Originally Posted by Chris Boulton

Due to 3 low risk browser based cross-site scripting vulnerability found in MyBB, we're releasing a security update to the MyBB 1.1.x series. The vulnerabilities include:

• Avatar / Attachment script insertion vulnerability (only affects users using Internet Explorer and directly accessing a malformed avatar or attachment
• Cross-site scripting vulnerability on Admin CP login form (imei Web Security)
• [url] tag cross site scripting vulnerability with unicode and malformed URL (imei Web Security)

We recommend all users upgrade their copy of MyBB to the latest available release.

The release on the MyBB site has also been updated to 1.1.8.

Update instructions are in the next post, including a list of changed files (and a ZIP archive of them) as well as manual patching instructions for those of you who have customized their code.

Beta testers running 1.2: You're only affected by the first vulnerability (IE specific). Please see the beta forum for an updated beta release.

Warning to web application developers:
The first vulnerability affects many web applications. You need to ensure that if you allow file uploads (such as images) that you're correctly checking the file upload type, the actual image type and the file extension.

The vulnerability is performed by spoofing the headers of an uploaded image and providing it with a different filename which causes Internet Explorer to locally execute any markup in the image.

You can read more at SecuriTeam - Microsoft Internet Explorer 6.0 Embedded Cross Site Scripting (GIF) and phpBB (and other BB systems) cookie disclosure exploit.

Originally Posted by harmor

I'm glad to see it's actively developed.
Didn't they have like a dozen XSS vulnerabilities already?