the MyBB 1.4 series.

This release is to ensure that all users on 1.4.11 have the latest fixes, and to patch two medium-risk security issues and a low risk security issue within MyBB.

Thank you to Stefan Esser and Labrocca for alerting us to these issues.

What’s fixed in this version?

  • #309 – Direct access of some files generates PHP errors
  • #374 – editpost editpost_start hook run twice
  • #466 – Last post date after custom merge
  • #556 – Wrong additional groups in ACP
  • #565 – Custom view in browse users error
  • #575 – Redundant Code in inc/class_parser.php
  • #583 – UTF8-conversion fails with PostgreSQL
  • #586 – Posts after updating the attachments of drafts
  • #592 – Forum subscription displaying always the wrong image
  • #593 – Image upload
  • #594 – portal_pms template not getting cached
  • #597 – $yearsel not defined
  • #598 – Split thread – post icon
  • #604 – Make private event public
  • #606 – Server Statistics – Hostname and hosturl not working
  • #609 – Wrong first day of week in week view
  • #613 – Error if invalid smilie path is used
  • #618 – Alternating trows on profile page
  • #621 – global_pm_alert template typo dismis_notice
  • #622 – Reputation by a deleted user
  • #623 – Upgrade 1.1.18 -> 1.4.11
  • #627 – private_nomessages template not getting cached
  • #632 – Settings not selected if error appears
  • #634 – firstpost of copied thread set to 0
  • #643 – Missing field when fetching latest announcements into portal page
  • #647 – function generate_thumbnail generates warning
  • #650 – Status Icon of Forum not shown on Forum Subscription List
  • #660 – forumdisplay_rules not cached
  • #662 – member.php and $referrals
  • #672 – threadviews task won’t disable from settings change
  • #673 – Typo in member.lang.php $l['hide_dob']
  • #678 – Hard-coded language string in /admin/modules/style/templates.php
  • #684 – Typo in postbit when ignoring users
  • #685 – Akismet “unmark” does not reduce number of “akismetstopped” field.
  • #688 – Old avatars are not deleted
  • #689 – Usercp.php + Modcp.php – XHTML 1.0 Problem ($bdaymonthsel)
  • #703 – Mass Mail Auto Generated Text Version
  • #716 – Error reads “[WRITE] Unable to slave database”, should be select
  • #720 – UTF8 conversion causes mysql error on blob/text fields
  • #722 – Group Join Requests From Guests
  • #727 – Converting a forum with threads to a category should be disallowed
  • #728 – Post Edit bypasses max. [img] MyCodes per Post
  • #749 – Portal “Since then, there have been:” counts unapproved threads and drafts
  • #750 – Theme importing ignored error
  • #759 – Stars are shown on user profile even if they are set to 0 for the group
  • #764 – attachment MyCode isn’t parsed in feeds
  • #774 – mysqli_pconnect function not exists
  • #778 – db reconstruction in inc/functions.php $config check fails
  • #791 – Ratings column of forum display ignores group settings
  • #794 – Badwords preg_quote fix
  • #802 – Stars are shown in Postbit even if they are set to zero and no image is linked
  • #809 – Unviewable threads showing on portal
  • #810 – Portal post shows smilies even when set not to in post
  • #812 – allow [img] in posts depends on MyCode being allowed
  • #816 – Duplicate htmlspecialchar in inc/functions_online.php
  • #821 – syndication.php errors
  • #822 – Use of $_POST in ./xmlhttp.php
  • #835 – MyBB, dl(), and PHP 5.3.x – no dl() in many 5.3.x releases
  • #836 – Debug code left in inc/class_mailhandler.php
  • #843 – Improvements to PHP’s mt_rand RNG seeding
  • #849 – We can set date of birth as future date
  • #852 – CSRF issue in usercp2.php
  • #862 – Rebuilding Attachment Thumbnails Plugin Hook Name
  • #870 – Missing warning messages
  • #871 – Datahandler merge ignores updating post message variable

This release has been tested by our Software Quality Assurance group.

