Hosting MyBB

1.8.21
 (security release)
11 June - 15MBThis is a security and maintenance release for MyBB.



Security

HIGH RISK: Theme import stylesheet name RCE. Reported by Simon Scannell and Robin Peraglie RIPS Technologies.

HIGH RISK: Nested video MyCode persistent XSS. Reported by Simon Scannell and Robin Peraglie RIPS Technologies.

MEDIUM RISK: Find Orphaned Attachments reflected XSS. Reported by Simon Scannell RIPS Technologies.

MEDIUM RISK: Post edit reflected XSS. Reported by adm1nkyj ENKI.

MEDIUM RISK: Private Messaging folders SQL injection. Reported by Alex DiscoveryGC.

LOW RISK: Potential phar deserialization through Upload Path. Reported by Simon Scannell RIPS Technologies.



Bug Fixes

#3696 header_welcomeblock_member_buddy template is not cached

#3693 email insert doesn't work in source mode

#3691 Quote disappears in source mode

#3681 RSS Syndication : Bugs & Improvements

#3680 New hook on recount_rebuild

#3679 Language: use horizontal ellipsis instead of three dots or two dots

#3678 Unique check for per_page on recount_rebuild

#3676 SQL Error When Viewing Unread PMs

#3666 PM search - incorrect folder

#3663 Moved thread link name not changing properly

#3657 Missing CSS-class in referral modal

#3656 SQL Error on Post Update With Removed Attachment

#3651 Recount & Rebuild JS redirect is broken

#3647 Incompatible arguments of DB_Base::modify_column() and DB_Base::rename_column() implementations

#3640 Upgrade jQuery to latest (3.3.1) & related js updates

#3636 JS error - modal template in headerinclude

#3634 Empty folders - message count of unread instead of inbox

#3627 Admin Edit User - Missing external URL

#3625 PHP 7 compatibility - functions_calendar.php

#3614 Posting Limits and Post Moderation

#3613 Clear select2

#3611 Change Usergroup & Hidden Theme Interfering

#3610 BugDoc - Please fix documentation for Attachment Type

#3609 Fulltext Search and Stopwords

#3608 Inconsistent error message

#3604 class_stopforumspamchecker.php uses old API call url

#3601 AdminCP "Report Reasons" not updating cache on `disporder` change

#3598 1.8.20 - unread PMs - pagination

#3596 separator on index page

#3593 Actions on ACP's Awaiting Activation page with no users selected result in PHP Warning

#3591 1.8.20 sceditor font-size change bug

#3590 Empty index operator used on $errors string in Mod CP results in Fatal error with PHP 7.1

#3588 1.8.20 Editor Center issue

#3587 Templates Not Cached at Startup (`global_modqueue` & `global_modqueue_notice`)

#3575 Parser auto link breaks `ftp://` protocol URLs

#3520 Invisible Recaptcha - PW Reset Error

#3383 unable to add images to register questions

#2754 $sourcemode causes page to scroll to editor textarea when set to true via usercp.

#2542 Update SCEditor

Read more: https://mybb.com/versions/1.8.21/






1.8.20
 (security release)
4 March - 15MBThis is a security and maintenance release for MyBB.



Security

Medium risk: Reset Password reflected XSS

Medium risk: ModCP Profile Editor username reflected XSS — reported by Jovan Zivanovic of MaTRIS Research Group, SBA Research

Low risk: Predictable CSRF token for guest users — reported by Devilshakerz of MyBB Team

Low risk: ACP Stylesheet Properties XSS — reported by Cillian Collins

Low risk: Reset Password username enumeration via email — reported by Abdullah Md. Shaleh



