MyBB 1.1.5 Released
#1
And in the continuation of something which couldn't have come at a worse time, we're releasing MyBB 1.1.5, a security update to the MyBB 1.x series. It fixes a few potentially high-risk vulnerabilities affecting MyBB 1.0 PR 2 to MyBB 1.1.4.

As an ever-growing list of vulnerabilities appears to be found in MyBB, we've performed a software-based code audit on the package which detects potential SQL injections, cross-site scripting and general security issues. It made us aware of several issues in 1.1.4, so we're immediately releasing a patch. From now on, each release of MyBB will be audited using this application before it is downloadable.

The release also fixes a few other vulnerabilities discovered by third parties.

We recommend all users upgrade their copy of MyBB to the latest available release.

The release on the MyBB site has also been updated to 1.1.5.

Update instructions are in the next post, including a list of changed files (and a ZIP archive of them) as well as manual patching instructions for those of you who have customized your code.

There is the potential once again for scripts to be written to exploit these vulnerabilities. Please ensure you update your board as soon as you can and that you inform anyone you know running MyBB to do the same.

If your board is compromised, please send myself or one of the other team members as much information as you can (including raw access logs) and we'll do our best to resolve the situation. If you also need assistance in upgrading, please do not hesitate to contact me about it and I'll get you up to date.

It does truly sadden me to see this happen to our product - people's installations being compromised by "script kiddy" and hacking groups where destroying other people's property is considered fun. Hopefully things will calm down - and I am sorry, personally, for once again having to release another patch for MyBB.

Regards,
Chris Boulton
#2
Updating from 1.1.4 Using Changed Files (Recommended)
You must already be running MyBB 1.1.4 to perform this method!
  • Download the attached "mybb_115_changed_files.zip" from this post.
  • Upload the contents of it to your forums in the corresponding folders.
  • Check your Admin CP to confirm you are running 1.1.5.
Updating from 1.1.4 Manually
You must already be running MyBB 1.1.4 to perform this method!
  • Download the attached "mybb_115_patch.txt" from this post.
  • Follow the manual patch instructions in the file replacing or adding code where necessary and uploading the files back up to your web site.
Updating from Previous Releases
Download the latest release from the MyBB web site and follow the general upgrade procedure. (Found in docs/upgrade.html)

Changed Files
  • archive/global.php
  • inc/class_core.php
  • inc/class_session.php
  • inc/functions.php (Version number change)
  • inc/functions_post.php
  • inc/functions_upload.php
  • editpost.php
  • newreply.php
  • usercp.php
Attached Files
.zip   mybb_115_changed_files.zip (Size: 50.62 KB / Downloads: 1,197)
.txt   mybb_115_patch.txt (Size: 4.27 KB / Downloads: 847)
#3
You may discuss this announcement here: http://community.mybboard.net/showthread.php?tid=10116
#4
There was a bug found in the update released today: The full package, changed files, and patch file all contain a line which will create a fatal error with PHP as follows:
Quote: Fatal error: Call to undefined method databaseEngine::simple_select() in /path/to/mybb/usercp.php on line 1744

To fix this:
Open usercp.php
Find:
		$query = $db->simple_select(TABLE_PREFIX."usergroups", "*", "gid='".intval($mybb->input['joingroup'])."'");
Replace with:
		$query = $db->query("SELECT * FROM ".TABLE_PREFIX."usergroups WHERE gid='".intval($mybb->input['joingroup'])."'");

This bug affects users joining secondary usergroups via the User CP.

Just a little bit of 1.2 code slipped in.
Dennis Tsang
Former MyBB Team Member
Web: http://dennistt.net
#5
As of this post, the changed files and manual patching instructions have been fixed and no longer contain the bug mentioned in the post above.

The full package will be fixed as soon as possible.

Anyone who updated to 1.1.5 before this post should take note of the instructions posted by Dennis above.
#6
The release on the site has now been updated.
#7
Problems with editpost.php

If you have downloaded the full MyBB 1.1.5 package, there was some extra text that accidentally made its way into the editpost.php file that should not have been there.

At the beginning of editpost.php, find:
yea<?php
Replace with:
<?php

To repeat, this only affects boards that have used the full MyBB 1.1.5 package downloaded from the site.

Again, we are sorry for the inconvenience that this may have caused you.

The full package will be fixed as soon as possible.
Dennis Tsang
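A small post-update check, added here as an example and not part of the MyBB release or of any post in this thread: it scans a forum directory for the two packaging defects described in posts #4 and #7 (the leftover `simple_select()` call in usercp.php and the stray "yea" before the opening PHP tag in editpost.php). Everything in it is constructed for illustration: the function names, the directory layout it assumes, and the stub files it writes to a temporary directory are mine, not MyBB's.

```shell
#!/bin/sh
# Added example: post-update sanity check for a MyBB 1.1.5 install.
# Not part of the MyBB package or of this thread; function names and the
# sample files below are constructed for illustration.
#
# It looks for the two packaging defects reported in this thread:
#   1. usercp.php calling $db->simple_select(), which does not exist in 1.1.x
#      and causes the fatal error quoted in post #4
#   2. editpost.php beginning with "yea<?php" instead of "<?php" (post #7)

# usercp_ok DIR: succeed (0) if DIR/usercp.php exists and contains no
# call to simple_select(, fail (1) otherwise.
usercp_ok() {
    file="$1/usercp.php"
    [ -f "$file" ] || return 1
    if grep -q 'simple_select(' "$file"; then
        return 1
    fi
    return 0
}

# editpost_ok DIR: succeed (0) if the first five characters of
# DIR/editpost.php are exactly "<?php", fail (1) otherwise. This covers
# the "yea<?php" case and any other stray bytes before the opening tag.
editpost_ok() {
    file="$1/editpost.php"
    [ -f "$file" ] || return 1
    first=$(head -n 1 "$file" | cut -c 1-5)
    [ "$first" = "<?php" ]
}

# check_mybb_115 DIR: run both checks, print one line per file, and
# return non-zero if either check failed.
check_mybb_115() {
    status=0
    if usercp_ok "$1"; then
        echo "usercp.php: ok"
    else
        echo "usercp.php: missing or still calls simple_select(); apply the replacement from post #4"
        status=1
    fi
    if editpost_ok "$1"; then
        echo "editpost.php: ok"
    else
        echo "editpost.php: missing or does not start with <?php; see post #7"
        status=1
    fi
    return "$status"
}

# make_sample: build a throwaway directory with a "good" and a "bad"
# install stub (constructed files, not real MyBB sources) and print its path.
make_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/good" "$dir/bad"
    printf '<?php\n$query = $db->query("SELECT * FROM usergroups");\n' > "$dir/good/usercp.php"
    printf '<?php\necho "edit post";\n' > "$dir/good/editpost.php"
    printf '<?php\n$query = $db->simple_select("usergroups", "*");\n' > "$dir/bad/usercp.php"
    printf 'yea<?php\necho "edit post";\n' > "$dir/bad/editpost.php"
    echo "$dir"
}

# Usage: sh check_mybb_115.sh /path/to/forum
if [ -n "${1:-}" ]; then
    check_mybb_115 "$1"
fi
```

Point it at the forum root after uploading the changed files; a non-zero exit means one of the two known bad lines is still in place. It only checks for the two defects named in this thread, not for whether the security fixes themselves were applied, so it is a supplement to the Admin CP version check, not a replacement for it.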