+--------------------------------------------------------------------------------+
| MyBB 1.1.0 to 1.1.1 Patch File |
| (c) 2006 MyBB Group. |
| |
| This patch file fixes several security-related issues in MyBB 1.1.0 (XSS in posts, signatures and login redirects, unsafe attachment serving, direct access to include files) |
| |
| Please follow the instructions documented to manually patch your board |
| to MyBB 1.1.1 |
+--------------------------------------------------------------------------------+
=====================
1. inc/init.php
=====================
Find:
--
error_reporting(E_ALL & ~E_NOTICE);
--
ABOVE it add:
--
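// Refuse to run when this file is the script the web server was asked for
// directly instead of being included by a front-end script.
// PHP_SELF is derived from the request path, so the substring match is kept as
// the portable check (under PATH_INFO a request such as /index.php/inc/init.php
// also trips it, which only ever denies, never allows). Where SCRIPT_FILENAME is
// available the identity of the executing script is compared as well, which
// does not depend on how the request path was spelled.
$php_self = isset($_SERVER['PHP_SELF']) ? strtolower($_SERVER['PHP_SELF']) : "";
$script_path = isset($_SERVER['SCRIPT_FILENAME']) ? realpath($_SERVER['SCRIPT_FILENAME']) : false;
$this_path = realpath(__FILE__);
// Both realpath() results must be real strings: comparing two false values
// would otherwise match and kill every request.
if(strpos($php_self, "inc/init.php") !== false
	|| ($script_path !== false && $this_path !== false && $script_path === $this_path))
{
	die("Direct initialization of this file is not allowed.");
}
unset($php_self, $script_path, $this_path);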
--
=====================
2. inc/functions.php
=====================
Find:
--
$mybboard['internalver'] = "1.1";
$mybboard['vercode'] = "100.12";
--
Replace with:
--
$mybboard['internalver'] = "1.1.1";
$mybboard['vercode'] = "111";
--
=====================
3. inc/functions_post.php
=====================
Find:
--
if($allowimgcode)
{
$message = preg_replace("#\[img\]([a-z]+?://){1}(.+?)\[/img\]#i", "", $message);
$message = preg_replace("#\[img=([0-9]{1,3})x([0-9]{1,3})\]([a-z]+?://){1}(.+?)\[/img\]#i", "", $message);
}
--
Replace with:
--
// Rewrite [img] and [img=WxH] BBCode when image codes are enabled for this
// context. The new patterns only accept http:// or https:// targets and refuse
// any URL containing < > " or ', so the captured value cannot close the
// attribute or tag it is inserted into. Note the condition is now a string
// comparison against "no" rather than a truthiness test of $allowimgcode.
// NOTE(review): the replacement strings below are empty as printed, which would
// delete the tags instead of emitting an <img> element; the markup appears to
// have been stripped from this copy of the patch, so confirm the replacement
// text against the 1.1.1 release before applying. The URL may still contain
// whitespace or backslashes, so the emitted attribute must be quoted.
if($allowimgcode != "no")
{
$message = preg_replace("#\[img\](https?://([^<>\"']+?))\[/img\]#i", "", $message);
$message = preg_replace("#\[img=([0-9]{1,3})x([0-9]{1,3})\](https?://([^<>\"']+?))\[/img\]#i", "", $message);
}
--
Find:
--
if(preg_match("/^(.+)@[a-zA-Z0-9-]+\.[a-zA-Z0-9.-]+$/si", $email))
{
return "".$name."";
}
--
Replace it with:
--
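// Only treat $email as an address when it matches end-to-end. The D modifier
// stops $ from accepting a trailing newline, which the original pattern did:
// "user@host.example\n" passed validation and the newline travelled into the
// output. The local part is restricted to [a-zA-Z0-9-_+.] so it can no longer
// smuggle quotes or angle brackets through the (.+) of the 1.1.0 pattern.
if(preg_match("/^([a-zA-Z0-9-_\+\.]+?)@[a-zA-Z0-9-]+\.[a-zA-Z0-9\.-]+$/siD", $email))
{
	// NOTE(review): both branches return the bare name as printed here; the
	// markup this branch originally wrapped around it appears to have been
	// stripped from this copy of the patch, so confirm against the 1.1.1 release.
	return "".$name."";
}
else
{
	// Not a usable address: fall back to the plain name, no link.
	return $name;
}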
--
=====================
4. attachment.php
=====================
Find:
--
header("Content-disposition: filename=$attachment[filename]");
if($mybb->input['thumbnail'])
{
$ext = getextention($attachment['thumbnail']);
switch($ext)
{
case "gif":
$type = "image/gif";
break;
case "bmp":
$type = "image/bmp";
break;
case "png":
$type = "image/png";
break;
case "jpg":
case "jpeg":
case "jpe":
$type = "image/jpeg";
break;
default:
$type = "image/unknown";
break;
}
header("Content-type: ".$type);
$thumb = $settings['uploadspath']."/".$attachment['thumbnail'];
header("Content-length: ".@filesize($thumb));
echo file_get_contents($thumb);
}
else
{
header("Content-type: $attachment[filetype]");
header("Content-length: $attachment[filesize]");
echo file_get_contents($settings['uploadspath']."/".$attachment['attachname']);
}
--
Replace with:
--
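// Serve either the generated thumbnail or the attachment itself.
//
// Security notes on this block:
//  * The stored $attachment['filetype'] is whatever the uploader's browser
//    claimed, so it must never be combined with an inline disposition: a file
//    stored as text/html (or SVG/XML, SWF, ...) would then execute under the
//    board's origin. The 1.1.1 text only forced a download for txt/htm/html,
//    leaving every other script-capable type inline.
//  * Only known raster image extensions are rendered inline, and then with a
//    Content-type derived from the extension rather than the stored one.
//    Everything else is sent as a download.
//  * CR/LF and double quotes are stripped from header values built from stored
//    data so they cannot break out of the header or inject new ones.
//  * X-Content-Type-Options: nosniff asks browsers not to second-guess the
//    declared type.
// NOTE(review): the on-disk path comes from $attachment['attachname'] /
// $attachment['thumbnail'] as stored at upload time; how those are generated is
// outside this snippet.
if($mybb->input['thumbnail'])
{
	$attach_ext = strtolower(getextention($attachment['thumbnail']));
	$attach_path = $settings['uploadspath']."/".$attachment['thumbnail'];
	$attach_length = @filesize($attach_path);
}
else
{
	$attach_ext = strtolower(getextention($attachment['filename']));
	$attach_path = $settings['uploadspath']."/".$attachment['attachname'];
	$attach_length = $attachment['filesize'];
}
// Map the extension to an image type we are willing to render inline.
switch($attach_ext)
{
	case "gif":
		$type = "image/gif";
		break;
	case "bmp":
		$type = "image/bmp";
		break;
	case "png":
		$type = "image/png";
		break;
	case "jpg":
	case "jpeg":
	case "jpe":
		$type = "image/jpeg";
		break;
	default:
		// Unknown or non-image: never inline. Thumbnails are generated by the
		// board from image uploads, so they are expected to hit a case above.
		$type = "";
		break;
}
$safe_filename = str_replace(array("\r", "\n", "\""), "", $attachment['filename']);
if($type != "")
{
	header("Content-disposition: inline; filename=\"".$safe_filename."\"");
	header("Content-type: ".$type);
}
else
{
	header("Content-disposition: attachment; filename=\"".$safe_filename."\"");
	// The stored type is untrusted; it is only safe here because the
	// disposition forces a download. Strip CR/LF so it cannot add headers.
	header("Content-type: ".str_replace(array("\r", "\n"), "", $attachment['filetype']));
}
header("X-Content-Type-Options: nosniff");
// filesize() returns false for a missing file; do not emit an empty length.
if($attach_length !== false && $attach_length !== "")
{
	header("Content-length: ".$attach_length);
}
echo file_get_contents($attach_path);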
--
=====================
5. global.php
=====================
Find:
--
// This is a temporary patch put in place until 1.2 is released.
--
ABOVE it add:
--
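// Refuse to run when global.php is the script the web server was asked for
// directly instead of being included by a front-end script.
// PHP_SELF is derived from the request path, so the substring match is kept as
// the portable check (under PATH_INFO a request such as /index.php/global.php
// also trips it, which only ever denies, never allows). Where SCRIPT_FILENAME is
// available the identity of the executing script is compared as well, which
// does not depend on how the request path was spelled.
$php_self = isset($_SERVER['PHP_SELF']) ? strtolower($_SERVER['PHP_SELF']) : "";
$script_path = isset($_SERVER['SCRIPT_FILENAME']) ? realpath($_SERVER['SCRIPT_FILENAME']) : false;
$this_path = realpath(__FILE__);
// Both realpath() results must be real strings: comparing two false values
// would otherwise match and kill every request.
if(strpos($php_self, "global.php") !== false
	|| ($script_path !== false && $this_path !== false && $script_path === $this_path))
{
	die("Direct initialization of this file is not allowed.");
}
unset($php_self, $script_path, $this_path);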
--
=====================
6. member.php
=====================
Find:
--
$plugins->run_hooks("member_login");
--
UNDER it add:
--
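// The CGI variable is HTTP_REFERER (one R). The misspelt key HTTP_REFERRER is
// never set by PHP, so the escaped value was always empty. ENT_QUOTES also
// escapes single quotes in case the value lands in a single-quoted attribute.
// NOTE(review): what consumes $HTTP_REFERER is outside this snippet; the
// Referer header is chosen by the client and must not be trusted as a redirect
// target without the same same-site checks applied to the url parameter.
$HTTP_REFERER = isset($_SERVER['HTTP_REFERER']) ? htmlentities($_SERVER['HTTP_REFERER'], ENT_QUOTES) : "";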
--
Find:
--
if($mybb->input['url'])
{
redirect($mybb->input['url'], $lang->redirect_loggedin);
}
--
Replace with:
--
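// htmlentities() only keeps the url parameter from breaking out of the HTML
// that redirect() emits; it does nothing against an open redirect, where a
// login link carrying url=http://attacker.example sends the freshly logged-in
// user off-site. Only follow a target that is relative, or that is http(s) on
// the host serving this request. The final if keeps the original shape so any
// else branch that follows it in member.php still handles the non-redirect case.
$login_url = $mybb->input['url'];
$login_url_ok = false;
if($login_url)
{
	$url_parts = @parse_url($login_url);
	// Backslashes and control characters are rejected outright: browsers treat
	// "/\evil.example" like "//evil.example", which parse_url() does not report
	// as a host.
	$login_url_ok = is_array($url_parts) && !preg_match('/[\\\\\x00-\x1f]/', $login_url);
	if($login_url_ok && isset($url_parts['scheme']))
	{
		// Blocks javascript:, data:, mailto: and friends.
		$login_url_ok = in_array(strtolower($url_parts['scheme']), array("http", "https"), true);
	}
	if($login_url_ok && isset($url_parts['host']))
	{
		// Compare against the request host with any :port suffix removed.
		$request_host = isset($_SERVER['HTTP_HOST']) ? preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST']) : "";
		$login_url_ok = $request_host != "" && strcasecmp($url_parts['host'], $request_host) == 0;
	}
}
if($login_url_ok)
{
	redirect(htmlentities($login_url), $lang->redirect_loggedin);
}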
--
=====================
7. newreply.php
=====================
Find:
--
elseif($mybb->input['previewpost'])
{
$username = $mybb->input['username'];
}
--
Replace with:
--
elseif($mybb->input['previewpost'])
{
$username = htmlspecialchars_uni($mybb->input['username']);
}
--
Find:
--
if(!$mybb->user['uid'] || !$post['username'])
{
$post['username'] = $mybb->input['username'];
}
--
Replace with:
--
// Guests (no uid) and posts without a resolved username take the name typed
// into the reply form. It is HTML-escaped here so a crafted guest name cannot
// inject markup wherever $post['username'] is rendered.
// NOTE(review): this escapes on input rather than on output; if
// $post['username'] is later persisted, the stored value is already entity
// encoded and any output path that escapes again will double-encode it.
if(!$mybb->user['uid'] || !$post['username'])
{
$post['username'] = htmlspecialchars_uni($mybb->input['username']);
}
--
=====================
8. newthread.php
=====================
Find:
--
else
{
$username = $mybb->input['username'];
}
eval("\$loginbox = \"".$templates->get("loginbox")."\";");
--
Replace with:
--
else
{
$username = htmlspecialchars_uni($mybb->input['username']);
}
eval("\$loginbox = \"".$templates->get("loginbox")."\";");
--
Find:
--
if(!$mybb->user['uid'] || !$post['username'])
{
$post['username'] = $mybb->input['username'];
}
--
Replace with:
--
// Guests (no uid) and posts without a resolved username take the name typed
// into the new-thread form. It is HTML-escaped here so a crafted guest name
// cannot inject markup wherever $post['username'] is rendered.
// NOTE(review): this escapes on input rather than on output; if
// $post['username'] is later persisted, the stored value is already entity
// encoded and any output path that escapes again will double-encode it.
if(!$mybb->user['uid'] || !$post['username'])
{
$post['username'] = htmlspecialchars_uni($mybb->input['username']);
}
--
=====================
9. usercp.php
=====================
Find:
--
eval("\$editsig = \"".$templates->get("usercp_editsig")."\";");
--
ABOVE it add:
--
// Escape the signature before it is interpolated into the usercp_editsig
// template, so a signature containing markup cannot break out of the textarea
// it is edited in. NOTE(review): where $sig comes from (stored value or
// submitted input) is outside this snippet.
$sig = htmlspecialchars_uni($sig);
--
=====================
DONE
=====================