Bug Fixes

#3583 MyBB 1.8.20 Editor Is Too Small

#3580 Oversensitive Word Filter

#3578 Threads Awaiting Moderation text overflow and no BBCode parsing

#3556 AJAX removal of attachment is not working

#3554 Smilie select is not working

#3553 Typo when a thread is waiting for approval

#3549 Incorrect "continue" usage in WarningsHandler

#3547 Remove attachments via AJAX

#3546 Consistent JS dialogs and popups

#3545 Upgrade jQuery to jQuery 3.0.0

#3543 UCP - Edit options - lang typo - missing dot

#3538 Member Profiles have Send Email link

#3533 UCP - Forum subscription - change align

#3514 Show only unread private messages

#3512 Forum Team Link should be available globally

#3506 "showthread_printthread" template not cached

#3504 ModCP warninglogs pagination issue

#3501 Lang typos in user_users and moderation lang files

#3486 Missing Moderation Notices

#3483 Add 'exact' option to memberlist username search

#3477 Improve error log details

#3476 Version check does not work

#3473 "index_showteamlink" template not preloaded

#3471 `check_thumbnail_memory` assumes `memory_limit` INI setting always has suffix

#3468 Page Change in Managegroup causes "Division by zero" Error

#3467 css.php - multiple queries

#3461 Bad word filters with 'escaped' parenthesis cause errors as of 1.8.18

#3459 Search feature improvements

#3457 User CP - "lock" folder & folder icon needs to be corrected to "close" icon

#3453 language editor count() warnings on php 7.2

#3449 Add The Ability To View User Referrals To Member Profile

#3443 MyBB ACP - Latest announcements scraping wrong and repeated content

#3441 ACP: Add Hooks To The User Edit Page To Allow Customization

#3436 Resend email verification missing captcha

#3430 ACP settings search option - hardcoded only for english language.

#3419 Thread and posts should not be hidden from the OP when approval is required!

#3417 Last Active shown for hidden users

#3403 New plugin hook in User CP

#3291 Issue with Thread Prefix

#3241 .prop('checked') doesn't trigger change events

#2020 Referrals Are Lost on Account Merge

#1201 Problem clicking links within AdminCP Template-Sets

Read more: https://mybb.com/versions/1.8.20/






1.8.19

18 September 2018 - 15MBThis is a security and maintenance release for MyBB.



Security

High risk: Email field SQL Injection — reported by StefanT

Medium risk: Video MyCode Persistent XSS in Visual Editor — reported by Numan OZDEMIR of InfinitumIT

Low risk: Insufficient permission check in User CP's attachment management — reported by StefanT

Low risk: Insufficient email address verification — reported by StefanT



Bug Fixes

#3429 All smilies should be shown on the full list

#3428 Missing database inserts for engines other than MySQL

#3415 Quick reply auto-subscribes users

#3412 Inconsistent Styling of Restore Button

#3410 Undefined/null values can be passed to my_hash_equals() on forum password check

#3409 my_hash_equals() definition can be missing when evoking for password-protected forums

#3397 Custom Profile Fields - Certain characters not escaped

#3393 grammar issue in upgrade script

Read more: https://mybb.com/versions/1.8.19/






1.8.18
 (security release)
29 August 2018 - 15MB1.8.18



This is a security and maintenance release for MyBB.



Security

Image MyCode "alt" attribute persistent XSS

RSS Atom 1.0 item title persistent XSS



Bug Fixes

plus 30 bugs fixed



1.8.17



Bug Fixes

fixed bugs that prevented login to administration



1.8.16



This is a security and maintenance release for MyBB.



Security

Image & URL MyCode Persistent XSS

Multipage Reflected XSS

ACP logs XSS

Arbitrary file deletion via ACP's Settings



Bug Fixes

plus 66 bugs fixed

Read more: https://mybb.com/versions/1.8.18/



display more versions




1.8.15
 (security release)
18 March 2018 - 15MBSecurity

Medium risk: Tasks Local File Inclusion

Medium risk: Forum Password Check Bypass

Low risk: Admin Permissions Group Title XSS

Low risk: Attachment types file extension XSS

Low risk: Moderator Tools XSS

Low risk: Security Questions XSS

Low risk: Settings Management XSS

Low risk: Templates Set Name XSS

Low risk: Usergroup Promotions XSS

Low risk: Warning Types XSS

Read more: https://mybb.com/versions/1.8.15/






1.8.14
 (security release)
28 November 2017 - 15MBSecurity

High risk: Language file headers RCE — reported by Julian Rittweger

Low risk: Language Pack Properties XSS — reported by Julian Rittweger

Read more: https://mybb.com/versions/1.8.14/






1.8.13
 (security release)
20 November 2017 - 15MBThis release fixes 7 security vulnerabilities and 62 reported issues causing incorrect functionality of MyBB.



