=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN557
_____________________________________________________________________

DATE                      : 20/12/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running MyBB 1.6.0, or any release of the
                            MyBB 1.4 series up to and including 1.4.14.

======================================================================
http://blog.mybb.com/2010/12/15/mybb-1-6-1-release-1-4-14-update/
______________________________________________________________________

MyBB 1.6.1 Release & 1.4.14 Update

MyBB 1.6.1 is now available on the MyBB website and is a security and
maintenance update to the MyBB 1.6 series. A patch has also been made
available to provide the security updates for the MyBB 1.4 series.

This release is to ensure that all users on MyBB 1.6 have the latest
fixes, and to patch two medium-risk security issues within MyBB.

This release also fixes several issues reported since 1.6.0 that caused
incorrect behaviour in MyBB, giving a more stable version for public use.

What’s fixed in this version?

    * Two XSS vulnerabilities in editpost.php, member.php and
      newreply.php – thank you to YGN Ethical Hacker Group for
      reporting these issues.
    * 90+ bug fixes

This release has been tested by our Software Quality Assurance group.
The following files were changed since the initial MyBB 1.6 release:

    * calendar.php
    * editpost.php
    * forumdisplay.php
    * member.php
    * misc.php
    * modcp.php
    * moderation.php
    * newreply.php
    * newthread.php
    * polls.php
    * portal.php
    * printthread.php
    * private.php
    * reputation.php
    * showthread.php
    * usercp.php
    * xmlhttp.php
    * admin
          o inc
                + class_page.php
                + functions.php
                + functions_view_manager.php
          o jscripts
                + codepress
                      # languages
                            * css.css
                + imodal.js
          o modules
                + config
                      # badwords.php
                      # banning.php
                      # calendar.php
                      # help_documents.php
                + forum
                      # announcements.php
                      # management.php
                + home
                      # credits.php
                      # preferences.php
                + style
                      # templates.php
                      # themes.php
                + tools
                      # recount_rebuild.php
                + user
                      # groups.php
                      # users.php
                + styles
                      # sharepoint
                            * avatar_gallery.css
    * inc
          o datahandlers
                + post.php
                + user.php
          o languages
                + english
                      # admin
                            * config_badwords.lang.php
                            * forum_management.lang.php
                            * tools_recount_rebuild.lang.php
                            * tools_statistics.lang.php
                      # moderation.lang.php
                      # portal.lang.php
                      # reputation.lang.php
                      # usercp.lang.php
                      # xmlhttp.lang.php
                + english.php
          o tasks
                + delayedmoderation.php
                + promotions.php
                + userpruning.php
          o class_core.php
          o class_custommoderation.php
          o class_datacache.php
          o class_moderation.php
          o class_parser.php
          o functions.php
          o functions_forumlist.php
          o functions_indicators.php
          o functions_online.php
          o functions_post.php
          o functions_search.php
          o functions_user.php

    * install
          o resources
                + mybb_theme.xml
                + settings.xml
                + upgrade17.php
                + upgrade18.php
          o index.php
    * jscripts
          o editor.js

* In the original post, red marks files that contain security updates
  and green marks files new in this release; the colour coding is not
  preserved in this plain-text copy. The XSS fixes named above are in
  editpost.php, member.php and newreply.php.


MyBB 1.6.0 to MyBB 1.6.1 Security Patch

This patch is only for users running MyBB 1.6.0. If you are
running an older version of MyBB then please download MyBB 1.6.0
from the MyBB site and update to it using the general
[Wiki: Upgrading] guide.

If you wish to manually patch your board please download
“mybb_1600_patches.txt” and follow the instructions in that file.

mybb_1600_patches.txt

The manual patch set only fixes the security vulnerabilities and is
made available only to secure your forum temporarily until you have
time to run the complete upgrade.


MyBB 1.6.0 to MyBB 1.6.1 Full Upgrade

When upgrading from 1.6.0, you will not lose any custom themes,
plugins or language packs which you may have installed.

Follow the general [Wiki: Upgrading] guide outlined on the MyBB
Wiki to complete the upgrade process. You may download a ZIP
archive of changed files here:

changed_files_1601.zip

Please download the attached ZIP archive and replace the files
in your forum directory with those from the ZIP archive.

This update requires running the upgrader: this version contains
database schema, language string or template changes.

You must then check for modified templates using the instructions
below.

Theme and template changes
Using the “Find Updated” link under the “Templates” page in the
Admin CP you can find a list of the templates that have changed
in this release that you’ve got one or more custom copies of.

After identifying changed templates using the tool you can either
revert your custom template to the default (delete it) or use the
“diff” tool to perform a difference analysis on your custom
template and the default.

“Revert required” indicates that for this template to work
correctly with MyBB 1.6.1 you’ll either need to revert it to
the default or modify your custom template to include the
changes in the default. If a revert is not required your
custom version of the template should work perfectly fine.

Template changes

Since MyBB 1.6.0 the following templates have had changes
to them:

    * portal_latestthreads_thread
    * showthread_poll_option_multiple
    * usercp_nav_misc

* In the original post, red marks a template that must be updated or
  reverted to fix security problems; the colour is not preserved in
  this plain-text copy, so check all three with “Find Updated”.

Language file changes

Since MyBB 1.6.0 the following language files have had changes
to them:

    * moderation.lang.php
    * portal.lang.php
    * reputation.lang.php
    * usercp.lang.php
    * xmlhttp.lang.php
    * admin
          o config_badwords.lang.php
          o forum_management.lang.php
          o tools_recount_rebuild.lang.php
          o tools_statistics.lang.php

Either update your language packs to include the changes
in these files or revert to the standard English language
pack.

MyBB 1.4.14 Update

MyBB 1.4.14 was released on August 3rd 2010 to provide full
PHP 5.3 functionality as well as improved attachment management.
If you’re still using 1.4.13, it is recommended to upgrade to
1.4.14. You can do this by following the instructions in the
MyBB 1.4.14 Release Announcement. The changed files package
has been updated with the latest security fixes.

Please note all users of the 1.4.x series are urged to upgrade
to the latest release of MyBB (1.6.1).

This patch is only for users running MyBB 1.4.14 or any
previous release of the MyBB 1.4 series. Please download
“mybb_1414_patches.txt” below and follow the manual patching
instructions.

mybb_1414_patches.txt
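The note above affects two version lines, and the manual patch sets are explicitly a stop-gap. The script below is an added example (not part of the CERT-Renater note or of MyBB's release post) that an administrator can run over a web root to find every MyBB install and report which are still at 1.6.0 or on the 1.4 series. It parses the `public $version_code = NNNN;` line that MyBB keeps in `inc/class_core.php` (1600 for 1.6.0, 1601 for 1.6.1, 1414 for 1.4.14). Two assumptions: that line format is taken from MyBB's own source, and the manual patch sets (mybb_1600_patches.txt, mybb_1414_patches.txt) are assumed to leave `version_code` untouched, so a manually patched board is reported exactly like an unpatched one, which is the right outcome given that the post treats the manual patch as temporary. The sample tree it scans is constructed inline.

```shell
#!/bin/sh
# Added example; not part of the CERT-Renater note or of MyBB's release post.
# Scans a web root for MyBB installs and reports which are below 1.6.1.
#
# MyBB records its release in inc/class_core.php as
#     public $version_code = 1600;
# (1600 = 1.6.0, 1414 = 1.4.14), which is what we parse. Assumption: the
# manual patch sets edit only the vulnerable scripts and leave version_code
# alone, so a manually patched board is reported like an unpatched one.

FIXED_CODE=1601   # first 1.6 release carrying the XSS fixes

# mybb_version_code ROOT -> prints the numeric version_code, nothing if unparsable
mybb_version_code() {
    sed -n 's/^[[:space:]]*public[[:space:]]*\$version_code[[:space:]]*=[[:space:]]*\([0-9][0-9]*\);.*/\1/p' \
        "$1/inc/class_core.php" 2>/dev/null | head -n 1
}

# mybb_status ROOT -> prints one of:
#   ok           1.6.1 or later
#   upgrade-1.6  1.6.0: apply changed_files_1601.zip and run the upgrader
#   legacy-1.4   1.4.x: patch with mybb_1414_patches.txt, then move to 1.6.1
#   unknown      no parsable version_code (not MyBB, or a damaged install)
# Returns 0 only for "ok", so it can be used directly in a condition.
mybb_status() {
    code=$(mybb_version_code "$1")
    if [ -z "$code" ]; then
        echo unknown; return 2
    elif [ "$code" -ge "$FIXED_CODE" ]; then
        echo ok; return 0
    elif [ "$code" -ge 1600 ]; then
        echo upgrade-1.6; return 1
    else
        echo legacy-1.4; return 1
    fi
}

# mybb_scan WEBROOT -> one "<status> <install root>" line per install found
mybb_scan() {
    find "$1" -type f -path '*/inc/class_core.php' 2>/dev/null | sort |
    while IFS= read -r f; do
        root=${f%/inc/class_core.php}
        printf '%s %s\n' "$(mybb_status "$root")" "$root"
    done
}

# make_sample_install ROOT VERSION CODE -> writes a minimal class_core.php stub.
# Constructed test data that mimics only the two version lines of the real file.
make_sample_install() {
    mkdir -p "$1/inc"
    cat > "$1/inc/class_core.php" <<EOF
<?php
class MyBB {
    public \$version = "$2";
    public \$version_code = $3;
}
EOF
}

# Stand-alone demo over a constructed tree in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    make_sample_install "$tmp/www/forum-old" 1.6.0  1600
    make_sample_install "$tmp/www/forum-new" 1.6.1  1601
    make_sample_install "$tmp/www/legacy"    1.4.14 1414
    mybb_scan "$tmp/www"
    rm -rf "$tmp"
}

demo
```

Run it as `sh scan.sh` for the demo, or source it and call `mybb_scan /var/www` on a real host; `mybb_status` alone is handy in a cron job that alerts on any non-zero exit.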

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise
you not to publicly post it on these forums or publicly
release information about it elsewhere until we’ve had time
to prepare and release a patch.

As always, you can send through security related messages
on the MyBB website from the Contact Us page.

Thank you,
MyBB Team

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

