MyBB 1.4.5 Released - Maintenance & Security Release

[Ryan Gordon]

MyBB 1.4.5 is now available on the MyBB website and is a general maintenance and security release.

This release fixes over 100 reported issues with version released since 1.4.4 causing some incorrect functionality of MyBB. These bugs have been fixed to provide a more stable version of MyBB for public use.

What's added/changed in this version?

• One Low XSS Vulnerability fixed in the ACP - This is tagged as low because it requires administrator permissions. This vulnerability was discovered and reported by ketto93.
• Several Low CSRF vulnerabilities fixed in the ACP - These are all low priority because they require extremely rare circumstances and cannot compromise any information. They are only useful in assisting a DDOS attack. These vulnerability were found and fixed internally.
• A minor weakness in an algorithm we use for generating a post key was fixed - This is low priority because it requires extensive computing power to even be a problem. This weakness was discovered and reported by frostschutz.
• Commas have not been allowed in usernames since MyBB 1.4. They are forcefully removed during the upgrade procedure for MyBB 1.4.5 to ensure compliance and to fix a reported issue. Please inform your users with commas in their usernames of this change.
• Lots of speed and stability improvements previously affecting large forums.
• ... Lots of other bug fixes
  

This release has been tested by our new Software Quality Assurance group and through a private beta test performed by members of the community. We thank you for making this a fine and stable release.

Information on upgrading, template changes and language changes can be found in the posts below.

Please note, that you need to run the upgrade script for this version.
This is so the templates may be updated.
There are database schema changes in this version.

Reporting MyBB security vulnerabilities
If you think you've found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we've had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

[Ryan Gordon]

MyBB 1.2.14 Patch
The above reported vulnerabilities/weaknesses do not affect MyBB 1.2.

[Ryan Gordon]

Upgrading from the 1.4 series
When upgrading from 1.4.4, you will not lose any custom themes, plugins or language packs which you may have installed.

Follow the general [Wiki: Upgrading] guide outlined on the MyBB Wiki to complete the upgrade process. You may download a ZIP archive of changed files here:

  mybb_1405_changed_files.zip (Size: 761.02 KB / Downloads: 1610)

You must then check for modified templates using the instructions in the next post.

Upgrading from other versions
If you are upgrading from a version earlier than 1.2 then you will lose your custom themes, templates and language packs due to the number of changes between your version and the 1.2 series.

Before you attempt to upgrade, ensure you have a database backup and a copy of the files currently in use on your board. This is so you can revert back to your earlier version if you need to or something goes horribly wrong with the upgrade process.

Follow the general [Wiki: Upgrading] guide outlined on the MyBB Wiki to complete the upgrade process.

Changed files since MyBB 1.4.4

• admin/
  • inc/
    • class_form.php
    • class_page.php
    • functions.php
    • functions_themes.php
      
  • modules/
    • config/
      • mod_tools.php
      • mycode.php
      • plugins.php
      • settings.php
        
    • forum/
      • announcements.php
      • attachments.php
      • management.php
        
    • home/
      • credits.php
        
    • style/
      • templates.php
      • themes.php
        
    • tools/
      • backupdb.php
      • cache.php
      • tasks.php
        
    • user/
      • banning.php
      • group_promotions.php
      • groups.php
      • titles.php
      • users.php
        
  • index.php
    
• archive/
  • global.php
    
• inc/
  • 3rdparty/
    • diff/
      • Diff/
        • Engine/
          • index.html
          • native.php
          • string.php
          • xdiff.php
            
        • Renderer
          • index.html
          • inline.php
          • unified.php
            
        • index.html
        • Renderer.php
          
      • Diff.php
      • Diff3.php
        
    • index.html
      
  • cachehandlers/
    • disk.php
    • eaccelerator.php
    • memcache.php
    • xcache.php
      
  • datahandlers/
    • post.php
    • user.php
      
  • languages/
    • english/
      • admin/
        • global.lang.php
        • home_credits.lang.php
        • style_templates.lang.php
        • user_group_promotions.lang.php
          