Security

Installer RCE on configuration file write

Language file headers RCE

Installer XSS

Mod CP Edit Profile XSS

Insufficient moderator permission check in delayed moderation tools

Announcements HTML filter bypass

Language Pack Properties XSS

Read more: https://mybb.com/versions/1.8.13/






1.8.12
 (security release)
22 May 2017 - 15MBThis release fixes 3 security vulnerabilities and 14 reported issues causing incorrect functionality of MyBB.



Security

Medium risk: Insufficient permission check in multiquote feature – reported by frostschutz

Medium risk: CSV macro injection on PM export – reported by Rico A. Silvallana

Low risk: Weak password reset codes & false positives – reported by Devilshakerz



Bugs fixed

Redundant  tag in moderation_inline_mergeposts template 1.8 bug s:fixed

Missing closing  tags 1.8 bug s:fixed

Issues with the IM center pop-up 1.8 bug p:normal s:fixed

DB_PgSQL::show_create_table() doesn't list unique keys 1.8 bug pgsql s:fixed

Custom MyCode 1.8 bug s:fixed

Merge hook not working correctly 1.8 bug p:normal s:fixed

Hover on Relative time to Show Exact date/time 1.8 enhancement p:low s:fixed

CURLOPT constants inconsistencies 1.8 bug s:fixed

gethostbynamel() and dns_get_record() may issue unhandled warnings 1.8 bug s:fixed

Upgrade script final step shows invalid title 1.8 bug p:low s:fixed

Short array syntax in fetch_remote_file() raises Parse error on PHP < 5.4 1.8 bug s:fixed

Updation of "What is RSS?" link to https 1.8 enhancement s:fixed

Incorrect post-login redirect URL on private networks and localhost 1.8 bug s:fixed

RSS limit doesn't work in the generated URL - always 15 1.8 bug p:normal s:fixed

Read more: https://blog.mybb.com/2017/05/22/mybb-1-8-12-released-security-maintenance-release/






1.8.11
 (security release)
23 April 2017 - 15MBThis release fixes 3 security vulnerabilities and 32 reported issues causing incorrect functionality of MyBB.



Security

High risk: XSS Injection in Email MyCode – reported by Zhiyang Zeng of Tencent security platform department

Medium risk: SSRF protection can be bypassed – reported by Orange Tsai of DEVCORE and Jasveer Singh of SEC Consult Vulnerability Lab

Low risk: Directory Traversal in smilie module – reported by Zhiyang Zeng of Tencent security platform department



Bugs fixed

Bug: mybbuser cookie is set without httponly when changing password

Enhancement: Mod CP - missing plugin hooks

Bug: Issues with Admin Logging and email pruning

Bug: orphaned variable

Enhancement: Add new hook in User CP's Change Avatar section

Bug: Update LiveLeak embed code for HTTPS

Enhancement: Add Referrer-Policy header on ACP pages

Bug: Invalid download link in ACP version check

Enhancement: Missing Plugin Hooks in the ACP

Bug: Wrong link to announcements in ModCP announcement list

Enhancement: New hook in moderation.php to work with moved posts

Bug: Notification email not sent after activation

Enhancement: Rewrite create_password_hash() usage to accept array of password parameters

Bug: PHP 7.1 Illegal string offset warning when editing user profile with custom select fields

Bug: Stats page refreshing issue

Enhancement: Error notice (div.error) styling doesn't match to 1.8 design.