This update does require running the upgrader.
There are database schema, language string, or template changes in this version.

MyBB 1.4.11 to MyBB 1.4.12 Patch

This patch is only for users running MyBB 1.4.11. If you are running an older version of MyBB then please download MyBB 1.4.12 from the MyBB site and update to it using the general [Wiki: Upgrading] guide.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.
changed_files_1412.zip

A manual patch file is not being offered for this release due to the multitude of changes required to implement the security fix. We apologize for any inconvenience this causes.

The following files were changed since the initial MyBB 1.4.11 release:

  • announcements.php
  • calendar.php
  • captcha.php
  • editpost.php
  • forumdisplay.php
  • managegroup.php
  • member.php
  • modcp.php
  • newreply.php
  • newthread.php
  • portal.php
  • private.php
  • reputation.php
  • showthread.php
  • syndication.php
  • usercp.php
  • usercp2.php
  • xmlhttp.php
  • jscripts
    • inline_moderation.js
  • install
    • resources
      • mybb_theme.xml
      • upgrade16.php
  • admin
    • index.php
    • modules
      • forum
        • management.php
      • user
        • mass_mail.php
        • users.php
      • config
        • mod_tools.php
        • settings.php
        • smilies.php
      • tools
        • recount_rebuild.php
        • system_health.php
      • style
        • templates.php
        • themes.php
  • inc
    • class_core.php
    • class_custommoderation.php
    • class_mailhandler.php
    • class_moderation.php
    • class_parser.php
    • db_mysqli.php
    • functions.php
    • functions_image.php
    • functions_online.php
    • functions_serverstats.php
    • functions_upload.php
    • functions_user.php
    • init.php
    • plugins
      • akismet.php
    • languages
      • english
        • global.lang.php
        • member.lang.php
        • messages.lang.php
        • warnings.lang.php
        • admin
          • forum_management.lang.php
          • user_groups.lang.php
    • datahandlers
      • post.php
      • user.php
    • cachehandlers
      • eaccelerator.php
      • memcache.php
      • xcache.php

* Red represents files that contain security updates
* Green represents new files added in this release

MyBB 1.2.14 Patch

All users of the 1.2.x series are urged to upgrade to the latest release of MyBB (1.4.12). MyBB 1.2 is no longer being supported and security updates for the MyBB 1.2 series ceased as of January 1, 2010.

Thank you,
MyBB Team

Important Update: April 16, 2010

If you applied the MyBB 1.4.12 update before April 16, 2010 7:00 UTC we recommend you redownload the changed file package and reupdate the inc/functions.php file to your forum. The change fixes an issue identified in the previous hot patch relating to the random number generator. We are sincerely sorry for the inconvenience caused by this.

Thank you for your cooperation.

MyBB 1.4.11 Released – Minor Patch & Security Update

MyBB 1.4.11 is now available on the MyBB website and is a minor patch update to 1.4.10.

This release is to ensure that all users on 1.4.10 have the latest patches, to fix a small and rare bug that with malicious intent can be used to assist a Denial-of-Service attack, and to patch a low security issue that can allow a user to check for file existence outside of the web root.

Thank you to Labrocca and Secunia (through a third party) for alerting us to these issues.

What’s fixed in this version?

This release has been tested by our Software Quality Assurance group.

This update does not require running the upgrader.
There are no database schema, language string, or template changes in this version.

MyBB 1.4.10 to MyBB 1.4.11 Patch

This patch is only for users running MyBB 1.4.10. If you are running an older version of MyBB then please download MyBB 1.4.11 from the MyBB site and update to it using the general [Wiki: Upgrading] guide.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.
changed_files_1411.zip

If you wish to manually patch your board please download “mybb_1410_patches.txt” and follow the instructions in that file.
mybb_1410_patches.txt

The manual patch instructions only fix the security vulnerabilities and are only made available to temporarily secure your forum until you have time to run the complete upgrade.

