MyBB 1.1.2 Released
#1
MyBB 1.1.2 is a security update to MyBB 1.1.1. It fixes several low-risk vulnerabilities, with the majority of them found in the Admin CP. It also fixes one moderate-risk vulnerability on the front end of your board.

Our official stance behind the vulnerabilities found in the Admin CP is that they're low risk and very unlikely to affect any site. The vulnerabilities involve the user already having Admin CP access as well as Admin CP access to the specific sections they affect. There has been a user telling people that boards have been exploited by these vulnerabilities, but to our knowledge this is not the case. We recommend that you apply this update to your board, though it is up to you if you choose to apply the Admin CP changes too, due to the reasons stated previously.

Fixes:
  • Possible SQL injection via Admin CP (Requires local Admin access) (imei Web Security)
  • Possible SQL injection when validating new email address (imei Web Security)
  • Further SQL injection via Admin CP (Requires local Admin access) (MyBB Group)
The release on the MyBB site has also been updated to 1.1.2.

Update instructions are in the next post, including a list of changed files (and a ZIP archive of them) as well as manual patching instructions for those of you who have customized your code.

MyBB Group
#2
Updating from 1.1.1 Using Changed Files (Recommended)
You must already be running MyBB 1.1.1 to perform this method!
  • Download the attached "mybb_112_changed_files.zip" from this post.
  • Upload the contents of it to your forums in the corresponding folders.
  • Check your Admin CP to confirm you are running 1.1.2.
Updating from 1.1.1 Manually
You must already be running MyBB 1.1.1 to perform this method!
  • Download the attached "mybb_112_patch.txt" from this post.
  • Follow the manual patch instructions in the file, replacing or adding code where necessary and uploading the files back up to your web site.
Updating from Previous Releases
Download the latest release from the MyBB web site and follow the general upgrade procedure. (Found in docs/upgrade.html)

Changed Files
  • admin/adminfunctions.php
  • admin/forumpermissions.php
  • admin/settings.php
  • admin/smilies.php
  • admin/templates.php
  • admin/users.php
  • admin/usergroups.php
  • inc/functions.php (Version number change)
  • member.php


Attached Files
.zip   mybb_112_changed_files.zip (Size: 61.13 KB / Downloads: 1,577)
.txt   mybb_112_patch.txt (Size: 20.94 KB / Downloads: 1,177)
#3
The discussion thread for this announcement is here: http://community.mybboard.net/showthread.php?tid=8734
#4
If you are updating using the Changed Files zip, and your board has modifications on any of the affected files, you must reapply the modifications in order to regain their functionality.
Dennis Tsang
Former MyBB Team Member
Web: http://dennistt.net

