MyBB 1.6.6


MyBB 1.6.6 was released on February 10th, 2012.

MyBB 1.6.6 is a security release for the 1.6 series. It fixes 1 major functional issue (announcements disappearing in 1.6.5, see below) and 14 low-risk vulnerabilities: one rated non-critical and thirteen rated low risk, listed below.

Non-Critical

  • Ability to import a non-CSS stylesheet
When importing a theme, the filename of each stylesheet declared in the theme XML was not checked to confirm that it is a CSS file. Only CSS files should be added with a theme; 1.6.6 now validates the stylesheet filename before the stylesheet is written.
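The following is an added example, not code from MyBB or its wiki: a standalone filename check of the kind the theme importer needs, run against a few constructed stylesheet names. The function name and the whitelist pattern are this example's own choices, not MyBB's; the exact check added to functions_themes.php in 1.6.6 is not reproduced here.

```php
<?php
// Added example (not MyBB's code): validate a stylesheet name taken from an
// imported theme XML before it is used as a filename on disk or stored in the
// database. Run with: php check_stylesheet_name.php

/**
 * Return true only for a plain filename (no directory component) that
 * consists of safe characters and ends in ".css", case-insensitively.
 */
function is_valid_stylesheet_name(string $name): bool
{
    // Reject anything carrying a path: "../", "/", "\" all change basename().
    if ($name !== basename($name)) {
        return false;
    }
    // Whitelist the characters and require the .css extension at the very end,
    // so "global.css.php" and "global.php%00.css" are both rejected.
    if (!preg_match('/^[A-Za-z0-9_\-\.]+\.css$/i', $name)) {
        return false;
    }
    return true;
}

// Constructed names: what a theme XML might declare, with the expected verdict.
$samples = [
    'global.css'            => true,
    'Color_scheme-2.CSS'    => true,
    'shell.php'             => false,   // not a stylesheet at all
    'global.css.php'        => false,   // double extension, would execute as PHP
    '../../inc/config.css'  => false,   // path traversal out of the theme directory
    'global.php%00.css'     => false,   // NUL-byte style trick, caught by the whitelist
];

foreach ($samples as $name => $expected) {
    $ok = is_valid_stylesheet_name($name);
    printf("%-24s %-6s %s\n", $name, $ok ? 'allow' : 'reject', $ok === $expected ? 'ok' : 'MISMATCH');
}
```

The two checks are deliberately separate: `basename()` catches directory components, while the anchored regex catches double extensions and unexpected characters. Checking only `substr($name, -4) === '.css'` would still accept `../../x.css`.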

Low Risk

  • CSRF vulnerability on Admin CP logout Issue #1769
  • CSRF vulnerability when clearing a stored password Issue #1824
  • CSRF vulnerability when removing a buddy Issue #1825
  • CSRF vulnerability with Admin CP join requests Issue #1834
  • CSRF vulnerability in ACP Group Promotions Enable/Disable
  • CSRF vulnerability in ACP Edit User (ability to change an avatar without permissions)
  • CSRF vulnerability in ACP when activating a user
  • XSS vulnerability when moving an event (Calendar)
  • XSS vulnerabilities in the Akismet plugin
  • XSS vulnerabilities in User CP Forum Subscriptions
  • XSS vulnerability in Mod CP Moderator Logs
  • XSS vulnerability in Edit Post (attachments)
  • XSS vulnerability in Mod CP Edit Announcement

These vulnerabilities are exposed either as an unsanitized variable used in the templates/output (the XSS issues) or as a request that prompts an Administrator or user into performing an action they never intended to take (the CSRF issues). With thanks to Nathan Malcolm of our SQA team for finding these vulnerabilities.
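The following is an added example, not code from MyBB or its wiki: a minimal standalone handler showing both flaw classes named above, the unchecked state-changing request (CSRF) and the raw echo of user input (XSS), beside a hardened version that requires a POST carrying a valid per-user token and escapes the output. The "remove buddy" action, the token scheme (an HMAC under a server-side secret), the secret value and the function names are all this example's own constructions; MyBB's own helpers for the same purpose are `verify_post_check()` / `$mybb->post_code` and `htmlspecialchars_uni()`, and the patched lines from 1.6.6 are not reproduced here.

```php
<?php
// Added example (not MyBB's code): CSRF and XSS on one state-changing action,
// vulnerable and hardened side by side. Run with: php csrf_xss.php

// --- XSS: escape every user-controlled value before it reaches HTML output ---
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- CSRF: a per-user token that every state-changing request must carry ---
function make_post_key(string $server_secret, int $uid): string
{
    // Derived, not stored: HMAC of the user id under a secret the browser never sees.
    return hash_hmac('sha256', (string) $uid, $server_secret);
}

function verify_post_key(string $server_secret, int $uid, ?string $submitted): bool
{
    if ($submitted === null || $submitted === '') {
        return false;
    }
    // hash_equals() compares in constant time, so token bytes cannot be guessed one at a time.
    return hash_equals(make_post_key($server_secret, $uid), $submitted);
}

// Vulnerable pattern: any request (even a GET from a link on another site)
// performs the action, and the identifier is echoed back unescaped.
function remove_buddy_vulnerable(array $request, array &$buddies): string
{
    $bid = $request['bid'] ?? '';
    unset($buddies[$bid]);
    return "<li>Removed buddy {$bid}</li>";   // no token check, no escaping
}

// Hardened pattern: require POST with a valid token, then escape the output.
function remove_buddy_hardened(string $method, array $request, array &$buddies, string $secret, int $uid): string
{
    if ($method !== 'POST' || !verify_post_key($secret, $uid, $request['my_post_key'] ?? null)) {
        return '<li>Invalid or missing post key; action refused.</li>';
    }
    $bid = $request['bid'] ?? '';
    unset($buddies[$bid]);
    return '<li>Removed buddy ' . escape_html($bid) . '</li>';
}

// Constructed inputs: a forged cross-site link, a reflected-script payload,
// and a legitimate form submission carrying the token.
$secret  = 'server-side-secret-assumed-from-config';  // assumption: loaded from config.php
$uid     = 42;
$buddies = ['7' => 'alice', '9' => 'bob'];

$forged = ['bid' => '7'];                                   // <img src="usercp.php?action=remove_buddy&bid=7">
$xss    = ['bid' => '<img src=x onerror=alert(1)>'];

echo remove_buddy_vulnerable($forged, $buddies), "\n";      // buddy 7 silently removed
echo remove_buddy_vulnerable($xss, $buddies), "\n";         // payload reflected into the page

$buddies = ['7' => 'alice', '9' => 'bob'];                  // reset for the hardened run
echo remove_buddy_hardened('GET',  $forged, $buddies, $secret, $uid), "\n";   // refused: no token
echo remove_buddy_hardened('POST', $xss,    $buddies, $secret, $uid), "\n";   // refused: no token

$legit = ['bid' => '9', 'my_post_key' => make_post_key($secret, $uid)];
echo remove_buddy_hardened('POST', $legit, $buddies, $secret, $uid), "\n";    // removed, output escaped
print_r($buddies);                                          // only 'alice' remains
```

Note that the token check alone does not fix the XSS and the escaping alone does not fix the CSRF; each of the thirteen low-risk items above is one of these two defects at one output or action, and each needs the matching fix.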

In MyBB 1.6.5, announcements in forums and sub-forums will disappear (see Issue #1781 and Issue #1785). MyBB 1.6.6 should fix this problem.

The following files have changed since MyBB 1.6.5.

  • admin
    • inc
      • class_page.php
      • functions_themes.php
    • modules
      • home
        • credits.php
      • tools
        • modlog.php
      • user
        • group_promotions.php
        • groups.php
        • users.php
    • index.php
  • inc
    • languages
      • english
        • admin
          • user_group_promotions.lang.php
      • english.php
    • plugins
      • akismet.php
    • class_core.php
  • install
    • resources
      • mybb_theme.xml
      • upgrade22.php
  • calendar.php
  • editpost.php
  • forumdisplay.php
  • misc.php
  • modcp.php
  • newreply.php
  • newthread.php
  • usercp.php


There are changes to 1 language file.

  • admin/user_group_promotions.lang.php

There are changes to 1 template.

  • forumdisplay_threadlist_clearpass
