Hosting MyBB

1.8.30 (security release)
6 April - 15MBSecurity

CVE-2022-24734 ACP Settings management RCE

Read more: https://mybb.com/versions/1.8.30/






1.8.29 (security release)
30 October 2021 - 15MBSecurity

ACP Settings management RCE - The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type php with PHP code, executed on on Change Settings pages. This results in a Remote Code Execution (RCE) vulnerability.

Read more: https://mybb.com/versions/1.8.29/






1.8.28 (security release)
27 October 2021 - 15MBSecurity

CVE-2021-41866 ACP Template Name XSS



New Features

#4428 Remove "MyBB Internal..." message output in error handler

#4411 Cached settings not available during early errors



Bug Fixes & Enhancements

#4466 Subforums viewers count not accounted for on index page

#4463 Inconsistent HTML support for User Titles

#4460 Parser output may be incorrectly suppressed when ignored errors occur

#4458 Broken display and verification of reCAPTCHA v3 and Invisible hCaptcha

#4454 Default "Results per page" value in ACP's Find Attachments fails form validation

#4446 Value passed to 'DefaultForm::generate_yes_no_radio()' can be evaluated differently on PHP 8

#4444 Admin permission management broken in PHP 8

#4439 Error handler's output may be incorrectly hidden

#4437 Multiple thread moderation works only for one thread

#4433 Custom profile field conditions ignored in ACP's Find Users

#4429 Forum permissions no longer inherited for usergroup-limited forums

#4426 Delete and forum filter functions not working in ACP attachments module

#4423 mybb_attachtypes.forcedownload not created on fresh install

#4420 registered users unable to change banned mail address

#4417 Invalid condition, PostgreSQL syntax for 'AbstractPdoDbDriver::setCharacterSet()'

#4414 Display error in custom forum permission settings for guests in ACP

#4410 Font codes showing in some posts

#4409 Error suppression doesn't work on PHP 8

#4408 "Undefined array key" error when modifying forums on PHP 8

#4400 Viewing a user IP address in ACP doesn't work with MyBB 1.8.27

#4398 Moderation_queue.php doesn't work with MyBB 1.8.27

#4397 Require parser HTML output validation

#4393 Forum search filter may not apply when 'forums' parameter not an array

#4391 Missing HTML angle bracket in 'post_attachments_new' template

#4138 Fix PHP 8.0 compatibility problems

#3634 Empty folders - message count of unread instead of inbox

Read more: https://mybb.com/versions/1.8.28/






1.8.27
25 June 2021 - 15MBNew Features

#4321 Display note when running the upgrade system is not necessary

#4319 Inline user edit additional ACP hooks

#4310 Add note to ACP's Import Theme to only use trusted sources

#4308 Add correction advice to ACP's File Verification

#4306 Use separate anti-CSRF token in the ACP

#4305 Add HTML validation to postParser

#4274 Settings - Disabling nesting quotes - fix description

#4262 Add options to prevent spiders and thread autor from increasing thread view count

#4256 New plugin hook - reputation.php

#4238 Add commit hook to attachments forum module (ACP)

#4236 Translators should be able to link their communities for special use cases

#4228 maillogs.php - add a new hook for logs

#4224 Functions.php - add a new hook

#4209 Move mail queue processing to a task rather than a shutdown function

#4196 MyBB.prompt() template

#4163 [Feature Suggestion] Force Attachment Download

#4153 Purge Spammer should have a setting to skip adding the IP to the ban filters

#4149 Allow use of cookieless domain for YouTube video embeds

#4136 Add style variable in survey template

#4134 Add hook for custom mail handler registration

#4132 Add 'lastip' column handling to UserDataHandler

#4060 contact.php page redirection

#4057 Hooks to allow plugins to extend custom moderation tools

#3947 Checkbox in group settings doesn't work

#3791 Thread Mode Selector

#3776 Generating numerical permissions with on/off switches from multiple user groups