Bug: MyCode same regular expression issue

Bug: Blocked user's soft deleted message issue

Bug: Group promotions bug

Bug: Twitch Videos Start Automatically

Bug: Almost all numeric values greater 9 are set to 9 in "Show All Settings"

Bug: Theme selector leaves GET data in the URL

Bug: GO button in portal search not inline

Bug: last post info is not updating properly

Bug: When viewing own profile via `uid=0`, the username isn't shown

Bug: Todays birthdays issue with deleted user or purged spammer

Bug: Editing of announcements in ModCP doesn't work

Bug: Only one child theme moved up the tree when deleting themes

Bug: Reply button with usernames containing quotes

Bug: Find orphaned attachments shows success when failed

Bug: User ratings not merging when account is merged

Read more: http://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/






1.8.10

10 January 2017 - 15MBThis release fixes 22 reported issues causing incorrect functionality of MyBB.



Bugs fixed

Bug: Deleting a forum and the recount link while using custom admin url,

Bug: Compose a PM - extra space before "Request Read Receipt:"

Bug: Problem Send PM - Member Profile

Bug: Approve/unapprove threads moderator permission broken

Bug: Custom profile field - Show on member profile - OFF is not working

Bug: Who Posted Sorting Links Redirect To New Page

Bug: Missing line break in New Thread post options

Wrong MySQL version detected

Bug: Quoting posts removes moderator options under certain conditions

Bug: File Verification and .txt files

Bug: Contact Details

Bug: Word filter iterates over replacement strings

Add "Mark site as read" into footer (#1583)

Bug: ModCP - Profileditor

Bug: admin modules dubble $sub_tabs

Bug: Invalid values used with operators expecting numbers raise E_WARNING on PHP 7.1

Bug: Last post not updated when approving the first post using inline mod tools

Bug: New reply mod options do not check specific moderator permissions

Enhancement: Add option to set cookies with Secure flag

Bug: Help Documents HTML not parsed in misc.php?action=helpresults

Bug: "Only receive private messages from users on my Buddy List." ineffective when buddy l

Bug: PM disable option

Read more: http://blog.mybb.com/2017/01/10/mybb-1-8-10-released-maintenance-release/






1.8.9
 (security release)
6 January 2017 - 15MBThis release fixes 1 security vulnerability and 52 reported issues causing incorrect functionality of MyBB.



Security

Low risk: CSRF issue when removing subscriptions – reported by Devilshakerz



Bugs fixed

Bug: Collapsed theads

Bug: Empty index operator throws fatal error on PHP 7.1 when used on strings

Bug: Disable edit by timestamp for admins also disables for moderators

Bug: Gravatar link updation

Bug: You have entered an invalid secret PIN.

Bug: XSS in URL BBCode

Bug: Outdated location name on Time Zone

Bug: Outdated MIME types link in Attachment Types configuration

Bug: SQL Error in private.php

Bug: Links executing JS functions should return false and point to javascript.void(0) instead of hashtags

Enhancement: Update `Google Talk` language string to `Google Hangouts`

Enhancement: No Licence file

Bug: Signature preview saves the signature?

Bug: Weird timestamp addition in modcp resulting in integer overflow

Enhancement: No hooks available in password hashing functions

Bug: Delayed moderation - missing lang string for time

Bug: Report Reasons not sent in report PM/email notifications

Bug: Expand/collapse theads not fully implimented

Bug: Invalid table name in Report Reasons

Bug: Redundant " in moderation_delayedmoderation_date_day and modcp_announcements_day

Bug: threads get marked as read by just visiting forum categories

Bug: modcp_announcements_delete

Bug: Fix #2464 Add option to set cookies with Secure flag

Bug: Use a stylesheet for select2.css

Bug: pgsql: Cannot delete theme on postgres

Bug: "Notice: Undefined index: num_threads" when moving threads

Enhancement: Ability to disallow remote avatars

Bug: Missing setting descriptions

Bug: add package.json

Bug: showthread: dropdown-menus respond without "ok" - inconsistency

Bug: can not set permissions on another super admin

Bug: Unable To Perform a Database Backup

Bug: Template group not working.