The following files were changed since the initial MyBB 1.4.10 release:

  • admin
    • modules
      • style
        • templates.php
      • tools
        • backupdb.php
      • user
        • users.php
  • inc
    • datahandlers
      • event.php
      • user.php
    • class_core.php
    • class_error.php
    • class_moderation.php
    • functions_upload.php
    • functions_time.php
    • tasks
      • backupdb.php
  • calendar.php
  • usercp.php

* Red represents files that contain security updates
* Green represents new files added in this release

MyBB 1.2.14 Patch

Please follow step #1 in the mybb_1410_patches.txt file as listed above.

Please note that all users of the 1.2.x series are urged to upgrade to the latest release of MyBB (1.4.11). MyBB 1.2 is no longer being supported and security updates for the MyBB 1.2 series will only last through December 2009.

Thank you,
MyBB Team

MyBB 1.4.10 Released – Maintenance Release

MyBB 1.4.10 is now available on the MyBB website and is a general maintenance release.

This release fixes several reported issues with versions released since 1.4.8 that caused some incorrect functionality in MyBB. These bugs have been fixed to provide a more stable version of MyBB for public use.

What’s added/changed in this version?

  • MyBB 1.4.10 is now compatible with PHP 5.3.
  • Server Statistics are now sent to MyBB at the end of installation for analytical purposes. This is of course anonymous, no confidential information is sent, and you may easily opt out if you wish.
  • … many other bug fixes

This release has been tested by our Software Quality Assurance group.

Information on upgrading, template changes and language changes can be found in the posts below.

Please note that you need to run the upgrade script for this version.
This is so the templates may be updated.
There are no database schema changes in this version.

Upgrading from the 1.4 series

When upgrading from 1.4.9, you will not lose any custom themes, plugins or language packs which you may have installed.

Follow the general [Wiki: Upgrading] guide outlined on the MyBB Wiki to complete the upgrade process. You may download a ZIP archive of changed files here:

changed_files_1410.zip

You must then check for modified templates using the instructions below.

Upgrading from other versions

If you are upgrading from a version earlier than 1.2 then you will lose your custom themes, templates and language packs due to the number of changes between your version and the 1.2 series.

Before you attempt to upgrade, ensure you have a database backup and a copy of the files currently in use on your board. This is so you can revert back to your earlier version if you need to or something goes horribly wrong with the upgrade process.

Follow the general [Wiki: Upgrading] guide outlined on the MyBB Wiki to complete the upgrade process.

Changed files since MyBB 1.4.8

  • calendar.php
  • forumdisplay.php
  • global.php
  • managegroup.php
  • member.php
  • modcp.php
  • moderation.php
  • portal.php
  • private.php
  • search.php
  • stats.php
  • usercp.php
  • xmlhttp.php
  • admin
    • inc
      • functions_themes.php
      • functions_view_manager.php
    • modules
      • home
        • credits.php
      • forum
        • attachments.php
        • management.php
      • style
        • templates.php
        • themes.php
      • config
        • mycode.php
        • plugins.php
        • settings.php
      • tools
        • backupdb.php
        • mailerrors.php
        • maillogs.php
        • tasks.php
      • user
        • admin_permissions.php
        • group_promotions.php
        • groups.php
        • mass_mail.php
        • users.php
  • install
    • index.php
    • upgrade.php
    • resources
      • language.lang.php
      • mybb_theme.xml
      • output.php
      • upgrade16.php
  • inc
    • class_core.php
    • class_error.php
    • class_feedgeneration.php
    • class_moderation.php
    • class_parser.php
    • db_pdo.php
    • db_pgsql.php
    • functions.php
    • functions_forumlist.php
    • functions_online.php
    • functions_post.php
    • functions_search.php
    • functions_serverstats.php
    • functions_upload.php
    • init.php
    • 3rdparty
      • diff
        • Diff.php
    • languages
      • english.php
      • english
        • datahandler_user.lang.php
        • modcp.lang.php
    • datahandlers
      • event.php
      • pm.php
      • user.php
    • cachehandlers
      • eaccelerator.php
      • memcache.php
      • xcache.php
    • tasks
      • backupdb.php
      • massmail.php
      • promotions.php

