It has come to our attention that there may be a medium risk security vulnerability in MyBB 1.2.10 and earlier versions.

This vulnerability will allow a user to upload an undesirable avatar that even though they are told is invalid, is still left on the file system. Depending on some server configurations or when called via a web browser, this file may be executed either on the server side (as PHP) or on the client side (as HTML).

This is also a general flaw - when a user uploads an avatar and that doesn't return valid image dimensions, it won't be removed by MyBB.

Immediately we're releasing an update to MyBB 1.2.10 to fix this vulnerability/flaw. We recommend all users apply this fix to their forums as soon as possible.

Patching Your Installation
There are two ways to patch your existing installation of MyBB.

If you haven't made modifications to inc/functions_upload.php you can simply upload the attached version of the file overwriting your existing copy.

If you have modified inc/functions_upload.php, download the attached manual patching instructions and follow the instructions in the file to manually patch your board.

As of this post, the download on the MyBB website has also been updated.

Thank you to pepotiger for reporting thsi possible vulnerability to us.

More...