[MyBB News] MyBB 1.2.11 Released - IMPORTANT Security Update
MyBB 1.2.11 is a security update to the MyBB 1.2 series. It fixes two HIGH risk security vulnerabilities and a few low risk vulnerabilities reported in MyBB earlier today.

We recommend everybody upgrades to this release immediately or patches their boards with the manual patching instructions below. Both high risk vulnerabilities have been observed to have been used and exploited by malicious users already.

This security update fixes:

[HIGH RISK] Remote execution vulnerability in forumdisplay.php allowing arbitrary file system access and code execution.
[HIGH RISK] Remote execution vulnerability in search.php allowing arbitrary file system access and code execution.
[LOW RISK] SQL injection via moderation features. (Note: This requires the attacker have a moderator account)
[LOW RISK] SQL injection via the Admin CP and approve join requests feature. (Note: This requires the attacker have an administrator account)

Thank you to both koziolek and waraxe for reporting these vulnerabilities.

These vulnerabilities affect MyBB 1.2.10 and previous releases of MyBB 1.2. Older versions of MyBB may also be affected.

MyBB 1.2.10 to MyBB 1.2.11 Patch

This patch is only for users running MyBB 1.2.10. If you are running any other version of the MyBB 1.2 series then please download MyBB 1.2.11 from the MyBB site and update to it.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.

[attachment=8398]

If you wish to manually patch your board please download "mybb_1211_patches.txt" and follow the instructions in that file.

[attachment=8399]

For the upgrade of 1.2.10 to 1.2.11, the upgrader is NOT required -- just replace the files (or modify them as per the manual patch instructions) and you will be set.

Want us to patch your installation?

Due to the severe nature of these vulnerabilities, we urge all users to upgrade their forums as soon as they read this message. If you're unsure of how, don't have the time or need assistance patching your board then please contact one of the staff mentioned below. We'll patch your board for you as soon as we can.

Note: This is only for patching your board for this vulnerability. We cannot upgrade your forums from other major releases. We also require your FTP/server details to perform the upload.

Staff performing upgrades: Chris Boulton

Reporting MyBB security vulnerabilities

If you think you've found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we've had time to prepare and release a patch. As always, you can send through security related messages on the MyBB website from the Contact Us page.