* Red represents files that contain security updates
* Green represents new files added in this release

Bugs fixed since MyBB 1.4.8

  • #180 – PHP 5.3/6.0 Changes & Support
  • #249 – Server statistics on installation
  • #297 – Old Credits Updated
  • #307 – Mysql Backups – keys not quoted
  • #308 – PostgreSQL error in Forum Management -> Edit Forum
  • #309 – Direct access of some files generates PHP errors
  • #310 – Multiple Smilies PHP Error
  • #311 – RSS Feed incorrect formatting
  • #318 – search_results_inlinemodcol Template Oversight
  • #319 – Forum announcements trow do not alternate
  • #320 – Mod-CP – Edit User & Birthday
  • #321 – Future mass mailings
  • #322 – HTML in forum names in 1.4.8
  • #323 – Delete a PM using the delete button
  • #324 – Maximum Length in Custom Profile Fields do not work
  • #332 – SQLite version
  • #333 – Captcha not shown if board is closed
  • #334 – Missing label tag
  • #335 – Board Statistics inconsistency
  • #336 – Profile Display Problem: usereputationsystem
  • #353 – ACP – group # of users when using additional groups bug
  • #354 – System mail log: Wrong multipage links
  • #355 – member.php custom profile fields alternating trow issue
  • #356 – Search finduserthreads problem with limit
  • #358 – PHP 5.3 my_number_format stats.php PHP warning
  • #359 – Selective delete system mail logs not working
  • #360 – capitalized LIMIT clause in db abstraction layer queries
  • #361 – Hard-coded language string in admin permissions page
  • #364 – Post not quoted from Reply button
  • #366 – Merged Accounts and Join Date
  • #367 – Who’s online do_addsubscription and removesubscriptions
  • #368 – Search PHP error
  • #369 – UserCP Ampersand in link not valid
  • #370 – Copy forum – forum can have no parent
  • #371 – Backup DB and Check File task enabling warning
  • #372 – Syndication: Atom and RSS different time
  • #373 – Buddy List doesn’t show invisible users as online
  • #381 – </tr> tag missing in template member_register_customfield
  • #382 – Email notification about errors not working
  • #383 – [PM] "Replied to" icon not shown if you replied to all recipients
  • #385 – "create new forum" generates postgresql error
  • #386 – multiple forums memcache bug
  • #387 – Custom Profile Fields using Check Boxes option forgets settings
  • #388 – Inline Thread Deletion and Reported Posts
  • #389 – thread views is stuck if php shutdown function not enabled.
  • #392 – postgres "Split Threads" SQL error
  • #394 – Naming an admin with special characters during installation doesn’t "work"
  • #400 – Profile Editing
  • #401 – Inline Moderation – do_multideleteposts
  • #411 – Highlighted search results..
  • #412 – Promotion bug
  • #414 – 1.4.6, pgsql, ‘move thread’ gives SQL error
  • #416 – Group Promotions not Working or ‘Broke’?
  • #417 – Unapproved threads post count
  • #423 – Users browsing a redirect forum
  • #426 – Problems with language changes in several areas…
  • #429 – MyBB Backups do not preserve NULL and whitespace
  • #441 – Deleting a copied thread deletes the attachments of the original thread too
  • #442 – Wrong dateline of split thread
  • #451 – Unread PM notice disappears after editing options
  • #452 – Upgraded forums issue with themestylesheets cachefile column
  • #457 – Double Template Rows
  • #460 – Attachment search not working correctly
  • #462 – missing "replied to" at PM replied via draft
  • #463 – latest threads on portal page
  • #466 – Last post date after custom merge
  • #468 – Post count accepts minus numbers
  • #473 – unresetted variable in view manager
  • #476 – Subforum of password protected forum searchable
  • #479 – postgresql merge users error
  • #482 – There was a problem communicating with the mod version server.
  • #501 – Hidden fields in profiles and Moderators
  • #507 – Max password length
  • #511 – managegroup.php and displaygroup
  • #516 – Warning with custom profile field
  • #517 – Incomplete theme exports
  • #518 – Missing mod log entry
  • #521 – Display and sort by rating doesn’t work in PostgreSQL
  • #524 – Slight typo in ./inc/functions.php
  • #531 – Findguest/user search error
  • #532 – Email validation weakness
  • #533 – Admincp User Merge and Disabled Forum Postcount
  • #536 – Editing recurring event
  • #541 – Some in cases in error handler don’t work as expected
  • #547 – Warnings when adding a group promotion
  • #549 – Cannot edit bio

