MyBB 1.6.2 and 1.4.15 – Security Update

Discussion in 'MyBB Discussions' started by Tom Moore, Apr 7, 2011.

  1. Tom Moore


    MyBB 1.6.2 is a security update to the 1.6 series. It fixes 2 medium-risk security vulnerabilities and one low-risk issue. We recommend that everybody upgrade to this release as soon as possible – or patch their boards with the manual instructions below.
    MyBB 1.4.15 is also a security update to the 1.4 series, which is affected by the same vulnerabilities.
    Thank you to MustLive (Websecurity), MattRogowski and Max Roth for alerting us to these issues.
    What’s fixed in this version?

    The medium-risk issue reported by Max Roth requires HTML in posts to be enabled in a forum. This issue was fixed as part of Issue #1422. Even if you don’t have HTML enabled in posts, it is still recommended to update to resolve this issue.
    MyBB 1.6.1 to MyBB 1.6.2 Patch

    This patch is only for users running MyBB 1.6.1. If you are running an older version of MyBB then please download MyBB 1.6.2 from the MyBB site and update to it.
    Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.
    This update does not require running the upgrader.
    The following files have changed since the initial 1.6.1 release:
    • admin
      • modules
        • tools
          • modlog.php
    • inc
      • class_core.php
      • class_parser.php
    • jscripts
      • validator.js
    • member.php
    • modcp.php
    • xmlhttp.php
    * Red represents files that contain security updates
    * Green represents new files added in this release
    changed_files_1602.zip
    If you wish to manually patch your board please download “mybb_1601_patches.txt” and follow the instructions in that file.
    mybb_1601_patches.txt
    MyBB 1.4.14 to MyBB 1.4.15 Patch

    This patch is only for users running MyBB 1.4.14 who updated their forum when the 1.6.1 and 1.4.14 update was released. If you have not made these updates or are unsure whether you have – and you don’t want to upgrade to 1.6 – then please download 1.4.15 from the MyBB site and update to it.
    mybb_1414_patches.txt
    To ensure users of the 1.4 series have all the recent security updates, the following changed files package contains updates since 1.4.13. The changes to files are mentioned below. If you are still using the 1.4 series, then please make sure that all these files have been updated to keep your forum secure (either by updating to 1.4.15, uploading the changed files package, finding differences using a file difference tool or patches from blog posts).
    It is heavily recommended that you upgrade to 1.6.
    • admin
      • modules
        • tools
          • modlog.php
    • inc
      • datahandlers
        • post.php
      • class_core.php
      • class_parser.php
      • functions.php
      • functions_search.php
    • jscripts
      • validator.js
    • attachment.php
    • editpost.php
    • forumdisplay.php
    • member.php
    • modcp.php
    • newreply.php
    • syndication.php
    • xmlhttp.php
    * Red represents files that contain security updates
    * Green represents new files added in this release
    changed_files_1415.zip
    Reporting MyBB security vulnerabilities

    If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.
    As always, you can send through security-related messages on the MyBB website from the Contact Us page.
    Thank you,
    MyBB Team


    Last edited by a moderator: Jan 5, 2014
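
An added example, not part of the announcement or of MyBB's own tooling: after replacing files from the changed files package, this script checks that every file in the unpacked package is byte-identical to the copy in the forum directory. The script name, the function names and the `admin_dir` parameter are assumptions made for illustration; `admin_dir` covers boards whose admin directory has been renamed, where files uploaded to "admin" would leave the real directory unpatched.

```python
import hashlib
import sys
from pathlib import Path


def sha256(path):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_patch(package_dir, forum_dir, admin_dir="admin"):
    """Compare each file of the unpacked package with the live forum copy.

    admin_dir is the name of the forum's admin directory (assumption: it
    may have been renamed, while the package ships it as "admin").
    Returns a dict of relative package paths: ok, stale (content differs),
    missing (not present in the forum directory).
    """
    package_dir, forum_dir = Path(package_dir), Path(forum_dir)
    report = {"ok": [], "stale": [], "missing": []}
    for src in sorted(p for p in package_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(package_dir)
        parts = list(rel.parts)
        if parts[0] == "admin":
            parts[0] = admin_dir  # map onto the renamed admin directory
        dst = forum_dir.joinpath(*parts)
        if not dst.is_file():
            state = "missing"
        elif sha256(dst) != sha256(src):
            state = "stale"
        else:
            state = "ok"
        report[state].append(rel.as_posix())
    return report


if __name__ == "__main__":
    if len(sys.argv) not in (3, 4):
        sys.exit("usage: verify_patch.py PACKAGE_DIR FORUM_DIR [ADMIN_DIR]")
    report = verify_patch(*sys.argv[1:])
    for state in ("stale", "missing"):
        for name in report[state]:
            print(f"{state.upper():8} {name}")
    # Non-zero exit when any packaged file is not in place on the board.
    sys.exit(1 if report["stale"] or report["missing"] else 0)
```

Run it against the unpacked changed files package and the forum root; a "stale" or "missing" line means that file still needs to be replaced.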
