MyBB 1.4.2 Released - Maintenance and Security Update

[Ryan Gordon]

MyBB 1.4.2 is a general maintenance release and a security update to the MyBB 1.4 series. It fixes a few high risk and several medium risk and low risk security vulnerabilities. We recommend everybody upgrades to this release immediately or patch their boards with the manual patching instructions below.

This release comes as the result of a professional security audit performed by GulfTech. (As can be verified here) As this security audit cost us a considerable amount out of our own pockets, we ask that if you haven't already and have a few spare dollars to spare that you consider donating to MyBB.

These vulnerabilities affect MyBB 1.4.1 and several affect previous releases of MyBB 1.2 (including 1.2.14). Older versions of MyBB may also be affected. Please see the post below for upgrade instructions for 1.2.14.

MyBB 1.4.1 to MyBB 1.4.2 Patch
This patch is only for users running MyBB 1.4.1. If you are running an older version of MyBB then please download MyBB 1.4.2 from the MyBB site and update to it.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.


  mybb_1402_changed_files.zip (Size: 581.01 KB / Downloads: 1,873)

If you wish to manually patch your board please download "mybb_1401_patches.txt" and follow the instructions in that file.


  mybb_1401_patches.txt (Size: 6.88 KB / Downloads: 2,081)

For the upgrade of 1.4.1 to 1.4.2, the upgrader IS required -- this is so that templates may be updated. The manual patch set instructions only fixes the high risk and medium risk vulnerabilities and is only made available to temporarily secure your forum until you have time to run the complete upgrade. We strongly recommend updating as soon as possible.

Reporting MyBB security vulnerabilities
If you think you've found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we've had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

[Ryan Gordon]

MyBB 1.2.14 Patch
This patch is only for users running MyBB 1.2.14 or any previous release of the MyBB 1.2 series.

Please download "mybb_1214_patches.txt" attached to this post and follow the manual patching instructions.

Please note all users of the 1.2.x series are urged to upgrade to the latest release of MyBB. (1.4.2)


  mybb_1214_patches.txt (Size: 2.72 KB / Downloads: 1,459)

[Ryan Gordon]

Upgrading from 1.4.1
When upgrading from 1.4.1, you will not lose any custom themes, plugins or language packs which you may have installed.

Follow the general [Wiki: Upgrading] (Broken link, head over to docs.mybb.com instead) guide outlined on the MyBB Wiki to complete the upgrade process. You may download a ZIP archive of changed files in the first post.

You must then check for modified templates using the instructions in the next post.

Upgrading from other versions
If you are upgrading from a version earlier than 1.2 then you will lose your custom themes, templates and language packs due to the number of changes between your version and the 1.2 series.

Before you attempt to upgrade, ensure you have a database backup and a copy of the files currently in use on your board. This is so you can revert back to your earlier version if you need to or something goes horribly wrong with the upgrade process.

Please use the full MyBB 1.4.2 package for the upgrade process, available at http://www.mybboard.net/downloads . The changed files package on this thread is only for users upgrading from 1.4.1.

Follow the general [Wiki: Upgrading] (Broken link, head over to docs.mybb.com instead) guide outlined on the MyBB Wiki to complete the upgrade process.

Changed files since MyBB 1.4.1

• admin/
  • inc/
    • class_page.php **
      
    • functions.php
      
  • index.php
    
  • jscripts/
    • codepress/
      • codepress.js
        
  • modules/
    • config/
      • mycode.php
        
      • plugins.php
        
      • settings.php
        
    • forum/
      • announcements.php
        
      • attachments.php *
        
      • management.php
        
    • home/
      • index.php
        
      • module_meta.php
        
    • style/
      • templates.php *
        
      • themes.php
        
    • user/
      • groups.php *
        
      • mass_mail.php
        
      • module_meta.php
        
      • users.php
        
• install/
  • resources/
    • mybb_theme.xml
      
    • mysql_db_tables.php
      
    • sqlite_db_tables.php
      
    • upgrade12.php
      
    • upgrade13.php
      
  • upgrade.php
    
• inc/
  • class_core.php
    
  • class_error.php *
    
  • class_mailhandler.php
    
  • class_moderation.php **
    
  • datahandlers/
    • pm.php
      
    • post.php **
      
    • user.php
      
  • db_mysqli.php
    
  • functions.php **
    
  • functions_calendar.php
    
  • functions_compat.php
    
  • functions_forumlist.php
    
  • functions_indicators.php
    
  • functions_modcp.php
    
  • functions_post.php
    
  • functions_search.php
    
  • languages/
    • english/
      • admin/
      • showthread.lang.php
        
    • english.php
      
  • mailhandlers/
    • php.php
      
  • plugins/
    • akismet.php *
      
  • tasks/
    • dailycleanup.php
      
    • promotions.php
      
    • usercleanup.php
      
• jscripts/
  • editor_themes/
    • default/
      • images/
    • Office_2007/
      • images/
  • general.js
    
• announcements.php *
  
• attachment.php **
  
• editpost.php
  
• forumdisplay.php
  
• global.php ***
  
• index.php
  
• member.php
  
• modcp.php *
  
• moderation.php *
  
• newreply.php *
  
• newthread.php
  
• polls.php ***
  
• private.php *
  
• search.php
  
• showthread.php
  
• usercp.php **
  
• warnings.php
  
• xmlhttp.php
  

Red denotes the file has changes for the exploits and must be updated.
Green denotes the file is new
Gray denotes the files is deleted
* Denotes the file contains low risk vulnerability updates
** Denotes the file contains medium risk vulnerability updates
*** Denotes the file contains high risk vulnerability updates

Bugs fixed since MyBB 1.4.1

• #37744 - Chrome Theme Edits
  
• #37614 - Link to post in warning log incomplete.
  
