MyBB 1.1.3 Released
#1
MyBB 1.1.3 is a security update to the MyBB 1.x series. It fixes a moderate risk cross site scripting vulnerability and a moderate-high risk PHP injection vulnerability affecting all versions of MyBB (1.0 RC, 1.0 Final, 1.1 series).

We recommend all users upgrade their copy of MyBB to the latest available release.

Fixed vulnerabilities:
  • Potential cross site scripting with unsanitized input variable in private.php (D3vil-0x1)
  • Potential PHP arbitrary code executation vulerability with post parser (Secunia)
The release on the MyBB site has also been updated to 1.1.3.

Update instructions are in the next post, including a list of changed files (and a ZIP archive of them) as well as manual patching instructions for those of you who have customized their code.

Regarding MyBB 1.2
Development is still continuing. Myself (and other developers) are currently unable to be as active as we'd like to beat the moment due to being in major assessment and examination periods.

The beta testing phase will soon begin and users will be contacted to test this upcoming release. (Please do not request to become a tester - we chose you based on your experience and community participation)

Regards,
MyBB Group
#2
Updating from 1.1.2 Using Changed Files (Recommended)
You must already be running MyBB 1.1.2 to perform this method!
  • Download the attached "mybb_113_changed_files.zip" from this post.
  • Upload the contents of it to your forums in the corresponding folders.
  • Check your Admin CP to confirm you are running 1.1.3
Updating from 1.1.2 Manually
You must already be running MyBB 1.1.2 to perform this method!
  • Download the attached "mybb_113_patch.txt" from this post.
  • Follow the manual patch instructions in the file replacing or adding code where necessary and uploading the files back up to your web site.
Updating from Previous Releases
Download the latest release from the MyBB web site and follow the general upgrade procedure. (Found in docs/upgrade.html)

Changed Files
  • inc/functions.php (Version number change)
  • inc/functions_post.php
  • private.php


Attached Files
.txt   mybb_113_patch.txt (Size: 1 KB / Downloads: 805)
.zip   mybb_113_changed_files.zip (Size: 27.02 KB / Downloads: 1,117)
#3
Discuss this announcement: http://community.mybboard.net/showthread.php?tid=9623
#4
A proof of concept for the remote execution bug has been posted which serves nothing but malicious purposes. We ask that all users update their boards ASAP to avoid this.
#5
Registration Prevention Plugin

As it appears many script kiddies are trying to exploit boards with the mentioned proof of concept, attached is a plugin which will prevent these registrations and ban any IP addresses or email addresses which attempted to register with this username.

Upload the attached file to inc/plugins and then activate the plugin via the Admin CP.


Attached Files
.php   system_uname.php (Size: 2.13 KB / Downloads: 915)
#6
An updated version of the plugin in the previous post has been released. It will also ban the email address and IP address of the user who attempts to register with any matching name.


Forum Jump:


Users browsing this thread: 1 Guest(s)