Hosting MyBB

1.8.15
 (security release)
18 March - 15MBSecurity

Medium risk: Tasks Local File Inclusion

Medium risk: Forum Password Check Bypass

Low risk: Admin Permissions Group Title XSS

Low risk: Attachment types file extension XSS

Low risk: Moderator Tools XSS

Low risk: Security Questions XSS

Low risk: Settings Management XSS

Low risk: Templates Set Name XSS

Low risk: Usergroup Promotions XSS

Low risk: Warning Types XSS

Read more: https://mybb.com/versions/1.8.15/






1.8.14
 (security release)
28 November 2017 - 15MBSecurity

High risk: Language file headers RCE — reported by Julian Rittweger

Low risk: Language Pack Properties XSS — reported by Julian Rittweger

Read more: https://mybb.com/versions/1.8.14/






1.8.13
 (security release)
20 November 2017 - 15MBThis release fixes 7 security vulnerabilities and 62 reported issues causing incorrect functionality of MyBB.



Security

Installer RCE on configuration file write

Language file headers RCE

Installer XSS

Mod CP Edit Profile XSS

Insufficient moderator permission check in delayed moderation tools

Announcements HTML filter bypass

Language Pack Properties XSS

Read more: https://mybb.com/versions/1.8.13/






1.8.12
 (security release)
22 May 2017 - 15MBThis release fixes 3 security vulnerabilities and 14 reported issues causing incorrect functionality of MyBB.



Security

Medium risk: Insufficient permission check in multiquote feature – reported by frostschutz

Medium risk: CSV macro injection on PM export – reported by Rico A. Silvallana

Low risk: Weak password reset codes & false positives – reported by Devilshakerz



Bugs fixed

Redundant  tag in moderation_inline_mergeposts template 1.8 bug s:fixed

Missing closing  tags 1.8 bug s:fixed

Issues with the IM center pop-up 1.8 bug p:normal s:fixed

DB_PgSQL::show_create_table() doesn't list unique keys 1.8 bug pgsql s:fixed

Custom MyCode 1.8 bug s:fixed

Merge hook not working correctly 1.8 bug p:normal s:fixed

Hover on Relative time to Show Exact date/time 1.8 enhancement p:low s:fixed

CURLOPT constants inconsistencies 1.8 bug s:fixed

gethostbynamel() and dns_get_record() may issue unhandled warnings 1.8 bug s:fixed

Upgrade script final step shows invalid title 1.8 bug p:low s:fixed

Short array syntax in fetch_remote_file() raises Parse error on PHP < 5.4 1.8 bug s:fixed

Updation of "What is RSS?" link to https 1.8 enhancement s:fixed

Incorrect post-login redirect URL on private networks and localhost 1.8 bug s:fixed

RSS limit doesn't work in the generated URL - always 15 1.8 bug p:normal s:fixed

Read more: https://blog.mybb.com/2017/05/22/mybb-1-8-12-released-security-maintenance-release/



display more versions




1.8.11
 (security release)
23 April 2017 - 15MBThis release fixes 3 security vulnerabilities and 32 reported issues causing incorrect functionality of MyBB.



Security

High risk: XSS Injection in Email MyCode – reported by Zhiyang Zeng of Tencent security platform department

Medium risk: SSRF protection can be bypassed – reported by Orange Tsai of DEVCORE and Jasveer Singh of SEC Consult Vulnerability Lab

Low risk: Directory Traversal in smilie module – reported by Zhiyang Zeng of Tencent security platform department



Bugs fixed

Bug: mybbuser cookie is set without httponly when changing password

Enhancement: Mod CP - missing plugin hooks

Bug: Issues with Admin Logging and email pruning

Bug: orphaned variable

Enhancement: Add new hook in User CP's Change Avatar section

Bug: Update LiveLeak embed code for HTTPS

Enhancement: Add Referrer-Policy header on ACP pages

Bug: Invalid download link in ACP version check

Enhancement: Missing Plugin Hooks in the ACP

Bug: Wrong link to announcements in ModCP announcement list

Enhancement: New hook in moderation.php to work with moved posts

Bug: Notification email not sent after activation

Enhancement: Rewrite create_password_hash() usage to accept array of password parameters

Bug: PHP 7.1 Illegal string offset warning when editing user profile with custom select fields

Bug: Stats page refreshing issue

Enhancement: Error notice (div.error) styling doesn't match to 1.8 design.

