MyBB RC4 Security Update [14/08/05]
#1
MyBB RC4 Security Update

There has been a security issue found in MyBB RC4 and all previous versions.

This security issue could allow your board to be compromised via an SQL injection based vulnerability.

Patching Your Board
To patch you board you can use the zip archive attached to this post, please upload the contents of it to your forums overwriting the existing files.

Manual patching instructions are below.

Manual Patching Instructions
./global.php

Find:
--
$mybb['location'] = $REQUEST_URI;
--

Replace With:
--
$mybb['location'] = addslashes($REQUEST_URI);
--

./member.php

Find:
--
$query = $db->query("SELECT username FROM ".TABLE_PREFIX."users WHERE username='$username'");
--

Replace With:
--
$username = addslashes($username);
$query = $db->query("SELECT username FROM ".TABLE_PREFIX."users WHERE username='$username'");
--

Find:
--
$query = $db->query("SELECT uid, username, password FROM ".TABLE_PREFIX."users WHERE username='$username'");
--

Replace With:
--
$username = addslashes($username);
$query = $db->query("SELECT uid, username, password FROM ".TABLE_PREFIX."users WHERE username='$username'");
--

./admin/global.php

Find:
--
if($do == "login") {
--

Above it Add:
--
$mybbadmin = $_COOKIE['mybbadmin'];
$username = addslashes($username);
--


Forum Jump:


Users browsing this thread: 1 Guest(s)