MyBB

***Chris Boulton*** · 04-14-2006, 01:29 AM

MyBB 1.1.1 is a security update to the MyBB 1.x series. It fixes several moderate-low risk cross site scripting exploits which have recently been found and published in MyBB. It also fixes a potentially larger security issue on some installations.

We recommend all users upgrade their copy of MyBB to the latest available release.

Fixed vulnerabilities:

Fixes direct initialization of global.php and inc/init.php which could lead to security vulnerabilities (imei Web Security)
Possible cross site scripting through unproper sanitisation of [img] tags (imei Web Security)
Possible cross site scripting through login redirection URL (imei Web Security)
Possible cross site scripting through unproper sanitization of [email] tags (Devil-00)
Possible cross site scripting through signature preview page (Roozbeh Afrasiabi)
Possible cross site scripting through guest usernames when posting (Devil-00)
Possible cross site scripting through attachment content disposition for HTML attachments (WhiteAcid)

The release on the MyBB site has also been updated to 1.1.1.

Update instructions are in the next post, including a list of changed files (and a ZIP archive of them) as well as manual patching instructions for those of you who have customized their code.

MyBB Group

***Chris Boulton*** · (This post was last modified: 04-15-2006 03:53 AM by Chris Boulton.)

Updating from 1.1.0 Using Changed Files (Recommended)

Download the attached "mybb_111_changed_files.zip" from this post.
Upload the contents of it to your forums in the corresponding folders.
Check your Admin CP to confirm you are running 1.1.1

Updating from 1.1.0 Manually

Download the attached "mybb_111_patch.txt" from this post.
Follow the manual patch instructions in the file replacing or adding code where necessary and uploading the files back up to your web site.

Updating from Previous Releases
Download the latest release from the MyBB web site and follow the general upgrade procedure. (Found in docs/upgrade.html)

Changed Files

inc/init.php
inc/functions.php
inc/functions_post.php
attachment.php
global.php
member.php
newreply.php
newthread.php
usercp.php

***Chris Boulton*** · 04-14-2006, 01:39 AM

You may discuss this announcement here: http://community.mybboard.net/showthread.php?tid=8233

***Chris Boulton*** · (This post was last modified: 04-14-2006 03:19 AM by Chris Boulton.)

To those of you who had applied this update before this post, please make the following changes to functions_post.php

Find:

Code:

if(preg_match("/^(.+)@[a-zA-Z0-9-]+\.[a-zA-Z0-9.-]+$/si", $email))

Replace it with:

Code:

if(preg_match("/^([a-zA-Z0-9-_\+\.]+?)@[a-zA-Z0-9-]+\.[a-zA-Z0-9\.-]+$/si", $email))

This will fix the possible cross site scripting with the [email] tags which for some reason, the replacement code was still the same as the original.

You may also use the attached functions_post.php as a replacement copy.

The MyBB download and manual patch instructions as well as changed files have been updated to refelct this.

***Chris Boulton*** · (This post was last modified: 04-15-2006 06:21 AM by Chris Boulton.)

If you applied this patch before 3:20am Saturday 15 April (GMT), there have been a few small issues reported regarding this patch and functionality.

- [img] tags may no longer work correctly
- [img=wxh] tags my no longer work correctly
- "Allow [img] Code" setting no longer works for MyCode
- Thruth tricky URL modification it is possible to change the $_SERVER variable thus making one of the patches we had in place useless.

Thanks to both DCoder and once again our friend imei for making me aware of this.

To fix this yourselves you can either download the patched files attached below or make the following changes yourself:

global.php

Find:

Code:

if(strpos(strtolower($_SERVER['PHP_SELF']), "global.php") !== false)

{

    die("Direct initialization of this file is not allowed.");

}

MOVE it to ABOVE:

Code:

// This is a temporary patch put in place until 1.2 is released.

inc/functions_post.php:

Find:

Code:

    if($allowimgcode)

    {

        $message = preg_replace("#\[img\](https?://([^<>\"']+))\[/img\]#i", "<img src=\"$1\" border=\"0\" alt=\"\" />", $message);

        $message = preg_replace("#\[img=([0-9]{1,3})x([0-9]{1,3})\](https?://([^<>\"']+))\[/img\]#i", "<img src=\"$3\" style=\"border: 0; width: $1px; height: $2px;\" alt=\"\" />", $message);

    }

REPLACE it with:

Code:

    if($allowimgcode != "no")

    {

        $message = preg_replace("#\[img\](https?://([^<>\"']+?))\[/img\]#i", "<img src=\"$1\" border=\"0\" alt=\"\" />", $message);

        $message = preg_replace("#\[img=([0-9]{1,3})x([0-9]{1,3})\](https?://([^<>\"']+?))\[/img\]#i", "<img src=\"$3\" style=\"border: 0; width: $1px; height: $2px;\" alt=\"\" />", $message);

    }

The download on the MyBB site has also been updated.