Bug: MyCode same regular expression issue

Bug: Blocked user's soft deleted message issue

Bug: Group promotions bug

Bug: Twitch Videos Start Automatically

Bug: Almost all numeric values greater 9 are set to 9 in "Show All Settings"

Bug: Theme selector leaves GET data in the URL

Bug: GO button in portal search not inline

Bug: last post info is not updating properly

Bug: When viewing own profile via `uid=0`, the username isn't shown

Bug: Todays birthdays issue with deleted user or purged spammer

Bug: Editing of announcements in ModCP doesn't work

Bug: Only one child theme moved up the tree when deleting themes

Bug: Reply button with usernames containing quotes

Bug: Find orphaned attachments shows success when failed

Bug: User ratings not merging when account is merged

Read more: http://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/






1.8.10

10 January 2017 - 15MBThis release fixes 22 reported issues causing incorrect functionality of MyBB.



Bugs fixed

Bug: Deleting a forum and the recount link while using custom admin url,

Bug: Compose a PM - extra space before "Request Read Receipt:"

Bug: Problem Send PM - Member Profile

Bug: Approve/unapprove threads moderator permission broken

Bug: Custom profile field - Show on member profile - OFF is not working

Bug: Who Posted Sorting Links Redirect To New Page

Bug: Missing line break in New Thread post options

Wrong MySQL version detected

Bug: Quoting posts removes moderator options under certain conditions

Bug: File Verification and .txt files

Bug: Contact Details

Bug: Word filter iterates over replacement strings

Add "Mark site as read" into footer (#1583)

Bug: ModCP - Profileditor

Bug: admin modules dubble $sub_tabs

Bug: Invalid values used with operators expecting numbers raise E_WARNING on PHP 7.1

Bug: Last post not updated when approving the first post using inline mod tools

Bug: New reply mod options do not check specific moderator permissions

Enhancement: Add option to set cookies with Secure flag

Bug: Help Documents HTML not parsed in misc.php?action=helpresults

Bug: "Only receive private messages from users on my Buddy List." ineffective when buddy l

Bug: PM disable option

Read more: http://blog.mybb.com/2017/01/10/mybb-1-8-10-released-maintenance-release/






1.8.9
 (security release)
6 January 2017 - 15MBThis release fixes 1 security vulnerability and 52 reported issues causing incorrect functionality of MyBB.



Security

Low risk: CSRF issue when removing subscriptions – reported by Devilshakerz



Bugs fixed

Bug: Collapsed theads

Bug: Empty index operator throws fatal error on PHP 7.1 when used on strings

Bug: Disable edit by timestamp for admins also disables for moderators

Bug: Gravatar link updation

Bug: You have entered an invalid secret PIN.

Bug: XSS in URL BBCode

Bug: Outdated location name on Time Zone

Bug: Outdated MIME types link in Attachment Types configuration

Bug: SQL Error in private.php

Bug: Links executing JS functions should return false and point to javascript.void(0) instead of hashtags

Enhancement: Update `Google Talk` language string to `Google Hangouts`

Enhancement: No Licence file

Bug: Signature preview saves the signature?

Bug: Weird timestamp addition in modcp resulting in integer overflow

Enhancement: No hooks available in password hashing functions

Bug: Delayed moderation - missing lang string for time

Bug: Report Reasons not sent in report PM/email notifications

Bug: Expand/collapse theads not fully implimented

Bug: Invalid table name in Report Reasons

Bug: Redundant " in moderation_delayedmoderation_date_day and modcp_announcements_day

Bug: threads get marked as read by just visiting forum categories

Bug: modcp_announcements_delete

Bug: Fix #2464 Add option to set cookies with Secure flag

Bug: Use a stylesheet for select2.css

Bug: pgsql: Cannot delete theme on postgres

Bug: "Notice: Undefined index: num_threads" when moving threads

Enhancement: Ability to disallow remote avatars

Bug: Missing setting descriptions

Bug: add package.json

Bug: showthread: dropdown-menus respond without "ok" - inconsistency

Bug: can not set permissions on another super admin

Bug: Unable To Perform a Database Backup

Bug: Template group not working.

