MyBB 1.2.9 Released - Important Security Update
MyBB 1.2.9 is a security update to the MyBB 1.2 series. It fixes a HIGH risk vulnerability just internally discovered in MyBB. We recommend everybody upgrades to this release as soon as possible or patches their boards with the manual patching instructions below.

We recommend all users upgrade their copy of MyBB to the latest available release. There is no proof of concept for this vulnerability available but there have been several attempts to use it against our official community forums.

This vulnerability allows a malicious user to perform arbitrary code execution within MyBB.

Immediately we're releasing a new version of MyBB which patches this exploit (MyBB 1.2.9). MyBB 1.1.8 is also affected.

MyBB 1.2.8 to MyBB 1.2.9 Patch
This patch is only for users running MyBB 1.2.8. If you are running any other version of the MyBB 1.2 series then please download MyBB 1.2.9 from the MyBB site and update to it.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.

.zip (Size: 14.15 KB / Downloads: 3,015)

If you wish to manually patch your board please download "mybb_128_code_fix.txt" and follow the instructions in that file.

.txt   mybb_128_code_fix.txt (Size: 1.81 KB / Downloads: 1,776)

For the upgrade of 1.2.8 to 1.2.9, the upgrader is NOT required -- just replace the files (or modify them as per the manual patch instructions) and you will be set.

MyBB 1.2/1.1 Plugin Patch
If you are running any 1.2 or 1.1 release of MyBB, you may alternatively use the attached plugin to protect your board from this vulnerability.

Upload it to inc/plugins/ and activate from your Admin CP --> Plugin Manager.

.php   mybb129patch.php (Size: 1.35 KB / Downloads: 1,314)
MyBB 1.1.8 Patch
This patch is only for users running MyBB 1.1.8 or any release of the MyBB 1.1 series.

Please download "mybb_118_code_fix_129.txt" attached to this post and follow the manual patching instructions.

.txt   mybb_118_code_fix_129.txt (Size: 1.37 KB / Downloads: 837)

Please note all users of the 1.1.x series are urged to upgrade to the latest release of MyBB. (1.2.9)
Statement Regarding Community Forums Breach
Our community forums have been breached by this vulnerability.

Over the weekend several intrusion attempts were detected on the MyBB forums and site. Several executable scripts were also remotely uploaded to the server.

Log file analysis was performed and advanced methods for logging MyBB requests were put in place to determine where the vulnerability was in MyBB. These vulnerabilities were discovered as a result of this logging.

No data or personal information has been disclosed as a result of this vulnerability and we've performed system wide scans to ensure the server is free from these malicious files.

We did not make a public announcement of this at the time as we needed to ensure that there was the possibility of the vulnerability happening again so we could record details about it.
Discuss this announcement

Forum Jump:

Users browsing this thread: 1 Guest(s)