+--------------------------------------------------------------------------------+ | MyBB 1.1.0 to 1.1.1 Patch File | | (c) 2006 MyBB Group. | | | | This patch file fixes several security-related issues in MyBB 1.1.0 | | | | Please follow the instructions below to manually patch your board | | to MyBB 1.1.1 | +--------------------------------------------------------------------------------+ ===================== 1. inc/init.php ===================== Find: -- error_reporting(E_ALL & ~E_NOTICE); -- ABOVE it add: -- if(strpos(strtolower($_SERVER['PHP_SELF']), "inc/init.php") !== false) { die("Direct initialization of this file is not allowed."); } -- ===================== 2. inc/functions.php ===================== Find: -- $mybboard['internalver'] = "1.1"; $mybboard['vercode'] = "100.12"; -- Replace with: -- $mybboard['internalver'] = "1.1.1"; $mybboard['vercode'] = "111"; -- ===================== 3. inc/functions_post.php ===================== Find: -- if($allowimgcode) { $message = preg_replace("#\[img\]([a-z]+?://){1}(.+?)\[/img\]#i", "\"\"", $message); $message = preg_replace("#\[img=([0-9]{1,3})x([0-9]{1,3})\]([a-z]+?://){1}(.+?)\[/img\]#i", "\"\"", $message); } -- Replace with: -- if($allowimgcode != "no") { $message = preg_replace("#\[img\](https?://([^<>\"']+?))\[/img\]#i", "\"\"", $message); $message = preg_replace("#\[img=([0-9]{1,3})x([0-9]{1,3})\](https?://([^<>\"']+?))\[/img\]#i", "\"\"", $message); } -- Find: -- if(preg_match("/^(.+)@[a-zA-Z0-9-]+\.[a-zA-Z0-9.-]+$/si", $email)) { return "".$name.""; } -- Replace with: -- if(preg_match("/^([a-zA-Z0-9-_\+\.]+?)@[a-zA-Z0-9-]+\.[a-zA-Z0-9\.-]+$/si", $email)) { return "".$name.""; } else { return $name; } -- Note: the quoted output strings in the img and email snippets above (the "\"\"" and "".$name."" parts) appear to have lost their markup in this copy; compare them against the original patch file before applying. ===================== 4. 
attachment.php ===================== Find: -- header("Content-disposition: filename=$attachment[filename]"); if($mybb->input['thumbnail']) { $ext = getextention($attachment['thumbnail']); switch($ext) { case "gif": $type = "image/gif"; break; case "bmp": $type = "image/bmp"; break; case "png": $type = "image/png"; break; case "jpg": case "jpeg": case "jpe": $type = "image/jpeg"; break; default: $type = "image/unknown"; break; } header("Content-type: ".$type); $thumb = $settings['uploadspath']."/".$attachment['thumbnail']; header("Content-length: ".@filesize($thumb)); echo file_get_contents($thumb); } else { header("Content-type: $attachment[filetype]"); header("Content-length: $attachment[filesize]"); echo file_get_contents($settings['uploadspath']."/".$attachment['attachname']); } -- Replace with: -- if($mybb->input['thumbnail']) { $ext = getextention($attachment['thumbnail']); switch($ext) { case "gif": $type = "image/gif"; break; case "bmp": $type = "image/bmp"; break; case "png": $type = "image/png"; break; case "jpg": case "jpeg": case "jpe": $type = "image/jpeg"; break; default: $type = "image/unknown"; break; } header("Content-disposition: filename=$attachment[filename]"); header("Content-type: ".$type); $thumb = $settings['uploadspath']."/".$attachment['thumbnail']; header("Content-length: ".@filesize($thumb)); echo file_get_contents($thumb); } else { $ext = getextention($attachment['filename']); if($ext == "txt" || $ext == "htm" || $ext == "html") { header("Content-disposition: attachment; filename=$attachment[filename]"); } else { header("Content-disposition: inline; filename=$attachment[filename]"); } header("Content-type: $attachment[filetype]"); header("Content-length: $attachment[filesize]"); echo file_get_contents($settings['uploadspath']."/".$attachment['attachname']); } -- ===================== 5. global.php ===================== Find: -- // This is a temporary patch put in place until 1.2 is released. 
-- ABOVE it add: -- if(strpos(strtolower($_SERVER['PHP_SELF']), "global.php") !== false) { die("Direct initialization of this file is not allowed."); } -- ===================== 6. member.php ===================== Find: -- $plugins->run_hooks("member_login"); -- UNDER it add: -- $HTTP_REFERER = htmlentities($_SERVER['HTTP_REFERRER']); -- Find: -- if($mybb->input['url']) { redirect($mybb->input['url'], $lang->redirect_loggedin); } -- Replace with: -- if($mybb->input['url']) { redirect(htmlentities($mybb->input['url']), $lang->redirect_loggedin); } -- ===================== 7. newreply.php ===================== Find: -- elseif($mybb->input['previewpost']) { $username = $mybb->input['username']; } -- Replace with: -- elseif($mybb->input['previewpost']) { $username = htmlspecialchars_uni($mybb->input['username']); } -- Find: -- if(!$mybb->user['uid'] || !$post['username']) { $post['username'] = $mybb->input['username']; } -- Replace with: -- if(!$mybb->user['uid'] || !$post['username']) { $post['username'] = htmlspecialchars_uni($mybb->input['username']); } -- ===================== 8. newthread.php ===================== Find: -- else { $username = $mybb->input['username']; } eval("\$loginbox = \"".$templates->get("loginbox")."\";"); -- Replace with: -- else { $username = htmlspecialchars_uni($mybb->input['username']); } eval("\$loginbox = \"".$templates->get("loginbox")."\";"); -- Find: -- if(!$mybb->user['uid'] || !$post['username']) { $post['username'] = $mybb->input['username']; } -- Replace with: -- if(!$mybb->user['uid'] || !$post['username']) { $post['username'] = htmlspecialchars_uni($mybb->input['username']); } -- ===================== 9. usercp.php ===================== Find: -- eval("\$editsig = \"".$templates->get("usercp_editsig")."\";"); -- ABOVE it add: -- $sig = htmlspecialchars_uni($sig); -- ===================== DONE =====================