Bug: Moderation Tools prefix issue

Bug: Check files returns /install missing

Bug: Renaming a stylesheet doesn't recache it

Bug: check tables incorrect if check

Bug: Hello World plugin fails on SQLite and most likely also pgsql

Enhancement: Proposition : enhanced numeric option setting

Bug: Weird global.php is_super_admin() check

Bug: Splitting thread decrease the thread count of user

Bug: Incomplete forum deletion

Bug: "Email Verification & Administrator Activation" usless

Enhancement: Add Deletion Notice

Enhancement: wontfix: Modal & Confirm dialogs

Enhancement: Hide stuff users can't see v2

Bug: CDN In AdminCP

Bug: Line breaks in templates search fails

Bug: Calendar, Week Overview: Week period calculated wrong

Bug: pgsql: Performance Optimization for the function replace_query

Bug: SQL error with Binary pseudo charset

Read more: http://blog.mybb.com/2016/12/21/mybb-1-8-9-released-security-maintenance-release/






1.8.8
 (security release)
17 October 2016 - 15MBThis release fixes 7 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB.



Security

Medium risk: Style import CSS overwrite on Windows servers – reported by patryk

Medium risk: SQL Injection in the users data handler – reported by afinepl

Medium risk: SSRF attack in fetch_remote_file() – reported by dawid_golunski

Medium risk: Possible short name access to ACP backups on Windows servers – reported by kevinoclam

Low risk: Stored XSS in the ACP – reported by patryk

Low risk: Loose comparison false positives – reported by Devilshakerz

Low risk: Possible XSS injection in ACP users module – reported by afinepl



Bugs fixed

#2473 Bug: No cache handler used on upgrade

#2466 gender neutral pronoun

#2462 Bug: SQL error in Attachment Statistics with ONLY_FULL_GROUP_BY enabled

#2456 Bug: Hash instead of the password at the "forgot my password"

#2455 Enhancement: Essential HTTPS URL changes for *.mybb.com resources

#2447 Bug: SQL error on post split with ONLY_FULL_GROUP_BY enabled

#2446 Bug: Mark All Reports bug

#2443 Bug: MyBB not respecting https:// URLs of certain resources

#2436 Bug: Attachment counter wrong after merging posts

#2434 Bug: missing_username error when editing a deleted user's post

#2431 Bug: Default avatar broken on ACP when using a full URL

#2427 Bug: Admin interface issues on IPv6

#2424 Bug: Fixes #2422 Installation fails on aggressive opcache settings

#2422 Bug: Installation fails on aggressive opcache settings

#2421 Enhancement: Send users who click "chmod" somewhere helpful

#2417 Bug: Upgrade Bug

#2414 Bug: Swapped MCP banning breadcrumbs

#2410 Enhancement: Optimise images with a better algorithm than last time

#2408 Bug: Unclosed cursors leave tables locked on SQLite

#2405 Bug: Using [img align=X] overlaps with postbit_signature

#2402 Bug: ACP path not being removed correctly when sending mail

#2394 Bug: captcha.php using slow CSPRNG

#2389 Bug: Pictures with custom dimensions higher than 999 not shown

#2385 Bug: ACP language and button function error

#2383 Enhancement: Update timezone

#2378 Bug: Report spam possible with PM/E-mail report medium

#2377 Bug: Disabled referral system leads to wrong colspan in memberlist

#2370 Bug: Report notifications ignore moderator groups

#2363 Enhancement: Per theme default avatar

#2357 Bug: BMP images don't work for avatars

#2348 Bug: Useless subscription guest checks in UCP

#2305 Bug: ACP - statistics page - Stats limit not working

#2298 Bug: Weird signature validation conditionals

#2282 Bug: Unlisted "maxreputationsperuser" setting

#2256 Bug: No smilies/post icons

#2251 Bug: Bad words not parsed in breadcrumbs etc.

