MyBB Community Forums

Full Version: MyBB 1.2.12 Released - Security and Maintenance Release
MyBB 1.2.12 is a security update to MyBB 1.2 fixing a HIGH risk SQL Injection vulnerability and MEDIUM risk XSRF vulnerabilities. Because of the number of changes in this release, we've decided to go ahead and include fixes for some outstanding bugs. We recommend everybody upgrades to this release immediately.

This security update fixes:
  • [HIGH RISK] SQL Injection vulnerability in inc/datahandlers/pm.php
  • [MEDIUM RISK] XSRF vulnerabilities in various files (Note: Most require the user to have a moderator account)

These vulnerabilities affect MyBB 1.2.11 and previous releases of MyBB 1.2. Older versions of MyBB may also be affected.

MyBB 1.2.11 to MyBB 1.2.12 Patch
This patch is only for users running MyBB 1.2.11. If you are running any other version of the MyBB 1.2 series then please download MyBB 1.2.12 from the MyBB site and update to it.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.

[attachment=8467]

Information on upgrading, template changes and language changes can be found in the posts below.

Please note that you need to run the upgrade script for this version. This is so the templates may be updated.
There are no database schema changes in this version.


Reporting MyBB security vulnerabilities
If you think you've found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we've had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

Upgrading from the 1.2 series
When upgrading from 1.2, you will not lose any custom themes, plugins or language packs which you may have installed.

Follow the general Upgrading guide outlined on the MyBB Wiki (now at docs.mybb.com) to complete the upgrade process.

Upgrading from other versions
If you are upgrading from a version earlier than 1.2 then you will lose your custom themes, templates and language packs due to the number of changes between your version and the 1.2 series.

Before you attempt to upgrade, ensure you have a database backup and a copy of the files currently in use on your board. This is so you can revert back to your earlier version if you need to or something goes horribly wrong with the upgrade process.

Follow the general Upgrading guide outlined on the MyBB Wiki (now at docs.mybb.com) to complete the upgrade process.

Changed files since MyBB 1.2.10
  • admin/
    • usergroups.php
  • inc/
    • class_core.php
    • class_moderation.php
    • class_session.php
    • functions.php
    • functions_upload.php
    • datahandlers/
      • pm.php
    • languages/
      • english.php
      • english/
        • global.lang.php
  • install/
    • resources/
      • mybb_theme.xml
      • upgrade11.php
  • jscripts/
    • thread.js
    • general.js
  • polls.php
  • editpost.php
  • global.php
  • search.php
  • managegroup.php
  • member.php
  • report.php
  • sendthread.php
  • reputation.php
  • stats.php
  • usercp.php
  • moderation.php
  • newreply.php
  • calendar.php
  • private.php
  • forumdisplay.php
  • newthread.php
  • ratethread.php
  • xmlhttp.php

Red denotes the file has changes for the exploits and must be updated.
Green denotes the file is new

Bugs fixed since MyBB 1.2.10
  • #19854 - Replying to a PM
  • #26121 - Saving Draft
  • #26138 - Smilies
  • #26218 - disable/modify stats.php
  • #26275 - Mass PM error
  • #26366 - Error when trying to delete polls.
  • #26422 - Wrong age shown in profile
  • #26494 - Forum password problems
  • #26673 - potential error in group permissions setting
  • #26674 - [split] cannot logout bug with sid
  • #26682 - small bug in editor.js
  • #26752 - Typo [ usercp.php ]
  • #26817 - blank page when you export your pm's in .txt file
  • #26846 - If no avatars exist in the default directory...
  • #26861 - add a thread together

Theme and template changes
There is no need to use the "Find Updated" tool for this release. Because the only template changes are security fixes, the upgrader automatically applies the changes.

Language file changes
Since MyBB 1.2.10 the following language files have had changes to them:
  • global.lang.php
Either update your language packs to include the changes in these files or revert to the standard English language pack.

Plugins
Most of your MyBB 1.2.x plugins will work correctly with 1.2.12 without any updates.