MyBB

Ryan Gordon · (This post was last modified: 08-17-2008 05:45 PM by Ryan Gordon.)

MyBB 1.4.1 is a general maintenance release and a security update to the MyBB 1.4 series. It fixes medium and low risk security vulnerabilities. We recommend everybody upgrades to this release immediately or patches their boards with the manual patching instructions below.

These vulnerabilities affect MyBB 1.4 and previous releases of MyBB 1.2 (including 1.2.14). Older versions of MyBB may also be affected. Please see the post below for upgrade instructions for 1.2.14.

WDZ is credited with the discovery of these vulnerabilities.

MyBB 1.4 to MyBB 1.4.1 Patch
This patch is only for users running MyBB 1.4. If you are running an older version of MyBB then please download MyBB 1.4.1 from the MyBB site and update to it.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.

.zip

mybb_1401_changed_files.zip (Size: 631.5 KB / Downloads: 1517)

If you wish to manually patch your board please download "mybb_1400_patches.txt" and follow the instructions in that file.

.txt

mybb_1400_patches.txt (Size: 2.93 KB / Downloads: 904)

For the upgrade of 1.4 to 1.4.1, the upgrader IS required -- this is so that templates may be updated. The manual patch set instructions only fix the medium risk vulnerabilities and is only made available to temporarily secure your forum until you have time to run the complete upgrade. We strongly recommend updating as soon as possible.

Reporting MyBB security vulnerabilities
If you think you've found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we've had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

Ryan Gordon · 08-17-2008, 07:57 AM

MyBB 1.2.14 Patch
This patch is only for users running MyBB 1.2.14 or any previous release of the MyBB 1.2 series.

Please download "mybb_1214_patches.txt" attached to this post and follow the manual patching instructions.

Please note all users of the 1.2.x series are urged to upgrade to the latest release of MyBB. (1.4.1)

.txt

mybb_1214_patches.txt (Size: 2.33 KB / Downloads: 477)

Ryan Gordon · 08-17-2008, 07:57 AM

Upgrading from the 1.4 series
When upgrading from 1.4, you will not lose any custom themes, plugins or language packs which you may have installed.

Follow the general [Wiki: Upgrading] guide outlined on the MyBB Wiki to complete the upgrade process. You may download a ZIP archive of changed files in the first post.

You must then check for modified templates using the instructions in the next post.

Upgrading from other versions
If you are upgrading from a version earlier than 1.2 then you will lose your custom themes, templates and language packs due to the number of changes between your version and the 1.2 series.

Before you attempt to upgrade, ensure you have a database backup and a copy of the files currently in use on your board. This is so you can revert back to your earlier version if you need to or something goes horribly wrong with the upgrade process.

Follow the general [Wiki: Upgrading] guide outlined on the MyBB Wiki to complete the upgrade process.

Changed files since MyBB 1.4

install/
- index.php
- resources/
  - language.lang.php
  - mybb_theme.xml
  - upgrade11.php
  - upgrade12.php
  - upgrade13.php
  - upgrade14.php
  - upgrade3.php
  - upgrade5.php
- upgrade.php
jscripts/
- editor.js
admin/
- jscripts/
  - codepress/
    - codepress.js
- modules/
  - config/
    - plugins.php
    - settings.php
  - forum/
    - management.php
  - home/
    - version_check.php
  - style/
    - templates.php
    - themes.php
  - tools/
    - backupdb.php
    - maillogs.php
  - user/
    - admin_permissions.php
    - banning.php
    - groups.php
    - mass_mail.php
    - titles.php
    - users.php
inc/
- class_core.php
- class_datacache.php
- class_error.php
- class_language.php
- class_mailhandler.php
- class_moderation.php
- class_session.php
- datahandlers/
  - post.php
  - user.php
- db_mysql.php
- db_mysqli.php
- db_pgsql.php
- db_sqlite2.php
- db_sqlite3.php
- functions.php
- functions_forumlist.php
- functions_image.php
- functions_massmail.php
- functions_modcp.php
- functions_online.php
- functions_task.php
- functions_upload.php
- init.php
- languages/
  - english/
    - admin/
    - online.lang.php
    - search.lang.php
- mailhandlers/
  - php.php
- tasks/
  - massmail.php
announcements.php
attachment.php
calendar.php
captcha.php
css.php
editpost.php
forumdisplay.php
global.php
index.php
managegroup.php
member.php
memberlist.php
misc.php
modcp.php
moderation.php
newreply.php
newthread.php
online.php
polls.php
portal.php
printthread.php
private.php
ratethread.php
report.php
reputation.php
search.php
sendthread.php
showteam.php
showthread.php
stats.php
syndication.php
task.php
usercp.php
usercp2.php
warnings.php
xmlhttp.php

Red denotes the file has changes for the exploits and must be updated.
Green denotes the file is new
Gray denotes the files is deleted