Bug: Moderation Tools prefix issue

Bug: Check files returns /install missing

Bug: Renaming a stylesheet doesn't recache it

Bug: check tables incorrect if check

Bug: Hello World plugin fails on SQLite and most likely also pgsql

Enhancement: Proposition : enhanced numeric option setting

Bug: Weird global.php is_super_admin() check

Bug: Splitting thread decrease the thread count of user

Bug: Incomplete forum deletion

Bug: "Email Verification & Administrator Activation" usless

Enhancement: Add Deletion Notice

Enhancement: wontfix: Modal & Confirm dialogs

Enhancement: Hide stuff users can't see v2

Bug: CDN In AdminCP

Bug: Line breaks in templates search fails

Bug: Calendar, Week Overview: Week period calculated wrong

Bug: pgsql: Performance Optimization for the function replace_query

Bug: SQL error with Binary pseudo charset

Read more: http://blog.mybb.com/2016/12/21/mybb-1-8-9-released-security-maintenance-release/






1.8.8
 (security release)
17 October 2016 - 15MBThis release fixes 7 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB.



Security

Medium risk: Style import CSS overwrite on Windows servers – reported by patryk

Medium risk: SQL Injection in the users data handler – reported by afinepl

Medium risk: SSRF attack in fetch_remote_file() – reported by dawid_golunski

Medium risk: Possible short name access to ACP backups on Windows servers – reported by kevinoclam

Low risk: Stored XSS in the ACP – reported by patryk

Low risk: Loose comparison false positives – reported by Devilshakerz

Low risk: Possible XSS injection in ACP users module – reported by afinepl



Bugs fixed

#2473 Bug: No cache handler used on upgrade

#2466 gender neutral pronoun

#2462 Bug: SQL error in Attachment Statistics with ONLY_FULL_GROUP_BY enabled

#2456 Bug: Hash instead of the password at the "forgot my password"

#2455 Enhancement: Essential HTTPS URL changes for *.mybb.com resources

#2447 Bug: SQL error on post split with ONLY_FULL_GROUP_BY enabled

#2446 Bug: Mark All Reports bug

#2443 Bug: MyBB not respecting https:// URLs of certain resources

#2436 Bug: Attachment counter wrong after merging posts

#2434 Bug: missing_username error when editing a deleted user's post

#2431 Bug: Default avatar broken on ACP when using a full URL

#2427 Bug: Admin interface issues on IPv6

#2424 Bug: Fixes #2422 Installation fails on aggressive opcache settings

#2422 Bug: Installation fails on aggressive opcache settings

#2421 Enhancement: Send users who click "chmod" somewhere helpful

#2417 Bug: Upgrade Bug

#2414 Bug: Swapped MCP banning breadcrumbs

#2410 Enhancement: Optimise images with a better algorithm than last time

#2408 Bug: Unclosed cursors leave tables locked on SQLite

#2405 Bug: Using [img align=X] overlaps with postbit_signature

#2402 Bug: ACP path not being removed correctly when sending mail

#2394 Bug: captcha.php using slow CSPRNG

#2389 Bug: Pictures with custom dimensions higher than 999 not shown

#2385 Bug: ACP language and button function error

#2383 Enhancement: Update timezone

#2378 Bug: Report spam possible with PM/E-mail report medium

#2377 Bug: Disabled referral system leads to wrong colspan in memberlist

#2370 Bug: Report notifications ignore moderator groups

#2363 Enhancement: Per theme default avatar

#2357 Bug: BMP images don't work for avatars

#2348 Bug: Useless subscription guest checks in UCP

#2305 Bug: ACP - statistics page - Stats limit not working

#2298 Bug: Weird signature validation conditionals

#2282 Bug: Unlisted "maxreputationsperuser" setting

#2256 Bug: No smilies/post icons

#2251 Bug: Bad words not parsed in breadcrumbs etc.

#2236 Bug: Buddy popup problem when user doesn't have any permissions

#2228 Bug: SCEditor - Duplicate tags after re-election.