#3566 Enhancement: Remove double confirmation of upload

#3509 Reputation is lost on account merge



Bug Fixes & Enhancements

#4384 Soft deleted thread may be visible in User CP Home's subscriptions

#4365 Custom Moderation Fails From Search Results

#4363 Missing collation in upgrade script

#4338 Absolute uploadspath fails due to MYBB_ROOT prefix on mime check

#4336 UCP-PM - bgcolor is not used, trow1/2 are vertically not horizontally

#4334 UCP-PM - icons/posticons/check boxes are misaligned

#4332 'expcol' issues

#4324 ACP Multiple email registration & Login method settings

#4303 Auto URL parsing may break HTML entities

#4299 Imported theme process is stopped while leaving leftovers behind

#4294 Searching for members with underscores in their name via memberlist.php fails

#4293 "Click to edit" added when post content is empty

#4289 global_moderation_notice - use same div class like other notice bars

#4287 Inconsistency with notices in header

#4285 Add pagination to certain Admin CP locations

#4280 Incorrect name used for 'upload_max_filesize' PHP directive

#4278 'isdefault' set to 0 for some default settings

#4277 Who is online limit (per page) setting is taken from thread settings

#4271 IP Ban list in the ACP no pagination

#4267 Add word filters pagination

#4258 Not possible to remove signature length limit

#4254 issue with recount&rebuild in admincp

#4253 Use cached values for calculating thread count in forum view

#4250 report_reasons.php - wrong lang variable

#4244 Conflicted Birthday Privacy

#4232 Avatar Upload - Wrong Error Message

#4231 [color] tags with rgba() colour spec are unrendered

#4222 Missing cache rebuild on delete report reasons

#4220 Showthread.php - wrong lang variable

#4219 Password Length Settings

#4201 String treated as array

#4197 Inconsistent Access Own Unapproved Posts count may cause thread posts to not be visible

#4192 DB_MySQLi::modify_column does not set default value

#4184 The 'redundant tags on paste of unformatted text' browser-dependent SCEditor bug

#4183 Mass mail: lost radio button selection & illegal string offset warnings

#4182 The 'double quotes in font lists' browser-independent SCEditor bug

#4181 AdminCP > User Email Log should work with other log types

#4175 Profile fields aren't loaded in quick replies

#4173 Show 'edited by' Messages - moderators are not affected

#4171 Filtering by user is incorrect in ACP warning logs

#4167 Repeated code in newreply.php

#4165 Invalid variable in private message templates

#4160 User activity ignored for subscriptions

#4158 Posts with same dateline may be out of order

#4157 Duplicates in user handler insert_user()

#4156 Clearer error messages when internal issues arise.

#4151 New forum permissions not applied

#4147 Attachments directories not deleted when all attachments are removed

#4144 Chosen options from previous Multiple Option Select profile fields displayed on postbit would appear in later ones

#4142 Unclear reason of setting ['-1'] => '1' to $permissioncache which value is null

#4133 Board set to closed after running Tables Check task on PHP >= 7.1

#4125 jGrowl uses a non-standard property zoom which should be replaced

#4123 The level of warnings in your profile leads to usercp.php

#4117 Delete Selected Attachments button is visible if i haven't got any attachments

#4116 If moderator can't warn some user, [Warn] link could be not exists in this profile

#4111 Inconsistent capitalization in online.php

#4107 Inconsistent spaces around "] = " in language files

#4103 Member registration JS validator doesn't use translation for 'required' message

#4097 When 'Hide Private Forums?' is off users can view forum lastpost for forums where can view threads but not forum

#4078 Paste image into SCEditor gives data-uri instead of URL for [img] BBcode

#4074 Nested lists not working properly

#4070 CAPTCHA code improvements

#4048 Send thread uses non admin email to send mail

#4033 Search fails to throw errors if keywords is met with specific criteria

#4026 Attachments aren't parsed in print preview

#4023 Editing help document/section seems doesn't check input

#4005 PM Compose Message - Select from Buddies, Checkbox

#3995 Only parent forum's mod/modcp permissions are used in ModCP

#3927 Add cache busting for CSS

#3873 Update attachment button unnecessarily displayed

#3853 Missing plugin language file for AdminCP prevents from using/entering AdminCP

