MyBB

***Chris Boulton*** · 06-22-2006, 11:50 AM

In something which couldn't have come at a worse time for us with 1.2 going in to beta next week, we're releasing MyBB 1.1.4 - a security update to the MyBB 1.x series. It fixes a moderate risk SQL injection vulnerability affecting MyBB 1.0 to MyBB 1.1.3.

We recommend all users upgrade their copy of MyBB to the latest available release.

Potential SQL injection in usercp.php (imei Web Security)

The release on the MyBB site has also been updated to 1.1.4.

Update instructions are in the next post, including a list of changed files (and a ZIP archive of them) as well as manual patching instructions for those of you who have customized their code.

I was only notified of this issue within the past hour and I am unaware of any widespread knowledge of it. It is a small fix for what is debatable as being something partly to blame on how PHP works and its treatment of 'true' and '1'.

Regards,
MyBB Group

***Chris Boulton*** · (This post was last modified: 06-22-2006 11:57 AM by Chris Boulton.)

Updating from 1.1.3 Using Changed Files (Recommended)
You must already be running MyBB 1.1.3 to perform this method!

Download the attached "mybb_114_changed_files.zip" from this post.
Upload the contents of it to your forums in the corresponding folders.
Check your Admin CP to confirm you are running 1.1.4

Updating from 1.1.3 Manually
You must already be running MyBB 1.1.3 to perform this method!

Download the attached "mybb_114_patch.txt" from this post.
Follow the manual patch instructions in the file replacing or adding code where necessary and uploading the files back up to your web site.

Updating from Previous Releases
Download the latest release from the MyBB web site and follow the general upgrade procedure. (Found in docs/upgrade.html)

Changed Files

inc/functions.php (Optional - Version number change)
usercp.php

***Chris Boulton*** · 06-22-2006, 11:51 AM

Discussion thread for this announcement: http://community.mybboard.net/showthread.php?tid=9956

***Dennis Tsang*** · 06-26-2006, 02:45 AM

Several forums have been exploited today, and by the looks of it, because of the lack of this patch. The consequences to your board of being exploited may be severe, including deletion of content. The MyBB Group urges all users to upgrade to the latest version as soon as possible.

Kodaks · 06-26-2006, 02:24 PM

It has come to our attention that MyBB versions other than 1.1.3 may also be affected in this series of hackings. We strongly urge all individuals to maintain a daily MySQL backup for the time being.