      • calendar.lang.php
      • customhelpdocs.lang.php
      • customhelpsections.lang.php
      • datahandler_event.lang.php
      • global.lang.php
      • moderation.lang.php
      • online.lang.php
      • warnings.lang.php
        
    • english.php
      
  • mailhandlers/
    • smtp.php
      
  • plugins/
    • akismet.php
      
  • tasks/
    • backupdb.php
    • checktables.php
    • massmail.php
      
  • class_core.php
  • class_custommoderation.php
  • class_datacache.php
  • class_mailhandler.php
  • class_moderation.php
  • class_parser.php
  • class_session.php
  • db_mysql.php
  • db_mysqli.php
  • db_pgsql.php
  • db_sqlite2.php
  • db_sqlite3.php
  • functions.php
  • functions_compat.php
  • functions_forumlist.php
  • functions_indicators.php
  • functions_massmail.php
  • functions_online.php
  • functions_post.php
  • functions_task.php
  • functions_upload.php
  • functions_user.php
  • init.php
    
• install/
  • resources/
    • mybb_theme.xml
    • upgrade15.php
    • pg_db_tables.php
    • settings.xml
    • upgrade1.php
    • upgrade13.php
    • upgrade14.php
    • upgrade2.php
    • upgrade3.php
    • upgrade5.php
    • upgrade8.php
      
  • index.php
  • upgrade.php
    
• jscripts/
  • general.js
  • popup_menu.js
  • prototype.uncompressed.js
  • thread.js
  • usercp.js
  • validator.js
    
• calendar.php
• forumdisplay.php
• global.php
• htaccess.txt
• index.php
• member.php
• memberlist.php
• modcp.php
• moderation.php
• newreply.php
• newthread.php
• online.php
• portal.php
• printthread.php
• private.php
• report.php
• search.php
• showteam.php
• showthread.php
• syndication.php
• task.php
• usercp.php
• warnings.php
  

* Orange represents files that contain low security updates
* Green represents new files added in this release