#3804 Post merge doesn't do check on video/image count

#3792 New report notifications not always shown

#3779 hardcoded SID causes missing CSS when exporting PMs in HTML, after upgrading

#3754 Upload paths inaccuracy

#3738 Allow Link MyCode off still allows links

#3721 Change video default link value "http://" to placeholder

#3711 HTML entities in plain text mails

#3456 Accented char in mybb_theme_colors.xml breaks default theme

#3327 Usergroup permission for being invisible

#2217 Font Size with numbers

#2114 Inefficient thread moderation code - threads queried one by one

#2058 Guests permissions to edit/delete posts/threads

#1758 Can view/reply only own threads and guests

#354 User promoted from a Custom usergroup (via Forum Management) is not displayed as...

Read more: https://mybb.com/versions/1.8.27/



display more versions




1.8.26 (security release)
11 March 2021 - 15MBSecurity

Fixed: Nested Auto URL persistent XSS

Fixed: Theme properties SQL injection

Fixed: Poll vote count SQL injection

Fixed: Forum Management SQL injection

Fixed: Usergroups SQL injection

Fixed: Custom moderator tools reflected XSS

Read more: https://mybb.com/versions/1.8.26/






1.8.25 (security release)
26 February 2021 - 15MBSecurity

Fixed: Nested Email MyCode Persistent XSS

Read more: https://mybb.com/versions/1.8.25/






1.8.24 (security release)
11 August 2020 - 15MBSecurity

High risk: MyCode message formatting XSS in visual editor



Themes

After running the upgrade, make sure to update the version attribute in the codebuttons template for non-default themes.



Templates Changed

codebuttons

Read more: https://mybb.com/versions/1.8.24/






1.8.23 (security release)
20 July 2020 - 15MBFeatures

Added support for hCaptcha, reCAPTCHA v3, APCu, Redis

Improvements related to ACP’s Thread Prefixes management, UTF-8 search, performance

Updates jQuery to 3.5.1



Themes

Content of global.css stylesheet may need updating



Extension Developers

Always use verify_post_check() for my_post_key token verification

Positions of some hooks were changed

"banned" datacache was removed



Security

Medium risk: Anti-CSRF token disclosure in online status location



Bug Fixes

101 issues resolved



Templates Changed

calendar_weekrow_currentday

calendar_weekrow_day

calendar_weekrow_thismonth

codebuttons

editpost

error_nopermission

forumdisplay_thread

header_welcomeblock_guest_login_modal

headerinclude

managegroup_adduser

managegroup_inviteuser

managegroup_user_checkbox

member_profile_adminoptions_manageban

member_profile_contact_fields_skype

member_register

member_register_referrer

member_register_regimage_hcaptcha

member_register_regimage_hcaptcha_invisible

member_resendactivation

memberlist

memberlist_search

modcp_announcements_edit

modcp_announcements_new

modcp_banuser

modcp_finduser

modcp_warninglogs

moderation_delayedmoderation

moderation_threadnotes

multipage_jump_page

mycode_img

post_attachments

post_attachments_attachment_mod_approve

post_attachments_attachment_mod_unapprove

post_attachments_attachment_remove

post_attachments_attachment_unapproved

post_captcha_hcaptcha

post_captcha_hcaptcha_invisible

post_javascript

private_advanced_search

private_send

private_send_autocomplete

search

sendthread

usercp_editlists

usercp_removesubscription_forum

usercp_removesubscription_thread

Read more: https://mybb.com/versions/1.8.23/






1.8.22 (security release)
3 January 2020 - 15MBMyBB 1.8.22 is a security & maintenance release.



Note: this version removes the discontinued Yahoo profile field, which may have been customized for other purposes.