#2236 Bug: Buddy popup problem when user doesn't have any permissions

#2228 Bug: SCEditor - Duplicate tags after re-election.

#2211 Enhancement: .htaccess  set wrong, no gzip for js

#2167 Bug: Unread indication doesn't work for guests

#2107 Bug: contact form not stripping html code in emails

#2057 Bug: PM folder language problem

#2050 Enhancement: Remove HTML in parser

#2039 Bug: Message after registration English although different language pack is used

#2022 Bug: Close Thread doesn't work via reply

#1988 Bug: Redirect problem with IDN after login

#1810 Enhancement: jGrowl alert types style

#1796 Bug: Delayed moderation - time bug

#1760 Enhancement: Deprecate update_password

#1729 Bug: Outdated CHMOD wiki link (and more docs.mybb.com links)

#1672 Enhancement: Attachment System Enhacements

#1647 Bug: Remove Attachment not working without refresh

#1631 Bug: username's should be htmlspecialchars_uni()'d

#1589 Bug: More proper URL validation

#1223 Enhancement: Report reasons enhancements

#1150 Enhancement: Remove hardcoded HTML v2

#1056 Bug: ACP: Replace hardcoded placeholder language string with an actual language variable

#298 Bug: Login per E-Mail

#259 Bug: User who is member of group that moderates certain (not all) furums is not recog...

Read more: http://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/






1.8.7
 (security release)
12 March 2016 - 15MBThis release fixes 13 security vulnerabilities and 83 reported issues causing incorrect functionality of MyBB.



Security

Medium risk: Possible SQL Injection in moderation tool – reported by jamslater

Low risk: Missing permission check in newreply.php – reported by StefanT

Low risk: Possible XSS Injection on login – reported by Devilshakerz

Low risk: Possible XSS Injection in member validation – reported by Tim Coen

Low risk: Possible XSS Injection in User CP – reported by Tim Coen

Low risk: Possible XSS Injection in Mod CP logs – reported by Starpaul20

Low risk: Possible XSS Injection when editing users in Mod CP – reported by Tim Coen

Low risk: Possible XSS Injection when pruning logs in ACP – reported by Devilshakerz

Low risk: Possibility of retrieving database details through templates – reported by Tim Coen

Low risk: Disclosure of ACP path when sending mails from ACP – reported by sarisisop

Low risk: Low adminsid & sid entropy – reported by Devilshakerz

Low risk: Clickjacking in ACP – reported by DingjieYang

Low risk: Missing directory listing protection in upload directories – reported by Tim Coen



Bugs fixed

#2351 Remove "Are You a Human" captcha

#2340 usercp_editlists_user - wrong lang string in title

#2330 Port is not stripped from the generated cookie domain

#2327 Calendar.php displaying wrong user title

#2319 Enable CURLOPT_FOLLOWLOCATION for fetch_remote_file()

#2314 Wrong PM update array code

#2313 Not a good way to update counters

#2312 Registration confirmation emails not being sent

#2310 SQL error when posting new post with custom moderation tool

#2306 SQL error in UserCP's Group Memberships when sql_mode=only_full_group_by

#2301 $theme['disporder'] may be not an array

#2292 Float number passed to mt_srand() on 32-bit systems

#2291 Typo in Email change message

#2288 Missing closing  in template report_error_nomodal

#2287 Prefix - Staff Only = Uneditable

#2285 Ambiguous indirect variable access breaks PHP 7 compatibility

#2283 Missing closing  in template report

#2278 PgSQL error when upgrading from  User Permissions

Read more: http://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/






1.8.6
 (security release)
9 September 2015 - 15MBThis release fixes 5 security vulnerabilities and 51 reported issues causing incorrect functionality of MyBB.



Security

Medium Risk: Forum password bypass in xmlhttp.php

Low Risk: SQL Injection in Grouppromotions module (ACP)

Low Risk: Possible XSS Injection in the error handler

Low Risk: Possible XSS issues in old upgrade files

Low Risk: Possible Full Path Disclosure in publicly accessible error log files



Bugs fixed

#2184 Quick edit not working when thread prefix is required

#2178 Question: What are "contants"?