• #37607 - Upgrade from 1.2 - not all mybb_usergroups columns converted to INT
  
• #37600 - Duplicate user-names (a race condition?)
  
• #37520 - Admin override not work
  
• #37497 - Bug in setting oldgroup in task (expire bans)
  
• #37448 - IP search bug when ip >= 128.0.0.0
  
• #37413 - Warning System Editor [Fix Provided]
  
• #37388 - Return-Path overruled by sendmail_from
  
• #37295 - Little translation issue
  
• #37270 - Highlighting only on first page of thread
  
• #37253 - Permissions changed after editing forum
  
• #37247 - toolbar.gif has a slight flaw
  
• #37206 - Error in xmlhttp.php
  
• #37194 - search does not work with postgresql
  
• #37097 - Can view member list permission not editable
  
• #37092 - non global css file assignment.
  
• #37089 - Search.php
  
• #37076 - possible error in dailycleanup.php
  
• #37005 - Unapproved posts on admin cp home
  
• #36966 - Missing info "IMG code is off"
  
• #36950 - UTF-8 in FROM mail header problem
  
• #36943 - class_mailhandler missing "
  
• #36929 - [Admin-CP] global language var overwritten by language file
  
• #36842 - Mod CP: awaiting moderation
  
• #36828 - Admin User Module Hook Typo
  
• #36780 - [Admin CP] session not deleted upon logout
  
• #36779 - two birthday bugs in member profile
  
• #36775 - PM of deleted user
  
• #36712 - The username you have entered is invalid and does not exist
  
• #36692 - 'Board default' not shown in language dropdown
  
• #36680 - Missing in Template private_send
  
• #36678 - forumsread doesn't work with postgres
  
• #36660 - missing space in Last-Modified header
  
• #36618 - Missing content in email notofication about a mass PM
  
• #36615 - Theme import and special chars
  
• #36581 - Settings not accessible from run_shutdown()
  
• #36580 - $lang-object not accessible from run_shutdown()
  
• #36555 - override style in forum
  
• #36546 - PM recipient's message quota not enforced
  
• #36526 - Attachments: bug returned
  
• #36489 - Delete unapproved posts
  
• #36483 - empty "Today's Birthdays" section if all bdays are hidden
  
• #36479 - Only the first active promotion is processed
  
• #36475 - Polls ( show results view )
  
• #36471 - plugin compatability
  
• #36444 - PGSQL: Error during upgrade
  
• #36415 - [Mod CP] three small bugs related to banning
  
• #36414 - [Mod CP] impossible to edit admin profiles
  
• #36413 - [Mod CP] regular moderators can't moderate attachments
  
• #36412 - [Mod CP] two bugs in the "Awaiting Moderation" table
  
• #36411 - [Mod CP] buggy hour/minute handling when adding/editing announcements
  
• #36410 - [Mod CP] multiple multipage-related bugs
  
• #36409 - incorrect unapproved attachment count
  
• #36392 - variables not defined when using postgresql
  
• #36372 - Time calculation bugs in promotions.php
  
• #36370 - Edit event
  
• #36369 - Little calendar issue
  
• #36359 - mysql_* in the mysqli class
  
• #36293 - Approve thread with attachment(s)
  
• #36288 - User search
  
• #36281 - Task System out of a cronjob
  
• #36260 - Attachment thumbnail viewing permissions
  
• #36256 - Column averagerating does not exist
  
• #36254 - Ranged event
  
• #36253 - Missing line in showthread.lang.php
  
• #36186 - [MyBB 1.4.1] SQL error before upgrade
  
• #36185 - incorrect subforum count
  
• #36138 - [MyBB 1.4.1] "Display posts using the classic layout"
  
• #36131 - Showthread nextoldest SQL error
  
• #36122 - install/upgrade.php
  
• #36121 - moderation.php
  
• #36110 - mistake in /inc/class_mailhandler.php
  
• #36105 - [Admin CP] odd login behavior
  
• #36033 - Missing lang variable in calendar_move
  
• #35951 - maximum attachments per post not enforced very well
  
• #35705 - Can't change time zone for adminstrator
  
• #35477 - About an error on registration of new members
  
• #35157 - "forumsread" table not fully implemented?
  

[Ryan Gordon]

Theme and template changes
Using the "Find Updated" link under the "Templates" page in the Admin CP you can find a list of the templates that have changed in this release that you've got one or more custom copies of.

After identifying changed templates using the tool you can either revert your custom template to the default (delete it) or use the "diff" tool to perform a difference analysis on your custom template and the default.

A revert for this release is not required so your custom version of the template should work perfectly fine.

Template changes
Since MyBB 1.4.1 the following templates have had changes to them:

• private_send
  
• polls_showresults_resultbit
  
• showthread_poll_resultbit
  
• search
  
• postbit_attachments_attachment_unapproved
  
• calendar_addevent
  
• calendar_eventbit_private
  
• calendar_eventbit
  
• calendar_editevent
  
• calendar_move
  
• warnings_warn_pm
  

Language file changes
Since MyBB 1.4.1 the following language files have had changes to them:

• admin/config_settings.lang.php
  
• showthread.lang.php
  

Either update your language packs to include the changes in these files or revert to the standard English language pack.

Plugins
Your MyBB 1.4.x plugins will work correctly with 1.4.2 without any updates.

[Ryan Gordon]

Discuss this announcement

[Ryan Gordon]

Hi,

If you've been experiencing issues with duplicate settings please see this thread: http://community.mybboard.net/thread-38018.html

Ryan