Theme and template changes

Using the “Find Updated” link under the “Templates” page in the Admin CP, you can list the templates that have changed in this release and for which you have one or more custom copies.

After identifying changed templates using the tool you can either revert your custom template to the default (delete it) or use the “diff” tool to perform a difference analysis on your custom template and the default.

“Revert required” indicates that for this template to work correctly with MyBB 1.4.8 you’ll either need to revert it to the default or modify your custom template to include the changes in the default. If a revert is not required your custom version of the template should work perfectly fine.

Template changes

Since MyBB 1.4.8 the following templates have had changes to them:

  • member_register_customfield
  • posticons
  • postbit_ignored

* Red represents the template must be updated or reverted to fix security problems

Language file changes

Since MyBB 1.4.8 the following language files have had changes to them:

  • datahandler_user.lang.php

Either update your language packs to include the changes in these files or revert to the standard English language pack.

Plugins

Most of your MyBB 1.4.x plugins will work correctly with 1.4.10 without any updates.


IMPORTANT Update: December 8th, 2009

A change between MyBB 1.4.9 and MyBB 1.4.10 introduced a regression that affects anyone who downloaded the MyBB 1.4.10 package or update before December 7th, 2009. We are releasing a patch to fix this issue.

Open /admin/modules/style/templates.php and find near line 531:

    // Only allow users to move non-default templates to stop them from being able to delete it!
    if($template['sid'] == "-2")
    {
        echo $form->generate_hidden_field("sid", "-2");
    }
    else
    {
        $form_container->output_row($lang->template_set, $lang->template_set_desc, $form->generate_select_box('sid', $template_sets, $sid));
    }

and replace with:

    // Force users to save the default template to a specific set, rather than the "global" templates - where they can delete it
    if($template['sid'] == "-2")
    {
        unset($template_sets[-1]);
    }

    $form_container->output_row($lang->template_set, $lang->template_set_desc, $form->generate_select_box('sid', $template_sets, $sid));

We apologize for this inconvenience!

MyBB 1.4.9 Released – Security Update

MyBB 1.4.9 is a security update to the MyBB 1.4 series. It fixes 1 high risk security vulnerability and two low risk issues. We recommend everybody upgrades to this release immediately or patch their boards with the manual patching instructions below.

These vulnerabilities affect MyBB 1.4.8. MyBB 1.2 is also affected.

Thank you to endeavormac, frostschutz, and TheLinx for alerting us to these issues.

MyBB 1.4.8 to MyBB 1.4.9 Patch

This patch is only for users running MyBB 1.4.8. If you are running an older version of MyBB then please download MyBB 1.4.9 from the MyBB site and update to it.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.

changed_files_1409.zip

If you wish to manually patch your board please download “mybb_1408_patches.txt” and follow the instructions in that file.

mybb_1408_patches.txt

Please Note: You do not have to run the upgrade script for this release.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

MyBB 1.2.14 Patch

Please follow step #1 in the mybb_1408_patches.txt file as listed above.

Please note that all users of the 1.2.x series are urged to upgrade to the latest release of MyBB (1.4.9). MyBB 1.2 is no longer being supported, though security updates for the MyBB 1.2 series will last through December 2009.

MyBB 1.4.8 Released – Maintenance & Security Release

MyBB 1.4.8 is now available on the MyBB website and is a general maintenance and security release.