Bugs fixed since MyBB 1.4.4

• #47849 - WOL Innacuracies [C-Imad Jomaa]
• #47667 - Custom Profile fields - possible XSS?
• #47362 - Warnings not deleted when member deleted [C-Michael83]
• #47269 - Orphaned attachment deletion [C-Imad Jomaa]
• #46986 - Server load reported as Unknown when 0.00 [C-Imad Jomaa]
• #46540 - portal.php links to guest user profiles [C-Michael83]
• #46492 - /me bug in PM [R] [C-Chris]
• #46386 - [WOL] Unknown location [C-Chris]
• #46326 - Logged In ACP Users [R] [C-Michael83]
• #46302 - Template search issue [C-Michael83]
• #46210 - Missing images after merging posts [R] [C-Michael83]
• #46030 - Archive - bug with non-numeric $page [C-Chris]
• #45969 - Search flooding, wait 0 seconds ??? [R] [C-Imad Jomaa]
• #45959 - Error adding Warn Points.
• #45932 - PHP Mail() Umlaut problem [C-Imad Jomaa]
• #45872 - Promotions requirements order
• #45861 - htaccess.txt RewriteRule [R] [C-Chris]
• #45710 - Forum subscription and permission
• #45656 - Thread mode and multipage [C-Chris]
• #45229 - [PMs] Icons [R] [C-Michael83]
• #45162 - Admin banned by Akismet
• #45123 - global.php: clearing all guest sessions on guest with banned ip [C-Michael83]
• #45103 - Extra @ in valid email [R] [C-Chris]
• #45063 - RE: Poll delete redirection text missing [C-Chris]
• #44946 - Edit ban by Akismet [C-Michael83]
• #44791 - Error if you just enter a space character into the search field [C-D-r-a-g-o-n]
• #44781 - Warnings Expire - Points Not Removed [C-Michael83]
• #44618 - Themes Class/Style Differences [C-Michael83]
• #44483 - Theme count[Admin CP] [C-Michael83]
• #44442 - Reply count when unapproved thread is edited [C-Rcpalace]
• #44331 - [ACP] PM alert setting in user settings [C-Chris]
• #44246 - Spare semi-colon in memberlist.php [C-Chris]
• #44243 - Strange code in newreply.php [C-Imad Jomaa]
• #44113 - Escaped Quotes in Away Reason [R] [C-Chris]
• #44091 - Warning System - Ban time 1 Year [R] [C-Chris]
• #44056 - banning.php typo [C-Chris]
• #43930 - Akismet - Deleting spam threads in ACP [C-Michael83]
• #43915 - Forum counters out of sync after moving and approving a thread [C-Chris]
• #43910 - SQL Error when creating Calendar Event for Single day!
• #43774 - [Askimet] Delete selected messages [C-Michael83]
• #43773 - [ACP] Weekdays select box in task manager [R] [C-Chris]
• #43668 - Mass PM stops on bad username
• #43658 - canviewthreads and forum list [C-Michael83]
• #43610 - Banned by Akismet issue [C-Michael83]
• #43423 - Birthday's extra comma [C-Chris]
• #43322 - AdminCP login styling [C-Michael83]
• #43262 - Post icons in thread subscriptions [R] [C-Michael83]
• #43237 - MailHandler::utf8_encode() breaks multibyte characters
• #43232 - Users cannot view threads when permission "Can Post Threads?" is unchecked. [C-Chris]
• #43210 - [Mod-CP] Lift ban link not working [C-Chris]
• #43185 - threads get listed multiple times after beeing moved
• #43158 - canviewthreads and private forums on forumlist [C-Michael83]
• #42997 - Akismet broken [C-Michael83] [C-Chris]
• #42955 - Member List Sorting by Post Count [C-Michael83]
• #43203 - [split] Moderator Tools / Thread Tool / New Reply Subject [C-Michael83]
• #42922 - Moderator Tools / Thread Tool / New Reply Subject [C-Michael83]
• #42890 - Forum not shown in list on moderation.php if forum not shown in jump menu [C-Michael83]
• #42856 - Printthread doesn't show unapproved posts [C-Michael83]
• #42842 - Cannot unsubscribe from deleted forum [C-Michael83]
• #42836 - Mass Mail replacements [C-Michael83]
• #42745 - Join request remains forever upon user deletion [C-Michael83]
• #42721 - Unapproved post moved, later approved, link remains unapproved [R]
• #42706 - functions_online.php: $themes -> $theme [C-Michael83]
• #42705 - Buddylist: Adding user with a "+" in his username [C-Michael83]
• #42545 - [Small Bug] Usertitle star-image [R] [C-Michael83]
• #42527 - Advanced Permissions error in SQLite [C-Michael83]
• #42526 - SQL error when updating profiles in SQLite [C-Michael83]
• #42464 - Tables Check task SQL error in SQLite [C-Michael83]
• #42414 - On/Off Status in SQLite [C-Michael83]
• #42407 - ACP Preferences in SQLite [C-Michael83]
• #42362 - Warning Language Error? [C-Michael83]
• #42332 - Who's Online - Internal SQL Error [C-Michael83]
• #42281 - Highlighted text moves to the right [R] [C-Chris]
• #42260 - [PostgreSQL] Attachments Statistics in admin cp (new error) [R] [C-Michael83]
• #42225 - Small mistake in functions_upload.php [C-Chris]
• #42188 - PM: usernames missing in message list [C-Michael83]
• #42182 - seo setting [C-Chris]
• #42142 - Merged Users and Reputation [R] [C-Chris]
• #42112 - [PostgreSQL]Failure in portal.php [C-Michael83]
• #42079 - Google Chrome Issues [C-Rcpalace]
• #42053 - Who's online counter
• #41942 - "Log Posting IP Addresses" in adminCP [C-Chris]
• #41924 - private_read - functions_online [C-Chris]
• #41825 - Usergroup permissions: Attachments and PMs [C-Chris]
• #41809 - Typo in profile. [C-Chris]
• #41791 - Admin IP search [C-Rcpalace]
• #41759 - my_substr(): Problem with umlauts [C-Imad Jomaa]
• #41755 - XSS Possibility when you posting a new announcement [C-Chris]
• #41752 - Start and endtime of announcements [C-Chris]
• #41751 - Umlauts in links [C-Imad Jomaa]
• #41713 - Guest posting bug [R] [C-Michael83]
• #41697 - ACP Plugin Update Link Incorrect [C-Chris]
• #41689 - Custom Profile Fields Uneditable [C-Michael83]
• #41681 - upgrade.php wrong syntax [C-Chris]
• #41620 - [PostgreSQL] Attachments Statistics in admin cp [C-Michael83]
• #41616 - Concat not defined in PostgreSQL [C-Michael83]
• #41607 - [PostgreSQL] Warn User [C-Chris]
• #41604 - [PostgreSQL] Export Private Messages [C-Chris]
• #41565 - [PostgreSQL] Registration Error [C-Chris]
• #41499 - Bug with lookback assersions on specific PCRE version
• #41402 - username check (bug) with non-english usernames [C-Chris]
• #41396 - Checkbox settings don't work [C-Chris]
• #41302 - submitting a calendar event - bad timestamp type in SQL query [C-Chris]
• #41251 - MyBB upgrade 1.4.3 -> 1.4.4 - problems with PostgreSQL
• #41204 - "Reply to all" error [C-Chris]
• #41203 - JS Suggested Fix | PopupMenu positioning [C-Michael83]
• #41196 - Settinggroups and isdefault yesno [C-Michael83]
• #41149 - MyBB 1.4.[3,4]: Bad PostgreSQL database logging [C-Michael83]
• #41086 - CAPTCHA login protection bug [R] [C-Rcpalace]
• #41207 - [Fix] Empty data after parse_message()
• #41238 - Empty postings in 1.4.4
• #40936 - Missing subject when splitting posts [C-Chris]
• #40935 - Template search_results_threads: Wrong colspan value [C-Michael83]
• #40908 - Links given in email and PM via reported post [C-Michael83]
• #40737 - Thread rating: Number of stars [R] [C-Michael83]
• #38515 - [WOL] - "Viewing No Permissions Page" not shown [C-Michael83]
• #38084 - SMTP error / umlaut problem [C-Michael83]
• #35048 - Upgrade 1.1.8 -> 1.4 (problems in upgrade5.php) [R] [C-Michael83]
  

