MyBB 1.6.5

MyBB 1.6.5 was released November 25, 2011.

1.6.5 is a medium-sized security, maintenance and feature upgrade for the 1.6 series. There are several new changes in this version which can help you find Spam users on your forum. These are explained below.

1.6.5 fixes 3 vulnerabilities. These are:

Non-Critical

  • An issue with an unparsed user avatar in the buddy list - reported by labrocca
  • Potential XSS vulnerability with validating usernames via AJAX - reported by Will G

These are rated as non-critical due to their obscure methods of execution.

Low Risk

In 1.6.4, a change was made to the templates system that denied the use of the $config data array. This has been changed so that only the database password cannot be accessed.

Feature updates can be small or large changes to the way MyBB features work. The following changes have been made in 1.6.5.

  • Birthdays
There are 2 new settings that affect Birthdays. In the Forum Home settings, 'Only Show Birthdays with x Posts' allows you to limit users with a certain post count appearing in the birthday list on the forum index. This is a global setting that affects all users. In the usergroup settings, under the Miscellaneous tab, 'Can be shown in the birthday list?' can toggle whether users in the usergroup will appear in the birthday list on the forum index.
  • Signature Control
There are 3 new settings that affect Signatures - all are usergroup settings. Under the Users and Permissions tab, 'Can add a signature' and 'Required Post Count Before Signature Can Be Added' limit whether and when the user can add a signature. 'Signature links have nofollow enabled?' will automatically make links posted in a signature nofollow links.
  • Find Users
There are some changes to the Admin Control Panel (ACP) Users & Groups Find Users panel. Previously you had to enter the text to search for in a field. Now you can search for fields that are not empty - for example, if they have anything set for that field. This will allow you to search for users that have added a website, set a signature or updated their Bio - traditional traits of a spammer - from inside the ACP without having to enter something specific. There is also a new field - 'Registered in the last x days'. This will limit the search to users that have registered in a given time frame.
  • Custom Profile Fields
Within custom profile fields, there is now a new option to set a minimum post count. Only users with a certain amount of posts will be able to complete these fields.
  • Hidden CAPTCHA
It is now possible to use a hidden CAPTCHA, a 'honeypot' field that typically only spam bots will fill in, that can be configured from the ACP. Under the User Registration and Profile Options settings, the 'Display a hidden CAPTCHA' setting will turn this on or off (off by default), and the 'Hidden CAPTCHA field' setting will be the name of this field in the registration form. If this field is filled in, the registration will be denied.
  • reCAPTCHA
The ability to choose between the MyBB CAPTCHA or reCAPTCHA was added in 1.6.5. In the General Configuration settings, you can choose reCAPTCHA from the 'CAPTCHA Images for Registration & Posting' setting. Please note that to use reCAPTCHA you must have a public and private key. You can get these by creating an account on the reCAPTCHA website. Please note that if you use reCAPTCHA and have guest posting turned on, a guest must enter the challenge when they preview a post too.
  • Reputation
From 1.6.5, you can now disable negative and/or neutral and/or positive reputation. You can configure these in the Reputation settings. Please note that if you have no reputation options available, the reputation system will be disabled.

Work is continuing on the Spam Ninja plugin, which lets you manage spam on your forum much more effectively. This will be coming in the near future.

  • PM Override
A new usergroup setting was added that enables the group to be able to send a PM to a user even if the recipients have them disabled. You can find this under the Users & Permissions tab when editing a usergroup.
  • Parent Forum Lightbulbs
An experimental setting was added into 1.6.5 that attempts to mark parent forums as read if there are no more unread posts in a subforum. It's experimental because it could cause additional load on your forum if you have many subforums or if your forum is very busy. Give it a try by switching it on in the Forum Display Configuration options and let us know how it goes in the 1.6 Suggestions and Feedback forum.

The following files have changed since 1.6.4.

  • admin
    • inc
      • class_form.php
      • class_page.php
      • functions.php
    • jscripts
      • quick_perm_editor.js
    • modules
      • config
        • banning.php
        • module_meta.php
        • profile_fields.php
        • settings.php
      • forum
        • management.php
        • module_meta.php
      • home
        • index.php
        • credits.php
        • module_meta.php
      • style
        • module_meta.php
      • tools
        • adminlog.php
        • module_meta.php
        • system_health.php
        • tasks.php
      • user
        • groups.php
        • module_meta.php
        • users.php
    • styles
      • sharepoint
        • style.php
    • index.php
  • inc
    • datahandlers
      • event.php
      • pm.php
      • post.php
      • user.php
    • languages
      • english
        • admin
          • config_banning.lang.php
          • config_languages.lang.php
          • config_profile_fields.lang.php
          • config_settings.lang.php
          • forum_management.lang.php
          • global.lang.php
          • style_themes.lang.php
          • tools_adminlog.php
          • tools_maillogs.php
          • tools_modlog.lang.php
          • user_group_promotions.lang.php
          • user_groups.lang.php
          • user_mass_mail.lang.php
          • user_users.lang.php
        • akismet.lang.php
        • calendar.lang.php
        • global.lang.php
        • member.lang.php
        • memberlist.lang.php
        • modcp.lang.php
        • moderation.lang.php
        • newreply.lang.php
        • newthread.lang.php
        • online.lang.php
        • private.lang.php
        • reputation.lang.php
        • usercp.lang.php
        • warnings.lang.php
      • english.php
    • class_captcha.php
    • class_core.php
    • class_custommoderation.php
    • class_mailhandler.php
    • class_moderation.php
    • class_parser.php
    • class_plugins.php
    • functions.php
    • functions_forumlist.php
    • functions_image.php
    • functions_indicators.php
    • functions_online.php
    • functions_post.php
    • functions_posting.php
    • functions_upload.php
    • functions_user.php
  • install
    • resources
      • upgrade21.php
  • jscripts
    • editor.js
    • inline_moderation.js
    • thread.js
  • announcements.php
  • captcha.php
  • editpost.php
  • forumdisplay.php
  • global.php
  • index.php
  • member.php
  • memberlist.php
  • misc.php
  • modcp.php
  • moderation.php
  • newreply.php
  • newthread.php
  • online.php
  • polls.php
  • ratethread.php
  • reputation.php
  • showteam.php
  • showthread.php
  • usercp.php
  • warnings.php
  • xmlhttp.php

Red represents files that contain security updates
Green represents new files added in this release

The following language files have had changes made to them. Use a file difference tool to cross reference.

  • admin
    • config_banning.lang.php
    • config_languages.lang.php
    • config_profile_fields.lang.php
    • config_settings.lang.php
    • forum_management.lang.php
    • global.lang.php
    • style_themes.lang.php
    • tools_adminlog.php
    • tools_maillogs.php
    • tools_modlog.lang.php
    • user_group_promotions.lang.php
    • user_groups.lang.php
    • user_mass_mail.lang.php
    • user_users.lang.php
  • akismet.lang.php
  • calendar.lang.php
  • global.lang.php
  • member.lang.php
  • memberlist.lang.php
  • modcp.lang.php
  • moderation.lang.php
  • newreply.lang.php
  • newthread.lang.php
  • online.lang.php
  • private.lang.php
  • reputation.lang.php
  • usercp.lang.php
  • warnings.lang.php


Changes from Issue 1373: If you're using any of the following hooks in your plugins, you need to make sure you're returning the variable passed to it, as in 1.6.5 these were all switched from using $plugins->run_hooks_by_ref("func", $var) to $var = $plugins->run_hooks("func", $var), as passing by reference is now deprecated in PHP.

  • admin_config_menu
  • admin_config_action_handler
  • admin_config_permissions
  • admin_home_menu
  • admin_home_action_handler
  • admin_home_menu_quick_access
  • admin_user_menu
  • admin_user_action_handler
  • admin_user_permissions
  • admin_user_groups_edit_graph_tabs
  • admin_forum_management_permission_groups
  • admin_forum_menu
  • admin_forum_action_handler
  • admin_forum_permissions
  • admin_tools_menu
  • admin_tools_action_handler
  • admin_tools_menu_logs
  • admin_tools_get_admin_log_action
  • admin_tools_permissions
  • admin_style_menu
  • admin_style_action_handler
  • admin_style_permissions
  • admin_page_output_nav_tabs_start
  • admin_page_output_tab_control_start
  • admin_form_output_submit_wrapper
  • admin_formcontainer_output_row
  • admin_tabs
  • upload_avatar_end
  • upload_attachment_do_insert
  • upload_file_end
  • my_date
  • error
  • redirect
  • mycode_add_codebuttons
  • functions_fetch_ban_times
  • fetch_wol_activity_end
  • build_friendly_wol_location_end
  • parse_quoted_message
  • postbit_prev
  • postbit_pm
  • postbit_announcement
  • postbit
  • build_forumbits_forum
  • class_moderation_delete_post_start


The following hooks are using the new version of $plugins->run_hooks_by_ref(), which instead of passing by ref, requires that you receive by ref.

  • admin_form_end
  • datahandler_event_validate
  • datahandler_event_insert
  • datahandler_event_update
  • datahandler_user_validate
  • datahandler_user_insert
  • datahandler_user_update
  • datahandler_pm_validate
  • datahandler_pm_insert_updatedraft
  • datahandler_pm_insert
  • datahandler_pm_insert_savedcopy
  • datahandler_post_validate_post
  • datahandler_post_insert_post
  • datahandler_post_validate_thread
  • datahandler_post_insert_thread
  • datahandler_post_insert_thread_post
  • datahandler_post_update_thread
  • datahandler_post_update


If you're using the send_mail_queue_mail hook, you will need to find an alternate solution, since it is removed as of 1.6.5.

Changes from Issue 1727: In addition to these changes, we've added new code to make the memberlist_user hook more functional. You can unset $user['username'] in order to force a user to be skipped from the code block below the hook. This also means you can edit any element or add/remove elements from the $user array as well.

The last change for plugin hooks in 1.6.5 is with the admin_formcontainer_end hook. We no longer pass $return as the argument, which never did anything anyway. Instead we pass $hook, which is the following array: $hook = array("return" => &$return, "this" => &$this). Since the array is attached by ref, you can edit either element in the array and have your edits work inside the code beyond the hook.

Due to a plugin that was already receiving by reference, Stefan discovered that you can use the receive by reference method for either of the plugin type changes. It was not intended functionality, but it does make authoring/updating plugins much simpler.
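
The two hook styles described above, as an added example that is not MyBB's own code: HookRunner is a hypothetical, simplified stand-in for the dispatcher, the handler functions and the demo_no_return hook name are made up, and the sample post data is constructed. It assumes a handler that returns nothing leaves the value unchanged; under that assumption, a plugin that escapes or filters a value in one of the return-style hooks stops having any effect if it does not return the variable.

```php
<?php
// Added example. HookRunner is a hypothetical, simplified stand-in for a hook
// dispatcher; it is not MyBB's class_plugins.php. Sample data is constructed.
class HookRunner
{
    private $hooks = array();

    public function add_hook($name, $function) { $this->hooks[$name][] = $function; }

    // Return style: the caller writes $var = $plugins->run_hooks("func", $var).
    public function run_hooks($name, $arguments = "")
    {
        $list = isset($this->hooks[$name]) ? $this->hooks[$name] : array();
        foreach ($list as $function) {
            $returned = call_user_func($function, $arguments);
            // Assumption: a handler that returns nothing leaves the value unchanged.
            if ($returned !== null) {
                $arguments = $returned;
            }
        }
        return $arguments;
    }

    // Receive-by-ref style: each handler declares its parameter with &.
    public function run_hooks_by_ref($name, &$arguments)
    {
        $list = isset($this->hooks[$name]) ? $this->hooks[$name] : array();
        foreach ($list as $function) {
            call_user_func_array($function, array(&$arguments));
        }
    }
}

// Edits its own copy and returns nothing, so the escaping never reaches the caller.
function escape_title_no_return($post) { $post['usertitle'] = htmlspecialchars($post['usertitle']); }
// Return style: hands the edited copy back to the dispatcher.
function escape_title_returning($post) { $post['usertitle'] = htmlspecialchars($post['usertitle']); return $post; }
// Receive-by-ref style: edits the caller's variable in place, no return needed.
function flag_post_by_ref(&$data) { $data['checked'] = true; }

$plugins = new HookRunner();
$plugins->add_hook('demo_no_return', 'escape_title_no_return'); // hypothetical hook name
$plugins->add_hook('postbit', 'escape_title_returning');
$plugins->add_hook('datahandler_post_insert_post', 'flag_post_by_ref');
$post = array('usertitle' => '<b>Member</b>', 'checked' => false); // constructed sample
$lost = $plugins->run_hooks('demo_no_return', $post);
$kept = $plugins->run_hooks('postbit', $post);
$plugins->run_hooks_by_ref('datahandler_post_insert_post', $post);
var_dump($lost['usertitle'], $kept['usertitle'], $post['checked']);
```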