#2211 Enhancement: .htaccess  set wrong, no gzip for js

#2167 Bug: Unread indication doesn't work for guests

#2107 Bug: contact form not stripping html code in emails

#2057 Bug: PM folder language problem

#2050 Enhancement: Remove HTML in parser

#2039 Bug: Message after registration English although different language pack is used

#2022 Bug: Close Thread doesn't work via reply

#1988 Bug: Redirect problem with IDN after login

#1810 Enhancement: jGrowl alert types style

#1796 Bug: Delayed moderation - time bug

#1760 Enhancement: Deprecate update_password

#1729 Bug: Outdated CHMOD wiki link (and more docs.mybb.com links)

#1672 Enhancement: Attachment System Enhacements

#1647 Bug: Remove Attachment not working without refresh

#1631 Bug: username's should be htmlspecialchars_uni()'d

#1589 Bug: More proper URL validation

#1223 Enhancement: Report reasons enhancements

#1150 Enhancement: Remove hardcoded HTML v2

#1056 Bug: ACP: Replace hardcoded placeholder language string with an actual language variable

#298 Bug: Login per E-Mail

#259 Bug: User who is member of group that moderates certain (not all) furums is not recog...

Read more: http://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/






1.8.7
 (security release)
12 March 2016 - 15MBThis release fixes 13 security vulnerabilities and 83 reported issues causing incorrect functionality of MyBB.



Security

Medium risk: Possible SQL Injection in moderation tool – reported by jamslater

Low risk: Missing permission check in newreply.php – reported by StefanT

Low risk: Possible XSS Injection on login – reported by Devilshakerz

Low risk: Possible XSS Injection in member validation – reported by Tim Coen

Low risk: Possible XSS Injection in User CP – reported by Tim Coen

Low risk: Possible XSS Injection in Mod CP logs – reported by Starpaul20

Low risk: Possible XSS Injection when editing users in Mod CP – reported by Tim Coen

Low risk: Possible XSS Injection when pruning logs in ACP – reported by Devilshakerz

Low risk: Possibility of retrieving database details through templates – reported by Tim Coen

Low risk: Disclosure of ACP path when sending mails from ACP – reported by sarisisop

Low risk: Low adminsid & sid entropy – reported by Devilshakerz

Low risk: Clickjacking in ACP – reported by DingjieYang

Low risk: Missing directory listing protection in upload directories – reported by Tim Coen



Bugs fixed

#2351 Remove "Are You a Human" captcha

#2340 usercp_editlists_user - wrong lang string in title

#2330 Port is not stripped from the generated cookie domain

#2327 Calendar.php displaying wrong user title

#2319 Enable CURLOPT_FOLLOWLOCATION for fetch_remote_file()

#2314 Wrong PM update array code

#2313 Not a good way to update counters

#2312 Registration confirmation emails not being sent

#2310 SQL error when posting new post with custom moderation tool

#2306 SQL error in UserCP's Group Memberships when sql_mode=only_full_group_by

#2301 $theme['disporder'] may be not an array

#2292 Float number passed to mt_srand() on 32-bit systems

#2291 Typo in Email change message

#2288 Missing closing  in template report_error_nomodal

#2287 Prefix - Staff Only = Uneditable

#2285 Ambiguous indirect variable access breaks PHP 7 compatibility

#2283 Missing closing  in template report

#2278 PgSQL error when upgrading from  User Permissions

Read more: http://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/






1.8.6
 (security release)
9 September 2015 - 15MBThis release fixes 5 security vulnerabilities and 51 reported issues causing incorrect functionality of MyBB.



Security

Medium Risk: Forum password bypass in xmlhttp.php

Low Risk: SQL Injection in Grouppromotions module (ACP)

Low Risk: Possible XSS Injection in the error handler

Low Risk: Possible XSS issues in old upgrade files

Low Risk: Possible Full Path Disclosure in publicly accessible error log files



Bugs fixed

#2184 Quick edit not working when thread prefix is required

#2178 Question: What are "contants"?

