+--------------------------------------------------------------------------------+
| MyBB 1.2.11 - Security Update Patch File                                       |
| (c) 2008 MyBB Group.                                                           |
|                                                                                |
| This patch file fixes some high- and medium-risk issues in MyBB 1.2.10.        |
| The fixes cast IDs to integers (intval) in moderation.php,                     |
| admin/usergroups.php and inc/class_moderation.php, and set a fixed $sortby     |
| in forumdisplay.php and search.php.                                            |
|                                                                                |
| Please follow the instructions below to patch your board manually.             |
+--------------------------------------------------------------------------------+

===============
1. forumdisplay.php
===============

Find:
--
$sortfield = "t.lastpost";
--

Replace with:
--
$sortfield = "t.lastpost";
$sortby = "lastpost";
--

===============
2. search.php
===============

Find:
--
if($search['resulttype'] == "threads")
{
	$sortfield = "t.lastpost";
}
else
{
	$sortfield = "p.dateline";
}
--

Replace with:
--
if($search['resulttype'] == "threads")
{
	$sortfield = "t.lastpost";
}
else
{
	$sortfield = "p.dateline";
}
$sortby = 'lastpost';
--

===============
3. moderation.php
===============

Find:
--
case "allreports":
	if(is_moderator() != "yes")
	{
		error_no_permission();
	}
--

Replace with:
--
case "allreports":
	if(is_moderator() != "yes")
	{
		error_no_permission();
	}
	$mybb->input['rid'] = intval($mybb->input['rid']);
--

Find:
--
$threadlist = explode("|", $mybb->input['threads']);
foreach($threadlist as $tid)
{
	$tids[] = $tid;
}
--

Replace with:
--
$threadlist = explode("|", $mybb->input['threads']);
foreach($threadlist as $tid)
{
	$tids[] = intval($tid);
}
--

===============
4. admin/usergroups.php
===============

Find:
--
$uids = implode(",", $uidin);
$db->query("DELETE FROM ".TABLE_PREFIX."joinrequests WHERE uid IN($uids) AND gid='{$mybb->input['gid']}'");
--

Replace with:
--
$uids = implode(",", array_map("intval", $uidin));
$db->query("DELETE FROM ".TABLE_PREFIX."joinrequests WHERE uid IN($uids) AND gid='".intval($mybb->input['gid'])."'");
--

===============
5. inc/class_core.php (Version number change)
===============

Find:
--
/**
 * The friendly version number of MyBB we're running.
 *
 * @var string
 */
var $version = "1.2.10";

/**
 * The version code of MyBB we're running.
 *
 * @var integer
 */
var $version_code = 1210;
--

Replace with:
--
/**
 * The friendly version number of MyBB we're running.
 *
 * @var string
 */
var $version = "1.2.11";

/**
 * The version code of MyBB we're running.
 *
 * @var integer
 */
var $version_code = 1211;
--

===============
6. inc/class_moderation.php
===============

Find:
--
$pidin = implode(",", $pids);
--

Replace with:
--
$pidin = implode(",", array_map("intval", $pids));
--

ALL DONE