MyBB Updates & Tips
Ensure you are updated with the latest patch for MyBB, as there are many security vulnerabilities in older versions:
MyBB 1.6.3 Release & 1.4.16 Security Update
MyBB 1.6.3 and 1.4.16 are now available to download. They fix 1 high risk vulnerability and 1 low risk vulnerability. We recommend that everyone upgrade to this release immediately or patch their boards using the manual patching instructions below.
Thanks to Charlie Somerville and thebod for discovering them. These vulnerabilities are:
* An SQL injection vulnerability in showthread.php (internal report)
* Issue #1487 - CSRF vulnerability in misc.php?action=markread
In addition to the vulnerabilities, the updates also fix the following issues:
* SQL error on malformed search keywords
* IE9 JavaScript issues (1.6.3 only)
* MySQL 5.5 compatibility (1.6.3 only)
Ref. Source 2
MyBB 1.6.4 Released - Feature Update, Security & Maintenance Release
MyBB 1.6.4 is now available from the MyBB website and is a feature update, security and maintenance release for the 1.6 series.
What's added/changed in this version?
In 1.6.4, there are 2 new updates, and over 100 reported issues have been fixed.
Please be aware that not all of the existing problems have been fixed in this version. Because of the size of the updates, these will be fixed in a later release.
Ref. MyBB
MyBB 1.6.4 security announcement
A little over two weeks ago we announced the discovery of a rather significant vulnerability which may have affected some users. At the time there was a lot of uncertainty regarding the circumstances, but I feel it's time to follow up on our original announcement with what has since come to hand. I hope this will answer any outstanding questions, ease some of the concern, and most importantly I hope everyone checks their installations to make sure they are not vulnerable.
Ref. Source 5
MyBB 1.6.6 Security Release
In 1.6.6, 1 major issue and 14 low risk vulnerabilities have been fixed. Only the issues listed below are fixed; a further maintenance release will be available with general fixes to functionality in the near future.
Vulnerabilities:
Non-Critical: Import a non-CSS stylesheet (Theme)
Low Risk: CSRF vulnerability on Admin CP logout (Issue #1769)
Low Risk: CSRF vulnerability when clearing a stored password (Issue #1824)
Low Risk: CSRF vulnerability when removing a buddy (Issue #1825)
Low Risk: CSRF vulnerability with Admin CP join requests (Issue #1834)
Low Risk: CSRF vulnerability in Group Promotions Enable/Disable
Low Risk: CSRF vulnerability in ACP Edit User (Avatar)
Low Risk: CSRF vulnerability with activating a user
Low Risk: XSS vulnerability when moving an event (Calendar)
Low Risk: XSS vulnerabilities in Akismet plugin
Low Risk: XSS vulnerabilities in Forum Subscriptions (User CP)
Low Risk: XSS vulnerability in Moderator Logs
Low Risk: XSS vulnerability in Edit Post
Low Risk: XSS vulnerability when editing Announcements