MyBB 1.2.8 Released - Security & Maintenance Release
#1
MyBB 1.2.8 is now available on the MyBB website and is a general maintenance release as well as a security update release that patches a recently discovered low threat vulnerability.

This release also fixes over 30 identified issues with 1.2.7, some causing incorrect functionality of MyBB as well as other internally discovered problems with the post counting system introduced with 1.2.7. These bugs have been fixed to provide a more stable version of MyBB for public use.

What's added/changed in this version?
  • Setting to enable/disable the forum jump menus - useful for boards with a large number of forums.
  • Additional plugin hooks have been added to both inc/class_moderation.php and the archive mode. (by request)

Information on upgrading, template changes and language changes can be found in the posts below. MyBB 1.1.x patches can also be found below.

If for some reason you cannot immediately update to this release:
We recommend applying the attached manual patch instructions, or patch plugin for the vulnerability found in MyBB 1.2.7. You should only consider these as temporary solutions and make the effort to upgrade to 1.2.8 as soon as possible.

To manually patch your 1.2.7 to fix these vulnerabilities please follow the following instructions:

.txt   mybb_128_xss_fix.txt (Size: 1.11 KB / Downloads: 1,267)

Alternatively, you can use the following plugin. Upload it to inc/plugins/ and activate from your Admin CP --> Plugin Manager.

.php   mybb128patch.php (Size: 940 bytes / Downloads: 1,176)

Please note that you need to run the upgrade script for this version. This is so the templates may be updated.
There are no database schema changes in this version.
#2
Upgrading from the 1.2 series
When upgrading from 1.2, you will not lose any custom themes, plugins or language packs which you may have installed.

Follow the general [Wiki: Upgrading] (Broken link, head over to docs.mybb.com instead) guide outlined on the MyBB Wiki to complete the upgrade process. You may download a ZIP archive of changed files here:

.zip   mybb_128_changed_files.zip (Size: 350.04 KB / Downloads: 1,887)

You must then check for modified templates using the instructions in the next post.

Upgrading from other versions
If you are upgrading from a version earlier than 1.2 then you will lose your custom themes, templates and language packs due to the number of changes between your version and the 1.2 series.

Before you attempt to upgrade, ensure you have a database backup and a copy of the files currently in use on your board. This is so you can revert back to your earlier version if you need to or something goes horribly wrong with the upgrade process.

Follow the general [Wiki: Upgrading] (Broken link, head over to docs.mybb.com instead) guide outlined on the MyBB Wiki to complete the upgrade process.

Changed files since MyBB 1.2.7
Green indicates files which have been added since the MyBB 1.2.7 release.
  • admin/
    • adminfunctions.php
    • announcements.php
    • index.php
    • usergroups.php
    • users.php
  • archive/
    • global.php
    • index.php
  • images/
    • attachtypes/
      • index.html
    • avatars/
      • index.html
    • codebuttons/
      • index.html
    • english/
      • index.html
    • groupimages/
      • english/
        • index.html
      • index.html
    • icons/
      • index.html
    • smilies/
      • index.html
    • toplinks/
      • index.html
  • inc/
    • datahandlers/
      • pm.php
    • languages/
      • english/
        • global.lang.php
        • helpdocs.lang.php
        • misc.lang.php
      • english.php
    • class_core.php
    • class_datacache.php
    • class_feedparser.php
    • class_feedgeneration.php
    • class_moderation.php
    • class_parser.php
    • class_session.php
    • class_xml.php
    • db_mysqli.php
    • functions.php
    • functions_forumlist.php
    • functions_image.php
    • functions_post.php
    • functions_rebuild.php
    • functions_upload.php
  • install/
    • resources/
      • mybb_theme.xml
      • mysql_db_inserts.php
      • settings.xml
      • upgrade10.php
      • upgrade9.php
    • index.php
  • jscripts/
    • editor.js
  • editpost.php
  • forumdisplay.php
  • member.php
  • misc.php
  • moderation.php
  • portal.php
  • private.php
  • search.php
  • showthread.php
  • usercp.php

Bugs fixed since MyBB 1.2.7
  • #17622 - Bugs in parser
  • #19252 - Birthday in profiles
  • #19275 - I Think...
  • #19293 - Birthday bug (again?)
  • #19335 - Bug in "General Statistics"
  • #19361 - Sending a Message via ICQ doesn't work
  • #19372 - Fix on the "who replied to this topic"
  • #19411 - Attachment quota defaults to a secondary group.
  • #19463 - Board style missing
  • #19504 - Private Message icon not working after 1.2.7 upgrade
  • #19512 - Moving threads count
  • #19521 - Editor Bug
  • #19558 - Number don't have a comma sign when it's more than a thousand
  • #19562 - Little typo bug
  • #19589 - Preview of edited posts
  • #19590 - Editor problem
  • #19591 - Black color (editor)
  • #19701 - Private message presets
  • #19723 - mySQL error when splitting post from thread...
  • #19776 - Cant Disable Thumbnails on Treads
  • #19923 - Split thread and the attachment icon
  • #20082 - MySQL error
  • #20149 - Post counter bug
  • #20167 - Unapproved Glory
  • #20221 - ...please wait -1 seconds before attempting....
  • #20288 - charset - firefox - utf-8 + iso-8859
  • #20340 - Merge threads
  • #20352 - Text sizes list - missing "large"
  • #20354 - Hardcoded moderator's inline checkbox for announcements?
  • #20356 - Bug in tag [IMG]
  • #20379 - Just a quick typo
  • #20400 - & in Forum Titles
  • #20423 - Recipient field empty when replying to a user with double quote character in username
  • #20438 - Announcement bugs
  • #20439 - Reputation / permission bug
  • #20442 - Registration bug
  • #20447 - Images/avatars missing index.html
  • #20461 - PM bug
#3
Theme and template changes
Using the "Find Updated" link under the "Templates" section in the Admin CP you can find a list of the templates that have changed in this release that you've got one or more custom copies of.

After identifying changed templates using the tool you can either revert your custom template to the default (delete it) or use the "diff" tool to perform a difference analysis on your custom template and the default.

Since MyBB 1.2.7 the following templates have been changed. "Revert required" indicates that for this template to work correctly with MyBB 1.2.8 you'll either need to revert it to the default or modify your custom template to include the changes in the default. If a revert is not required your custom version of the template should work perfectly fine.
  • changeuserbox - Revert required
  • forumdisplay_announcements_announcement_modbit - Added
  • forumdisplay_announcements_announcement - Revert required
  • header_welcomeblock_member - Revert required
  • index_logoutlink - Revert required
  • misc_imcenter_icq - Revert required

Language packs changes
Since MyBB 1.2.7 the following language files have had changes to them:
  • global.lang.php
  • helpdocs.lang.php
  • misc.lang.php
Either update your language packs to include the changes in these files or revert to the standard English language pack.

Plugins
Most of your MyBB 1.2.x plugins will work correctly with 1.2.8 without any updates.
#4
MyBB 1.1.8 Patch
This patch is only for users running MyBB 1.1.8 or any release of the MyBB 1.1 series.

Please download "mybb_118_xss_patch_128.txt" attached to this post and follow the manual patching instructions.

Please note all users of the 1.1.x series are urged to upgrade to the latest release of MyBB. (1.2.8)


.txt   mybb_118_xss_patch_128.txt (Size: 1.11 KB / Downloads: 578)
#5
Discuss this Announcement
#6
[Info] New Plugin Hooks
This was posted on the Discussion thread by Chris Boulton, but I thought it would be easier for people to find here.

Archive Mode:
  • archive_start
    Called at the top of archive/index.php.
  • archive_announcement_start
    Called at the start of display of an announcement.
  • archive_announcement_end
    Called at the end of display of an announcement.
  • archive_thread_start
    Called at the start of display of a thread.
  • archive_thread_post
    Called immediately before a post in a thread is sent to the browser.
  • archive_thread_end
    Called at the end of display of a thread.
  • archive_forum_start
    Called at the start of display of a forum.
  • archive_forum_thread
    Called immediately before a thread in a forum is sent to the browser.
  • archive_forum_end
    Called at the end of display of a forum.
  • archive_index_start
    Called at the start of display of the archive index.
  • archive_index_end
    Called at the end of display of the archive index.
  • archive_end
    Called at the end of archive/index.php

Moderation Class:
These hooks are particularly useful if you want to perform an action whenever one of the below events occurs to a thread - regardless if it was via a moderator or internally by MyBB. Example use would be in a cash/points system where you want to subtract or adjust rewards for a particular thread or post. You should not output anything from these calls and the action will be performed regardless of the plugin's returned result.
  • class_moderation_close_threads (tids)
    Called when a thread or threads are closed. Array of thread IDs is passed.
  • class_moderation_open_threads (tids)
    Called when a thread or threads are opened. Array of thread IDs is passed.
  • class_moderation_stick_threads (tids)
    Called when a thread or threads are stuck. Array of thread IDs is passed.
  • class_moderation_unstick_threads (tids)
    Called when a thread or threads are unstuck. Array of thread IDs is passed.
  • class_moderation_remove_redirects (tid)
    Called when the remove redirects function is called. Thread ID is passed - all redirects to this thread are being deleted.
  • class_moderation_delete_thread (tid)
    Called when a thread is deleted. Thread ID is passed.
  • class_moderation_delete_poll (pid)
    Called when a poll is deleted. Poll ID is passed.
  • class_moderation_approve_threads (tids)
    Called when a thread or threads are approved. Array of thread IDs is passed.
  • class_moderation_unapprove_threads (tids)
    Called when a thread or threads are unapproved. Array of thread IDs is passed.
  • class_moderation_delete_post (pid)
    Called when a post is deleted. Post ID is passed.
  • class_moderation_merge_posts (array)
    Called when posts are merged together. Array of info is passed:
    pids - Array of post IDs being merged together
    tid - The ID of the thread they are in
  • class_moderation_move_thread_redirect (array)
    Called when a thread is moved and redirect is left. Array of info is passed:
    tid - Thread being moved
    new_fid - The new forum ID
  • class_moderation_copy_thread (array)
    Called when a thread is copied to another forum. Array of info is passed:
    tid - The thread being copied
    new_fid - The forum ID the thread is being copied to
  • class_moderation_move_simple (array)
    Called when a standard move is performed. Array of info is passed:
    tid - The thread being moved
    new_fid - The new forum ID
  • class_moderation_merge_threads (array)
    Called when two threads are being merged together. Array of info is passed:
    mergetid - The thread being merged in to the other
    tid - The destination thread ID
    subject - The new subject of the merged thread
  • class_moderation_split_posts (array)
    Called when one or more posts are split from a thread. Array of info is passed:
    pids - Array of post IDs being split from a thread
    tid - The thread the posts are being split from
    moveto - The new forum for the resulting split posts
    newsubject - The new thread subject for the split posts
    destination_tid - The thread ID if we're splitting in to another thread
  • class_moderation_move_threads (array)
    Called when more than one thread is being moved to another forum. Array of info is passed:
    tids - Array of thread IDs
    moveto - The new forum the threads are being moved to
  • class_moderation_approve_posts (pids)
    Called when one or more posts are approved. Array of post IDs is passed.
  • class_moderation_unapprove_posts (pids)
    Called when one or more posts are unapproved. Array of post IDs is passed.
  • class_moderation_change_thread_subject (array)
    Called when a thread subject is changed using the custom moderation tools. Array of info is passed:
    tids - Array of thread IDs
    format - The format thread subjects are being changed to
  • class_moderation_expire_threadarray (array)
    Called when an expiry time is set on a thread. Array of info is passed:
    tid - The thread ID to be expired
    deletetime - Unix timestamp of when the thread should expire.
  • class_moderation_remove_thread_subscriptions (array)
    Called when subscriptions are removed by the use of a moderation tool. Array of info is passed:
    tids - Array of thread IDs
    all - Are we removing all subscriptions?
    fid - Forum ID if not removing all

Moderator Tools
Several hooks previously existed in moderation.php however more have been added to cover all tools. These hooks are particularly useful if you want to perform extra checks whenever a moderation tool is being performed or display output to the browser. They should be pretty self explanatory.
Dennis Tsang
Former MyBB Team Member
Web: http://dennistt.net
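
Added example (not part of the original post, and not code from the MyBB project): a small audit-log plugin that uses four of the moderation-class hooks listed above to record thread and post deletions, merges and splits, whether a moderator or MyBB itself triggered them. The `modaudit` names, the log path and the keys in the info array are hypothetical; it assumes PHP 5.2 or later and MyBB's `$plugins->add_hook()` plugin call.

```php
<?php
// Added example: hypothetical plugin file inc/plugins/modaudit.php.
// Hook names and the arguments they pass are the ones listed in the post above.
// Assumed log path; point it outside the web root (or deny access to it) on a live board.
define('MODAUDIT_LOG', dirname(__FILE__) . '/modaudit.log');

function modaudit_info()
{
    return array(
        'name'        => 'Moderation audit log (example)',
        'description' => 'Appends one JSON line per moderation event.',
        'author'      => 'example',
        'version'     => '0.1',
    );
}

// Build and append one log line. $args is whatever the hook passed:
// a single ID, or an info array (tid, pids, subject, ...).
function modaudit_write($event, $args)
{
    global $mybb; // set by MyBB; absent when the file is run on its own
    $line = json_encode(array(
        'time'  => gmdate('c'),
        'event' => $event,
        'uid'   => isset($mybb->user['uid']) ? (int)$mybb->user['uid'] : 0, // 0 = no logged-in user
        'args'  => $args,
    ));
    // json_encode escapes newlines in user-controlled fields such as "subject",
    // so a crafted thread title cannot forge a second log entry.
    file_put_contents(MODAUDIT_LOG, $line . "\n", FILE_APPEND | LOCK_EX);
    return $line;
}

// One handler per hook: nothing is echoed and nothing is returned to MyBB.
function modaudit_delete_thread($tid)  { modaudit_write('delete_thread', (int)$tid); }
function modaudit_delete_post($pid)    { modaudit_write('delete_post', (int)$pid); }
function modaudit_merge_threads($info) { modaudit_write('merge_threads', $info); }
function modaudit_split_posts($info)   { modaudit_write('split_posts', $info); }

if (isset($plugins) && is_object($plugins)) {
    // Inside MyBB: register against the class_moderation_* hooks.
    foreach (array('delete_thread', 'delete_post', 'merge_threads', 'split_posts') as $h) {
        $plugins->add_hook('class_moderation_' . $h, 'modaudit_' . $h);
    }
} elseif (PHP_SAPI === 'cli') {
    // Outside MyBB: constructed sample event; the newline in the subject comes out escaped.
    echo modaudit_write('merge_threads', array('mergetid' => 12, 'tid' => 7, 'subject' => "x\nfake line")), "\n";
}
```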
#7
A plugin which patches the XSS vulnerability has been offered as an alternative to the manual patch instructions. I'd like to emphasize that this plugin and the manual patch instructions should be considered as temporary solutions. They do not contain the additions and bug fixes contained in the complete upgrade of 1.2.8, but only the patch for the security vulnerability.

The plugin can be found in the first post.
Dennis Tsang
Former MyBB Team Member
Web: http://dennistt.net

