========================== ========================== =================== CERT-Renater Note d'Information No. 2013/VULN452 _____________________________________________________________________ DATE : 10/10/2013 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running MyBB version prior to 1.6.11. ========================== ========================== ==================== http://blog.mybb.com/2013/10/08/mybb-1-6-11-released-security-maintenance= -release/ ______________________________________________________________________ MyBB 1.6.11 Released – Security & Maintenance Release Posted on October 8, 2013 by Nathan Malcolm MyBB 1.6.11 is now available from the MyBB website and is a security and maintenance release. Important Security Patches It was reported to us by Philly that a user was able to register on his forum with three ‘emoji’ characters which led to the user= becoming “unregistered”. After looking in to this issue we discove= red it was more complex than originally thought. The technical explanation is MySQL’s UTF8 implementation only sup= ports up to 3 bytes per character. When someone tries to insert a string containing a 4 byte utf8 character in to the database, MySQL truncates the string immediately before the 4 byte character. Not only does this affect security, it affects the user’s experience as half their p= ost or private message could be lost without them knowing why. The vulnerability was exploited by a user registering on a forum with a username consisting of only 4 byte UTF8 characters. As I explained before, MySQL truncates the string before the first occurrence of a 4 byte UTF8 character which led to the username column becoming empty. When someone sent a PM it would be automatically sent to the nameless user and they would be able to read it. This security issue affects MySQL databases with a utf8_general_ci collation (This may also affect utf8_unicode_ci collations too). If you’re using a SQLite or PostgreSQL database you’re not a= ffected by this. What’s added/changed in this version? This release fixes 5 vulnerabilities and over 65 reported issues causing incorrect functionality of MyBB. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version. Vulnerabilities: High Risk: Authorization bypass vulnerability within the PM system – reported by Philly Medium Risk: Accounts without login keys could be hijacked = reported by StefanT Low Risk: Weakness within the generate_post_check() function = reported by Nathan Malcolm Low Risk: Anonymous statistics may not always be anonymous = reported by Nathan Malcolm Low Risk: Database backups are exposed in logs – reported= by Nathan Malcolm Fixed issues in 1.6.11 Unfixed issues Please view the 1.6.11 changes on the Docs site for more information about the changes in this version. Upgrading from 1.6.10 and Other Versions Before performing any upgrade please remember to backup your forum’= s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete. To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 4 language files. 5 templates have been changed or added. If you’re using MyBB 1.6.10 Download and use the Changed Files Package (MD5: 918be9675d3d50c63bfe4c6cbf17fd0f) Follow the Docs Upgrading Instructions If you’re using MyBB 1.6.9 or lower Download and use the full 1.6.11 Release Package (MD5: 918be9675d3d50c63bfe4c6cbf17fd0f) Follow the Docs Upgrading Instructions Reporting MyBB security vulnerabilities If you think you’ve found a vulnerability in MyBB, we advise you = not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.= As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum = where you can start a new thread that only you and the MyBB Team can see. Thanks, MyBB Team ========================== ========================== ======= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================== ========================== ======== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ========================== ========================== ========