+--------------------------------------------------------------------------------+
| MyBB 1.4 - Security Update Patch File |
| (c) 2008 MyBB Group. |
| |
| This patch file fixes some medium and low risk issues in MyBB 1.4 |
| |
| Please follow the instructions documented to manually patch your board. |
+--------------------------------------------------------------------------------+
===============
1. misc.php
===============
Find:
--
$editor = htmlspecialchars($mybb->input['editor']);
--
Replace with:
--
$editor = addslashes(htmlentities($mybb->input['editor']));
--
===============
2. usercp2.php
===============
Find:
--
$url = $mybb->input['referrer'];
--
Replace with:
--
$url = htmlspecialchars_uni(addslashes($mybb->input['referrer']));
--
===============
3. inc/functions_online.php
===============
--
Find:
--
$user_activity['location'] = $location;
--
Replace with:
--
$user_activity['location'] = htmlspecialchars_uni($location);
--
===============
4. moderation.php
===============
--
Find:
--
$info .= "$lang->thread ".$modaction['tsubject']."
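Review bot: In section 1 (misc.php), `addslashes(htmlentities(...))` stacks an SQL-style escaper on top of an HTML encoder, which is not a correct encoding for either an HTML or a JavaScript output context. `htmlentities()` is called without a quote-style or charset argument, so single quotes stay unencoded and, on the PHP versions current in 2008, the input is treated as ISO-8859-1, unlike the `htmlspecialchars_uni()` calls in sections 2 to 4. The template that consumes `$editor` is not shown here; if the value only names an editor instance, as the parameter name suggests, an allow-list is easier to reason about than layered escaping: `$editor = preg_replace('#[^a-zA-Z0-9_]#', '', $mybb->input['editor']);`.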
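Review bot: In section 2 (usercp2.php), encoding `referrer` does not constrain where the URL points: an absolute off-site address passes through `htmlspecialchars_uni(addslashes(...))` unchanged. How `$url` is used lies outside this snippet, but if it feeds a redirect or a link the value should be validated as a same-site URL before it is encoded, and the line deserves a comment such as `// TODO: accept only same-site URLs here; output encoding alone does not restrict the target`. `addslashes()` adds nothing in an HTML context and will alter legitimate URLs that contain quotes or backslashes.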
";
--
Replace with:
--
$info .= "$lang->thread ".htmlspecialchars_uni($modaction['tsubject'])."
";
--
ALSO Find:
--
$info .= "$lang->post ".$modaction['psubject']."";
--
Replace with:
--
$info .= "$lang->post ".htmlspecialchars_uni($modaction['psubject'])."";
--
ALSO Find:
--
$custommod->execute(intval($mybb->input['action']), $tids);
--
Add before:
--
if(!is_moderator_by_tids($tids)) { error_no_permission(); }
--
ALSO Find:
--
$ret = $custommod->execute(intval($mybb->input['action']), $tid);
--
Add before:
--
if(!is_moderator_by_tids($tid)) { error_no_permission(); }
===============
5. inc/class_core.php (Version number change)
===============
Find:
--
/** * The friendly version number of MyBB we're running. * * @var string */ var $version = "1.4"; /** * The version code of MyBB we're running. * * @var integer */ var $version_code = 1400;
--
Replace with:
--
/** * The friendly version number of MyBB we're running. * * @var string */ var $version = "1.4.1"; /** * The version code of MyBB we're running. * * @var integer */ var $version_code = 1401;
--
ALL DONE
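Review bot: In section 4 (moderation.php), the two added permission checks call `is_moderator_by_tids()` with different argument shapes, what looks like a list in `$tids` and a single id in `$tid`, and this patch file does not show the function's definition. Confirm that it accepts a scalar, or normalise at the call site with `if(!is_moderator_by_tids(array($tid)))`, since otherwise the single-thread path may error out or not check the intended thread. The second "Add before" snippet also lacks its closing `--` delimiter before section 5, so when patching by hand make sure the closing brace of the `if` block is copied and the section 5 header is not.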