Hi,

It has come to our attention that a new vulnerability has been found in MyBB 1.2.1 which also affects MyBB 1.1.8 and all other previous versions of MyBB.

This vulnerability allows a hacker to upload a false GIF image which contains executable code which can then be used to obtain the authentication details for a logged in user viewing the page.

Immediately we're releasing a patch for both versions of MyBB which we're currently supporting. Both versions, 1.2.1 and 1.1.8 have also been updated on the MyBB site.

As a security precaution we also recommend that all administrators change their passwords.

MyBB 1.2.1 Patch
This patch is only for users running MyBB 1.2.1 or any release of the MyBB 1.2 series.

Please download the attached functions_upload.php and replace the copy in your inc/ directory.

If you wish to manually patch your board please download "attachments_121_manual_patch.txt" and follow the instructions in that file.

Please note that you should also start preparing for MyBB 1.2.2 as it will be released in the coming days.

More...

I hope MyBB is as easy to update as vBulletin....

__________________

That patch is really easy... change one line of code! It's because that's a security patch. For 1.2.2, you'll have to upload changed files - it'll be a bugfix release

__________________

Justin S. / MyBB Wiki Lead / RCTgo.net

Oh i have patched it OK, i am more worried about freaking up the upgrade, I'm too used to vBulletin now...

__________________

This is an easy one. I have patched my board.