MyBB PR2 Security Update [1/11/05]

[Chris Boulton]

MyBB PR2 Security Update

There has been a rather serious security issue found in MyBB PR2 and all pervious versions. This update also patches a small problem which was bought to our attention.

The major security issue could allow your board to be compromised via an SQL injection based vulnerability whilst the secondary vulnerability is one which could be exploited to perform a DOS [Denial of Service] attack on your server (or cause long page load times).

This security exploit can affect:

• All users running MyBB PR2
• A range of users running MyBB RC4 with PHP's magic_quotes off

There have been several boards already exploited by this vulnerability, discovered on the 26th October and for this reason we urge all users to update to the files attached below and to notify anyone else you know who's running MyBB to do the same.

As of this post, the release on the MyBB website has also been updated.

Patch Instructions:
Download the attached ZIP file and extract it locally on your machine. It should contain 4 files:

• inc/functions_user.php
• forumdisplay.php
• showthread.php
• usercp.php

Please upload these files to your forum root preserving the directory structure (ie, make sure functions_user.php is in your 'inc' directory).

After you've uploaded the supplied files then your board has been patched.

Due to the nature of these exploits, as well as other updates to the code we will not be providing manual patching instructions for this release.


Our initial intentions after hearing about this exploit being made public were to bring you 1.0 ASAP. However due to the release of MySQL 5, we've had to make some changes to MyBB and we're currently needing to test them before release.

We thank you for your continued support and we're sorry to have to be patching a security related issue which has already affected a few users.

[technorati]mybb[/technorati]

[Chris Boulton]

Checking if you're protected

If you need to check if you're protected against this exploit/vulnerability then please see the following notes.

At the top of each of the MyBB files in the comments is an Id tag which is similar to the following:

* $Id: showthread.php 878 2005-11-01 12:26:02Z chris $

The Id outlines:

• The filename - showthread.php in this case
• The revision number of this file (878)
• Date and time of last commit to MyBB repository
• Last author to commit the file

The revision numbers for the files fixed in this exploit should be:

• usercp.php - 869
• forumdisplay.php - 865
• showthread.php - 878
• inc/functions_user.php - Does not contain revision number

Your revision numbers should be of equal or higher value. If they are, it means you're protected.

[Chris Boulton]

Discussion

Please direct all of the discussion relating to this security update here: http://community.mybboard.net/showthread.php?tid=4509