#2171 Find Users should use `escape_string_like()`

#2168 Invalid RE: regex

#2164 output_row() $options['id']

#2163 Post subjects don't work correctly

#2149 Show latin1 as latin 1 and not as cp1252

#2145 Add A Group Leader Doesn't Put Leader In Usergroup

#2143 Parser removes spacing between list elements

#2141 ban_date2timestamp uses supports using timestamp but doesn't use it in date calls

#2129 Editing announcement is broken when global variable "$announcement"

#2126 reCaptcha not work if use SSL (HTTPS)

#2122 Quick reply wrong $postcounter

#2116 mysql

#2115 Inconsistent checks in db classes

#2106 Report Center Bug

#2105 System Email Log Filters

#2093 Sending message to myself with BCC will cause an error

#2091 Custom Profile Field descriptions should be properly escaped

#2084 UserDataHandler::delete_posts report content deletion is redundant.

#2077 Mssing using_remote_avatar language string.

#2076 usercp_avatar HTML syntax error.

#2054 Confusing admin and return mail

#2048 $settings undefined

#2037 Fetching MyBB credits fails -> endless redirection

#2026 Wrong Doc Blocks

#2018 Use queried id instead of input

#2016 Strange behaviour of "find_replace_templatesets"

#2009 Poll options values not saved in editpost.php

#2007 Preview table showing upon error

#2003 Deleting an event in 'editevent' without checking checkbox throws errors

#2001 Calendar does not show errors when adding events

#1999 Adding user in Admin-CP results in wrong timezone

#1978 Send PM: Duplicate check not working for multiple recipients

#1965 Calendar - problem with mini calendar

#1964 Using ||~|~|| in polls breaks poll

#1963 Editing problem in IE11

#1961 require a thread prefix for all threads doesnt work in edit post

#1955 Wrong SCEditor smilie check

#1913 Database export should ignore views

#1912 PM download umlaut problems

#1911 Unnecessary code in functions_post.php

#1906 Wrong information in profile/reputation report PMs

#1838 Birthday bug

#1820 Userhandler still doesn't delete some stuff

#1816 Very inefficient managegroups.php code...

#1793 Random generated password can throw error

#1752 Bypassing Theme Permissions

#1440 Soft delete doesn't show up in mod tools when searching threads

#907 Subject  Max. Char. error on preview

#303 Function insert_id() not working in db_pgsql.php

Read more: http://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/






1.8.5
 (security release)
27 May 2015 - 15MBThis release fixes 6 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB.



Security

Medium Risk: Reset password code check could be circumvented in member.php – reported by solati.sadegh

Medium Risk: Sender email could be spoofed when sending an email to a user in member.php – reported by onlinedevelopers

Medium Risk: Permissions not checked for post search with old sid in search.php – reported by pedder55655

Medium Risk: XSS in quick edit function of xmlhttp.php – reported by TiberiusG

Low Risk: CSRF in ACP mass mail cancellation – reported by Destroy666

Low Risk: Use of the U+200E Unicode character to create "duplicate" username – reported by mahdy2021



Bugs fixed

#1997 Single forum/group select settings

#1995 URLs never shortened

#1986 HTML bug in modcp template

#1979 Send PM: Duplicate check inconsistent

#1977 password hash checks should use === and !== instead of == and !=

#1975 JavaScript Error with Multiline Smilies (Disables Editor)

#1957 Grammatical mistake

#1956 Division by zero FPD

#1953 ACP Smilies Mass Editor break all smilies on save.

