01-08-2008, 12:22 PM   #1
Industry News
[MyBB News] MyBB 1.2.11 Released - IMPORTANT Security Update

MyBB 1.2.11 is a security update to the MyBB 1.2 series. It fixes two HIGH risk security vulnerabilities and a few low risk vulnerabilities reported in MyBB earlier today. We recommend everybody upgrades to this release immediately or patches their boards with the manual patching instructions below.

Both high risk vulnerabilities have been observed to have been used and exploited by malicious users already.

This security update fixes:

[HIGH RISK] Remote execution vulnerability in forumdisplay.php allowing arbitrary file system access and code execution.
[HIGH RISK] Remote execution vulnerability in search.php allowing arbitrary file system access and code execution.
[LOW RISK] SQL injection via moderation features. (Note: This requires the attacker have a moderator account)
[LOW RISK] SQL injection via the Admin CP and approve join requests feature. (Note: This requires the attacker have an administrator account)


Thank you to both koziolek and waraxe for reporting these vulnerabilities.

These vulnerabilities affect MyBB 1.2.10 and previous releases of MyBB 1.2. Older versions of MyBB may also be affected.

MyBB 1.2.10 to MyBB 1.2.11 Patch
This patch is only for users running MyBB 1.2.10. If you are running any other version of the MyBB 1.2 series then please download MyBB 1.2.11 from the MyBB site and update to it.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.

[attachment=8398]

If you wish to manually patch your board please download "mybb_1211_patches.txt" and follow the instructions in that file.

[attachment=8399]

For the upgrade of 1.2.10 to 1.2.11, the upgrader is NOT required -- just replace the files (or modify them as per the manual patch instructions) and you will be set.

Want us to patch your installation?
Due to the severe nature of these vulnerabilities, we urge all users to upgrade their forums as soon as they read this message.

If you're unsure of how, don't have the time or need assistance patching your board then please contact one of the staff mentioned below. We'll patch your board for you as soon as we can.

Note: This is only for patching your board for this vulnerability. We cannot upgrade your forums from other major releases. We also require your FTP/server details to perform the upload.

Staff performing upgrades:

Chris Boulton


Reporting MyBB security vulnerabilities
If you think you've found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we've had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

01-09-2008, 02:37 AM   #2
Belloman
Upgraded from 1.2.9 without a problem... just had to reapply my template conditionals mod...
__________________
Justin S. / MyBB Wiki Lead /
01-09-2008, 06:23 AM   #3
Jon
Good thing I caught this when I did. Thanks MyBB team.
All times are GMT +1.