[Ryan Gordon]

Theme and template changes
Using the "Find Updated" link under the "Templates" page in the Admin CP you can find a list of the templates that have changed in this release that you've got one or more custom copies of.

After identifying changed templates using the tool you can either revert your custom template to the default (delete it) or use the "diff" tool to perform a difference analysis on your custom template and the default.

"Revert required" indicates that for this template to work correctly with MyBB 1.4.5 you'll either need to revert it to the default or modify your custom template to include the changes in the default. If a revert is not required your custom version of the template should work perfectly fine.

Template changes
Since MyBB 1.4.4 the following templates have had changes to them:

• modcp_modlogs
• modcp_ipsearch
• footer
• memberlist_search
• post_attachments_attachment_postinsert
• portal_announcement
• search_results_threads
• private_read
• member_register
• calendar_dayview
• xmlhttp_buddyselect
• modcp_finduser
• modcp_warninglogs
• modcp_announcements_new
• modcp_announcements_edit
• search_results_posts_inlinemoderation
  

* Red represents the template must be updated or reverted to fix security problems

Language file changes
Since MyBB 1.4.4 the following language files have had changes to them:

• calendar.lang.php
• customhelpdocs.lang.php
• customhelpsections.lang.php
• datahandler_event.lang.php
• global.lang.php
• moderation.lang.php
• online.lang.php
• warnings.lang.php
• admin/
  • global.lang.php
  • home_credits.lang.php
  • style_templates.lang.php
  • user_group_promotions.lang.php
    

Either update your language packs to include the changes in these files or revert to the standard English language pack.

Plugins
Most of your MyBB 1.4.x plugins will work correctly with 1.4 without any updates.

[Ryan Gordon]

Discuss this announcement