This release fixes several reported issues in versions released since 1.4.6 that caused some incorrect functionality in MyBB. These bugs have been fixed to provide a more stable version of MyBB for public use.

What’s added/changed in this version?

  • One Low XSS Vulnerability fixed in the Archive – This is tagged as low because it requires moderator permissions. This vulnerability was discovered and reported by frostschutz.
  • One Medium XSS vulnerability fixed in Attachments – This vulnerability was reported by frostschutz.
    Please note that this patch will remove the ability to open some types of attachments directly in your browser (e.g. QuickTime Movies), and will instead ask you to download them.
  • … Several other bug fixes

This release has been tested by our Software Quality Assurance group.

MyBB 1.4.7 to MyBB 1.4.8 Patch

This patch is only for users running MyBB 1.4.7. If you are running any other version of the MyBB 1.4 series then please download MyBB 1.4.8 from the MyBB site and update to it.

If you wish to manually patch your board please download “mybb_1407_patches.txt” and follow the instructions in that file.

mybb_1407_patches.txt

The manual patch instructions only fix the security vulnerabilities and are made available only to temporarily secure your forum until you have time to run the complete upgrade.

Information on upgrading, template changes and language changes can be found in the posts below.

Please note that you need to run the upgrade script for this version.
This is so the templates may be updated.
There are no database schema changes in this version.

MyBB 1.2.14 Patch

Users running MyBB 1.2.14 or any previous release of the MyBB 1.2 series may use the same manual instructions provided in the “mybb_1407_patches.txt” attachment (excluding the version change).

Upgrading from the 1.4 series

When upgrading from 1.4.7, you will not lose any custom themes, plugins or language packs which you may have installed.

Follow the general [Wiki: Upgrading] guide outlined on the MyBB Wiki to complete the upgrade process. You may download a ZIP archive of changed files here:

changed_files_1408.zip

You must then check for modified templates using the instructions below.

Upgrading from other versions

If you are upgrading from a version earlier than 1.2 then you will lose your custom themes, templates and language packs due to the number of changes between your version and the 1.2 series.

Before you attempt to upgrade, ensure you have a database backup and a copy of the files currently in use on your board. This lets you revert to your earlier version if you need to, or if something goes horribly wrong with the upgrade process.

Follow the general [Wiki: Upgrading] guide outlined on the MyBB Wiki to complete the upgrade process.

Changed files since MyBB 1.4.6

  • announcements.php
  • attachment.php
  • forumdisplay.php
  • global.php
  • member.php
  • report.php
  • search.php
  • sendthread.php
  • showthread.php
  • syndication.php
  • xmlhttp.php
  • install/
    • resources/
      • mybb_theme.xml
  • archive/
    • index.php
  • admin/
    • inc/
      • functions_view_manager.php
    • modules/
      • forum/
        • management.php
      • style/
        • templates.php
      • tools/
        • adminlog.php
      • config/
        • plugins.php
        • spiders.php
      • user/
        • admin_permissions.php
        • users.php
  • inc/
    • class_core.php
    • class_language.php
    • class_moderation.php
    • functions.php
    • functions_search.php
    • plugins/
      • akismet.php
    • cachehandlers/
      • memcache.php
    • languages/
      • english.php
      • english/
        • global.lang.php
        • admin/
          • config_spiders.lang.php
    • datahandlers/
      • pm.php
      • post.php
      • user.php

* Red represents files that contain security updates
* Green represents new files added in this release