#2171 Find Users should use `escape_string_like()`

#2168 Invalid RE: regex

#2164 output_row() $options['id']

#2163 Post subjects don't work correctly

#2149 Show latin1 as latin 1 and not as cp1252

#2145 Add A Group Leader Doesn't Put Leader In Usergroup

#2143 Parser removes spacing between list elements

#2141 ban_date2timestamp uses supports using timestamp but doesn't use it in date calls

#2129 Editing announcement is broken when global variable "$announcement"

#2126 reCaptcha not work if use SSL (HTTPS)

#2122 Quick reply wrong $postcounter

#2116 mysql

#2115 Inconsistent checks in db classes

#2106 Report Center Bug

#2105 System Email Log Filters

#2093 Sending message to myself with BCC will cause an error

#2091 Custom Profile Field descriptions should be properly escaped

#2084 UserDataHandler::delete_posts report content deletion is redundant.

#2077 Mssing using_remote_avatar language string.

#2076 usercp_avatar HTML syntax error.

#2054 Confusing admin and return mail

#2048 $settings undefined

#2037 Fetching MyBB credits fails -> endless redirection

#2026 Wrong Doc Blocks

#2018 Use queried id instead of input

#2016 Strange behaviour of "find_replace_templatesets"

#2009 Poll options values not saved in editpost.php

#2007 Preview table showing upon error

#2003 Deleting an event in 'editevent' without checking checkbox throws errors

#2001 Calendar does not show errors when adding events

#1999 Adding user in Admin-CP results in wrong timezone

#1978 Send PM: Duplicate check not working for multiple recipients

#1965 Calendar - problem with mini calendar

#1964 Using ||~|~|| in polls breaks poll

#1963 Editing problem in IE11

#1961 require a thread prefix for all threads doesnt work in edit post

#1955 Wrong SCEditor smilie check

#1913 Database export should ignore views

#1912 PM download umlaut problems

#1911 Unnecessary code in functions_post.php

#1906 Wrong information in profile/reputation report PMs

#1838 Birthday bug

#1820 Userhandler still doesn't delete some stuff

#1816 Very inefficient managegroups.php code...

#1793 Random generated password can throw error

#1752 Bypassing Theme Permissions

#1440 Soft delete doesn't show up in mod tools when searching threads

#907 Subject  Max. Char. error on preview

#303 Function insert_id() not working in db_pgsql.php

Read more: http://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/






1.8.5
 (security release)
27 May 2015 - 15MBThis release fixes 6 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB.



Security

Medium Risk: Reset password code check could be circumvented in member.php – reported by solati.sadegh

Medium Risk: Sender email could be spoofed when sending an email to a user in member.php – reported by onlinedevelopers

Medium Risk: Permissions not checked for post search with old sid in search.php – reported by pedder55655

Medium Risk: XSS in quick edit function of xmlhttp.php – reported by TiberiusG

Low Risk: CSRF in ACP mass mail cancellation – reported by Destroy666

Low Risk: Use of the U+200E Unicode character to create "duplicate" username – reported by mahdy2021



Bugs fixed

#1997 Single forum/group select settings

#1995 URLs never shortened

#1986 HTML bug in modcp template

#1979 Send PM: Duplicate check inconsistent

#1977 password hash checks should use === and !== instead of == and !=

#1975 JavaScript Error with Multiline Smilies (Disables Editor)

#1957 Grammatical mistake

#1956 Division by zero FPD

#1953 ACP Smilies Mass Editor break all smilies on save.

