
=====================================================================
                                    CERT-Renater

                         Information Note No. 2006/VULN334
_____________________________________________________________________

DATE                      : 14/06/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running MyBB versions prior to 1.1.3.

======================================================================


MyBB 1.1.3 is a security update to the MyBB 1.x series. It fixes a moderate risk
cross site scripting vulnerability and a moderate-high risk PHP injection
vulnerability affecting all versions of MyBB (1.0 RC, 1.0 Final, 1.1 series).

We recommend all users upgrade their copy of MyBB to the latest available release.

Fixed vulnerabilities:

     * Potential cross site scripting with unsanitized input variable in
       private.php (D3vil-0x1)
     * Potential PHP arbitrary code execution vulnerability with post parser
       (Secunia)


The release on the MyBB site has also been updated to 1.1.3.

Update instructions are in the next post, including a list of changed files (and
a ZIP archive of them) as well as manual patching instructions for those of you
who have customized their code.

Regarding MyBB 1.2
Development is still continuing. Myself (and other developers) are currently
unable to be as active as we'd like to be at the moment due to being in major
assessment and examination periods.

The beta testing phase will soon begin and users will be contacted to test this
upcoming release. (Please do not request to become a tester - we chose you based
on your experience and community participation)

Regards,
MyBB Group Chris Boulton

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================