Bugs fixed since MyBB 1.4.6

  • #51407 – change permission for admin user
  • #51377 – Plugins with Admin CP Hooks run on Plugin Updates page
  • #51257 – Syndication.php MySQL Error (Limit Option) [R] [C-StefanT]
  • #51177 – [Archive] sticky lack htmlspecialchars_uni() escaping [C-StefanT]
  • #51054 – Archive – SQL bug fetching attachments/posts with abandoned thread [C-StefanT]
  • #50833 – Birthday without day [C-StefanT]
  • #50441 – Search Bug w/ “and” [R] [C-StefanT]
  • #50324 – Missing space character [R] [C-Michael S.]
  • #50323 – Missing </tr> in Template modcp_ipsearch_result [R] [C-Michael S.]
  • #50291 – Validation Issue [C-Chris W B.]
  • #50287 – Akismet plugin username link problem [C-StefanT]
  • #50240 – Ability to delete templates [C-Chris W B.]
  • #49888 – [typo] memcache.php [C-StefanT]
  • #49838 – [pgsql] Reporting posts in unmoderated forums [C-StefanT]
  • #49461 – [typo] inc/cachehandlers/memcache.php [C-StefanT]
  • #49898 – Template problem with announcements and no threads [C-StefanT]
  • #49276 – canviewthreads error problem [C-StefanT]
  • #49258 – Notification about new reported posts via PM [C-StefanT]
  • #49256 – Notification about new PM from MyBB Engine [R] [C-StefanT]
  • #49255 – [pgsql] Report posts [C-StefanT]
  • #49251 – [Typo] class_moderation.php (1.4.?) [R] [C-StefanT]
  • #49111 – Percent of total posts [R] [C-StefanT]
  • #48814 – config_spiders.lang.php overrides $lang->language [C-sayakb]
  • #48773 – Usergroup email limit off by one error [C-sayakb]
  • #48771 – Merged Account Reputation Issue
  • #48692 – announcement in password protected forum [C-sayakb]
  • #48670 – Find user posts – not displaying new posts (when hitting limit) [R]
  • #48668 – Displaying search results as posts for moderators [R] [C-StefanT]
  • #48603 – Bug? Admins cannot see user list
  • #48601 – [pgsql] SQL error if threads are moderated [C-StefanT]
  • #47745 – editpost.php issue with closed forums [R]

Theme and template changes

Using the “Find Updated” link under the “Templates” page in the Admin CP, you can list the templates that have changed in this release and for which you have one or more custom copies.

After identifying changed templates using the tool you can either revert your custom template to the default (delete it) or use the “diff” tool to perform a difference analysis on your custom template and the default.

“Revert required” indicates that for this template to work correctly with MyBB 1.4.8 you’ll either need to revert it to the default or modify your custom template to include the changes in the default. If a revert is not required your custom version of the template should work perfectly fine.

Template changes

Since MyBB 1.4.6 the following templates have had changes to them:

  • modcp_ipsearch_result
  • forumdisplay_announcements_announcement

* Red represents the template must be updated or reverted to fix security problems

Language file changes

Since MyBB 1.4.6 the following language files have had changes to them:

  • global.lang.php
  • admin/
    • config_spiders.lang.php

Either update your language packs to include the changes in these files or revert to the standard English language pack.

Plugins

Most of your MyBB 1.4.x plugins will work correctly with 1.4 without any updates.

MyBB 1.4.7 Released – Security Update

MyBB 1.4.7 is a security update to the MyBB 1.4 series. It fixes 1 high risk security vulnerability. We recommend everybody upgrades to this release immediately or patch their boards with the manual patching instructions below.

This vulnerability affects MyBB 1.4.6. MyBB 1.2 is not affected.

Thank you to Jesse Labrocca for alerting us to this vulnerability.

MyBB 1.4.6 to MyBB 1.4.7 Patch

This patch is only for users running MyBB 1.4.6. If you are running an older version of MyBB then please download MyBB 1.4.7 from the MyBB site and update to it.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.

changed_files_1407.zip

If you wish to manually patch your board please download “mybb_1406_patches.txt” and follow the instructions in that file.

mybb_1406_patches.txt

Please Note: You do not have to run the upgrade script for this release.

MyBB 1.2.14 Patch

MyBB 1.2 is not affected.

Please note that all users of the 1.2.x series are urged to upgrade to the latest release of MyBB (1.4.7). MyBB 1.2 is no longer being supported, though security updates for the MyBB 1.2 series will last through December 2009.