#1951 grammatical error in admin cp

#1946 Template groups are case sensitive

#1945 Administrator permissions Tools -> Can manage spam logs

#1941 Duplicating a theme doesn't duplicate the templates

#1939 format_avatar caching issue

#1934 Wrong awaitingactivation check

#1933 is_numeric check in Mysql update_query

#1931 Reputation page shows incorrect user title

#1930 Bug in checkbox validation

#1928 Warnings for multiselect/checkbox profile fields

#1926 Upgrades from input - #754

Admin CP language - #690

Disable Default MyCodes - #686

More recount tools - #494

Option to disable contact details - #900

Log all ‘locked out' failures in ACP - #859

Add reported posts stats to ACP - #858

Delayed moderation improvements - #440

New Promotion rules - #429



Front-end: New Theme - #571

CSS buttons, PNG images, Sprite images, Fugue icons - #571

Attachable base colors for themes - #580

Relative Time - #558

Prototype to jQuery Conversion (yay!) - #251

Attachment Types Name - #442

CSS Minification - #564



Front-end: Other

Add ltrim() to search users input - #590

Change trim() in templates to rtrim() - #584

A tool to rebuild reputation - #591

Contact Page - #592 #715

Ability to delete default help topics - #589

If user is invisible & permissions disallow, hide all public data - #593

Post reputation should include thread subject - #594

Remove Gallery; Integrate Gravatar - #582 #586

Delete post on full edit should not show if no permission to delete - #595

Add option to stick/unstick to custom tools - #435

PM thread author in custom tools for threads - #581

Users cannot rate their own posts - #570

format_avatar() function - #569

Whitelist of avatar upload extensions - #568

Preview announcements - #567

Minimum post length to exclude MyCode - #566

IPv6 features - #565

APC cache handler - #574

$cache->delete method - #575

is_member() function - #576

delete_user() function - #408

IP addresses in PMs - #563

Don't ask for validation if validation is disabled - #577

Slow reply posting in long threads - #578

Soft Delete - #560

Login Datahandler - #572

Add theme selector to footer - #496

Forum redirect icon - #453

Permission to reply to own threads - #409

ModCP banned users list descending by default - #138

Quick Reply PM - #437

Poll Updates (Add poll link to thread page; limit of time before a thraed author can no longer add a poll) - #456

Update contact fields - #455

Are You a Human CAPTCHA - #443

Report Center - #556

Ability to sort Private Messages in inbox and other folders - #70

Recount Warning Points - #85

Warning points as a Group Promotion criteria - #88

Registration date and last active time as mass mail criteria - #100

Display profile fields on posts - #133

Add "Display posts in classic mode" option when editing user in Admin CP - #107

Move Edit Time Limit and Max Post Per Day to group settings - #114

Recount Private Messages - #132

Hide members from the Member List - #142

Force redirect page - #550

Searching plugins will highlight vulnerable ones (requires new Mods site) - Commit Link

Update $groupzerogreater array - #809

CDN Compatbility - #776

Goodbye Spammer - #775

Add Time Zones - #764

Thread Count - #761

Buddy System Enhancements - #757

Remove Hardcoded HTML - #756

Database optimization - #738

Overqualified Selectors - #976 #700

Subscription PM notification option - #689

Expand Forum Moderator permissions - #688

Add profile fields on registration - #687

Admin and Email activation option - #685

Publicly shown poll end date - #587

CAPTCHA Improvements - #557

Search Help Files - #497

Invite-only joinable groups - #493

Maximum Nested Quote Tags for PMs - #492

Hide stuff users don't have permission to use - #454

Edit Reason - #451

Add to mycode - #450

User option to disable images/videos - #449

Moderation Tools Improvements - #435

Forum Statistics Improvements - #434 #824

Profile Fields Enhancements - #433

Using update_query with BIT(1) fields - #360

inline_moderation.js friendly to table-less themes - #915

Memberlist sorting - #914

Force Login - #906

Add class to smilies - #905

AJAX for security questions - #894

Add get_user_by_username() helper function - #893

find_replace_templates() accepts SID - #889

$this->options in class_parser.php - #880

Add class to announcements - #879

Make forum friendly to outside pages - #878

Change showthread.php icons to sprite - #877

Add rebuild settings to cache tools - #875

Add email description editing to editor - #869

Add video sites to editor - #862

Check new members against StopForumSpam - #860

Jump to Page in pagination - #857

send_pm() should consider users' language - #834

Image re-scaling and long words/text wrapping CSS/HTML changes - #816

Moderate Groups - #439

Portal Improvements - #436

Moderation Notifications - #430

Thread Prefix system improvements - #427

Ability to Stop tracking all messages - #364

Settings description on installation - #197

Add Template::render method - #1344

Read more: http://blog.mybb.com/2014/09/01/mybb-1-8-released/