#1951 grammatical error in admin cp

#1946 Template groups are case sensitive

#1945 Administrator permissions Tools -> Can manage spam logs

#1941 Duplicating a theme doesn't duplicate the templates

#1939 format_avatar caching issue

#1934 Wrong awaitingactivation check

#1933 is_numeric check in Mysql update_query

#1931 Reputation page shows incorrect user title

#1930 Bug in checkbox validation

#1928 Warnings for multiselect/checkbox profile fields

#1926 Upgrades from input - #754

Admin CP language - #690

Disable Default MyCodes - #686

More recount tools - #494

Option to disable contact details - #900

Log all ‘locked out' failures in ACP - #859

Add reported posts stats to ACP - #858

Delayed moderation improvements - #440

New Promotion rules - #429



Front-end: New Theme - #571

CSS buttons, PNG images, Sprite images, Fugue icons - #571

Attachable base colors for themes - #580

Relative Time - #558

Prototype to jQuery Conversion (yay!) - #251

Attachment Types Name - #442

CSS Minification - #564



Front-end: Other

Add ltrim() to search users input - #590

Change trim() in templates to rtrim() - #584

A tool to rebuild reputation - #591

Contact Page - #592 #715

Ability to delete default help topics - #589

If user is invisible & permissions disallow, hide all public data - #593

Post reputation should include thread subject - #594

Remove Gallery; Integrate Gravatar - #582 #586

Delete post on full edit should not show if no permission to delete - #595

Add option to stick/unstick to custom tools - #435

PM thread author in custom tools for threads - #581

Users cannot rate their own posts - #570

format_avatar() function - #569

Whitelist of avatar upload extensions - #568

Preview announcements - #567

Minimum post length to exclude MyCode - #566

IPv6 features - #565

APC cache handler - #574

$cache->delete method - #575

is_member() function - #576

delete_user() function - #408

IP addresses in PMs - #563

Don't ask for validation if validation is disabled - #577

Slow reply posting in long threads - #578

Soft Delete - #560

Login Datahandler - #572

Add theme selector to footer - #496

Forum redirect icon - #453

Permission to reply to own threads - #409

ModCP banned users list descending by default - #138

Quick Reply PM - #437

Poll Updates (Add poll link to thread page; limit of time before a thraed author can no longer add a poll) - #456

Update contact fields - #455

Are You a Human CAPTCHA - #443

Report Center - #556

Ability to sort Private Messages in inbox and other folders - #70

Recount Warning Points - #85

Warning points as a Group Promotion criteria - #88

Registration date and last active time as mass mail criteria - #100

Display profile fields on posts - #133

Add "Display posts in classic mode" option when editing user in Admin CP - #107

Move Edit Time Limit and Max Post Per Day to group settings - #114

Recount Private Messages - #132

Hide members from the Member List - #142

Force redirect page - #550

Searching plugins will highlight vulnerable ones (requires new Mods site) - Commit Link

Update $groupzerogreater array - #809

CDN Compatbility - #776

Goodbye Spammer - #775

Add Time Zones - #764

Thread Count - #761

Buddy System Enhancements - #757

Remove Hardcoded HTML - #756

Database optimization - #738

Overqualified Selectors - #976 #700

Subscription PM notification option - #689

Expand Forum Moderator permissions - #688

Add profile fields on registration - #687

Admin and Email activation option - #685

Publicly shown poll end date - #587

CAPTCHA Improvements - #557

Search Help Files - #497

Invite-only joinable groups - #493

Maximum Nested Quote Tags for PMs - #492

Hide stuff users don't have permission to use - #454

Edit Reason - #451

Add to mycode - #450

User option to disable images/videos - #449

Moderation Tools Improvements - #435

Forum Statistics Improvements - #434 #824

Profile Fields Enhancements - #433

Using update_query with BIT(1) fields - #360

inline_moderation.js friendly to table-less themes - #915

Memberlist sorting - #914

Force Login - #906

Add class to smilies - #905

AJAX for security questions - #894

Add get_user_by_username() helper function - #893

find_replace_templates() accepts SID - #889

$this->options in class_parser.php - #880

Add class to announcements - #879

Make forum friendly to outside pages - #878

Change showthread.php icons to sprite - #877

Add rebuild settings to cache tools - #875

Add email description editing to editor - #869

Add video sites to editor - #862

Check new members against StopForumSpam - #860

Jump to Page in pagination - #857

send_pm() should consider users' language - #834

Image re-scaling and long words/text wrapping CSS/HTML changes - #816

Moderate Groups - #439

Portal Improvements - #436

Moderation Notifications - #430

Thread Prefix system improvements - #427

Ability to Stop tracking all messages - #364

Settings description on installation - #197

Add Template::render method - #1344

Read more: http://blog.mybb.com/2014/09/01/mybb-1-8-released/