MyBB 1.1.7 Released - Security Update
#1
Due to a low risk browser based cross-site scripting vulnerability found in MyBB, we're releasing a security update to the MyBB 1.1.x series. The exact vulnerability allows cross-site scripting by invalid input in to an avatar URL which will then cause certain browsers (Internet Explorer) to execute that input.

We recommend all users upgrade their copy of MyBB to the latest available release.

The release on the MyBB site has also been updated to 1.1.7.

Update instructions are in the next post, including a list of changed files (and a ZIP archive of them) as well as manual patching instructions for those of you who have customized their code.

We're also after feedback regarding your preferred methods for applying patches to your board - and your feedback of two new methods which you may see in the future. Please let us know your opinions

Regards,
Chris Boulton
#2
Updating from 1.1.6 Using Changed Files (Recommended)
You must already be running MyBB 1.1.6 to perform this method!
  • Download the attached "mybb_117_changed_files.zip" from this post.
  • Upload the contents of it to your forums in the corresponding folders.
  • Check your Admin CP to confirm you are running 1.1.7
Updating from 1.1.6 Manually
You must already be running MyBB 1.1.6 to perform this method!
  • Download the attached "mybb_117_patch.txt" from this post.
  • Follow the manual patch instructions in the file replacing or adding code where necessary and uploading the files back up to your web site.
Updating from Previous Releases
Download the latest release from the MyBB web site and follow the general upgrade procedure. (Found in docs/upgrade.html)

Changed Files
  • usercp.php
  • inc/functions.php (Version number change)
  • inc/languages/english/usercp.lang.php


Attached Files
.zip   mybb_117_changed_files.zip (Size: 31.14 KB / Downloads: 999)
.txt   mybb_117_patch.txt (Size: 2.62 KB / Downloads: 845)
#3
Discuss this announcement
#4
We've just been made aware of two other low risk issues which existed in 1.1.7 and earlier.

Instead of releasing another update for today we've updated the current release (attachments above and release on main site) to fix these issues.

For those of you who have already applied the above patch by the time of this post, please follow the following instructions:

usercp.php

Find:
	if($mybb->input['gallery'])
	{
		$gallery = $mybb->input['gallery'];

Replace with:
	if($activegallery)
	{
		$gallery = str_replace("..", "", $mybb->input['gallery']);

Please note, all of these vulnerabilities were already patched in MyBB 1.2.0 (a long time ago) - a proof of concept of our ongoing commitment and the future of MyBB.


Forum Jump:


Users browsing this thread: 1 Guest(s)