Bugs fixed since MyBB 1.4

#35922 - Delete admin group permissions
#35921 - Wrong links on maillog page
#35881 - Inline error on Add Warning page does not save PM message
#35880 - merging threads doesn't update attachment count
#35812 - Add template without name
#35799 - users suspended from posting can use Quick Edit but not Full Edit
#35787 - four typos in private.php
#35786 - /me command not replaced in quoted PM
#35785 - PM folder jump selection
#35775 - template search case-sensitivity
#35772 - invalid argument for add_task_log()
#35689 - ACP admin log for delete user title
#35612 - showteam.php
#35594 - space in guid makes version check stop working
#35562 - AdminCP, Users Searching / Show users who have registered/posted with this IP bug
#35538 - Report a bug
#35401 - super moderator can edit super admin
#35344 - admin/jscripts/config_settings.js is missing
#35270 - Just noticed.....
#35220 - Broken links in notification mails
#35187 - "Who Posted" feature and unapproved posts
#35186 - [search results page] missing tooltips
#35170 - "maximum emails per day" doesn't work
#35169 - ratethread.php: cookie name typo
#35160 - Plugin error message
#35156 - duplicated template newthread_postpoll
#35154 - SQL error in build_mass_mail_query()
#35153 - typo in function get_current_location()
#35152 - [Who's Online] broken printthread support
#35150 - [Mod CP] errors not displayed when trying to add announcement
#35149 - showthread.php: unused $options arrays
#35147 - syndication.php: disablesmilies -> smilieoff
#35146 - regex typo in function my_strlen()
#35145 - Two bugs in function update_first_post()
#35134 - Umlauts in mass mailings
#35117 - Old setting and/or settinggroups not deleted
#35087 - Multiple additional user groups are not shown correctly when editing a user
#35086 - Reported posts not shown to moderators
#35080 - Cache usertitles not updated
#35065 - Notifications in wrong language
#35062 - Backup doesn't work in FF3
#35058 - Ampersand code showing up on forum, but showing literally in ACP.
#35017 - 2096 Messages in PM Sent box
#35011 - Small translation issue
#34991 - Avatar Gallery Sub-Folders wont show Avatars in Admin
#34974 - untranslated plugins make forum die()
#34956 - Thread Subscriptions
#34930 - upgrade problem (1.2.2=>1.4) "field_exists function"
#34929 - [Bug] - Admin CP -> Users & Groups
#34922 - Warnings and merge user
#34867 - Birthday cache not updated
#35009 - [split] MyBB SQL Error [URGENT] =(
#34847 - Subforum specific style options don't work
#34795 - Three Bugs
#34775 - Inline post custom moderation
#34773 - Can't add a new category
#34770 - PM Report author
#34758 - Slow Office Editor
#34738 - Issue when searching for users with *exactly* 0 posts in AdminCP.
#34732 - Safe Mode & mkdir
#34715 - Little omission in inc/functions.php
#34710 - spiders didn't effected with thier group username style
#34685 - inc/functions_online.php broken
#34675 - "s again
#34674 - Admin: module: config/plugins
#34656 - User Miscounts in groups
#34640 - Theme exporting
#34598 - MyBB 1.4 Gold - Theme Editor
#34590 - Avatar wrong CHMod
#34282 - PHP mail function

Ryan Gordon · 08-17-2008, 07:57 AM

Theme and template changes
Using the "Find Updated" link under the "Templates" page in the Admin CP you can find a list of the templates that have changed in this release that you've got one or more custom copies of.

After identifying changed templates using the tool you can either revert your custom template to the default (delete it) or use the "diff" tool to perform a difference analysis on your custom template and the default.

A revert for this release is not required so your custom version of the template should work perfectly fine.

Template changes
Since MyBB 1.4 the following templates have had changes to them:

search_results_threads_thread
usercp_subscriptions
modcp_announcements_new

Language file changes
Since MyBB 1.4 the following language files have had changes to them:

online.lang.php
search.lang.php
admin/tools_maillogs.lang.php

Either update your language packs to include the changes in these files or revert to the standard English language pack.

Plugins
Your MyBB 1.4.x plugins will work correctly with 1.4 without any updates.

Ryan Gordon · 08-17-2008, 07:58 AM

Discuss this announcement

Ryan Gordon · (This post was last modified: 08-18-2008 12:35 AM by Ryan Gordon.)

For anyone who has downloaded the changed file package up to the point this post was made, and had ran the upgrade script, then you may have run into an issue where your setting groups were duplicated. If you have duplicate setting groups then please run this script:

.php

1401_settinggroups_remove.php (Size: 1.16 KB / Downloads: 368)

Please upload it to your main MyBB Directory and call it via your browser. After you finish please delete it.

If you have lost your settings, then please PM me (Ryan Gordon) to receive a script to recover as much of the settings we can. If you have a backup then we strongly recommend you use that. If you require assistance with that then please make a post in the support forum.

We strongly apologize for any inconvenience this has caused you.

Ryan
MyBB Group