Security

High risk: Installer RCE on settings file write

Medium risk: Arbitrary upload paths & Local File Inclusion RCE

Medium risk: XSS via insufficient HTML sanitization of Blog feed & Extend data

Low risk: Open redirect on login

Low risk: SCEditor reflected XSS



Bug Fixes

36 issues resolved



Templates Changed

codebuttons

forumdisplay_searchforum

header_quicksearch

member_profile_contact_details

member_referral_row

member_referrals

member_referrals_popup

memberlist_search

modcp_editprofile

moderation_inline_movethreads

portal_search

post_attachments

post_javascript

search

showthread

usercp_changename

usercp_profile_contact_fields

Read more: https://mybb.com/versions/1.8.22/






1.8.21 (security release)
11 June 2019 - 15MBThis is a security and maintenance release for MyBB.



Security

HIGH RISK: Theme import stylesheet name RCE. Reported by Simon Scannell and Robin Peraglie RIPS Technologies.

HIGH RISK: Nested video MyCode persistent XSS. Reported by Simon Scannell and Robin Peraglie RIPS Technologies.

MEDIUM RISK: Find Orphaned Attachments reflected XSS. Reported by Simon Scannell RIPS Technologies.

MEDIUM RISK: Post edit reflected XSS. Reported by adm1nkyj ENKI.

MEDIUM RISK: Private Messaging folders SQL injection. Reported by Alex DiscoveryGC.

LOW RISK: Potential phar deserialization through Upload Path. Reported by Simon Scannell RIPS Technologies.



Bug Fixes

#3696 header_welcomeblock_member_buddy template is not cached

#3693 email insert doesn't work in source mode

#3691 Quote disappears in source mode

#3681 RSS Syndication : Bugs & Improvements

#3680 New hook on recount_rebuild

#3679 Language: use horizontal ellipsis instead of three dots or two dots

#3678 Unique check for per_page on recount_rebuild

#3676 SQL Error When Viewing Unread PMs

#3666 PM search - incorrect folder

#3663 Moved thread link name not changing properly

#3657 Missing CSS-class in referral modal

#3656 SQL Error on Post Update With Removed Attachment

#3651 Recount & Rebuild JS redirect is broken

#3647 Incompatible arguments of DB_Base::modify_column() and DB_Base::rename_column() implementations

#3640 Upgrade jQuery to latest (3.3.1) & related js updates

#3636 JS error - modal template in headerinclude

#3634 Empty folders - message count of unread instead of inbox

#3627 Admin Edit User - Missing external URL

#3625 PHP 7 compatibility - functions_calendar.php

#3614 Posting Limits and Post Moderation

#3613 Clear select2

#3611 Change Usergroup & Hidden Theme Interfering

#3610 BugDoc - Please fix documentation for Attachment Type

#3609 Fulltext Search and Stopwords

#3608 Inconsistent error message

#3604 class_stopforumspamchecker.php uses old API call url

#3601 AdminCP "Report Reasons" not updating cache on `disporder` change

#3598 1.8.20 - unread PMs - pagination

#3596 separator on index page

#3593 Actions on ACP's Awaiting Activation page with no users selected result in PHP Warning

#3591 1.8.20 sceditor font-size change bug

#3590 Empty index operator used on $errors string in Mod CP results in Fatal error with PHP 7.1

#3588 1.8.20 Editor Center issue

#3587 Templates Not Cached at Startup (`global_modqueue` & `global_modqueue_notice`)

#3575 Parser auto link breaks `ftp://` protocol URLs

#3520 Invisible Recaptcha - PW Reset Error

#3383 unable to add images to register questions

#2754 $sourcemode causes page to scroll to editor textarea when set to true via usercp.

#2542 Update SCEditor

Read more: https://mybb.com/versions/1.8.21/






1.8.20 (security release)
4 March 2019 - 15MBThis is a security and maintenance release for MyBB.



Security

Medium risk: Reset Password reflected XSS

Medium risk: ModCP Profile Editor username reflected XSS — reported by Jovan Zivanovic of MaTRIS Research Group, SBA Research

Low risk: Predictable CSRF token for guest users — reported by Devilshakerz of MyBB Team

Low risk: ACP Stylesheet Properties XSS — reported by Cillian Collins

Low risk: Reset Password username enumeration via email — reported by Abdullah Md. Shaleh



Bug Fixes

#3583 MyBB 1.8.20 Editor Is Too Small

#3580 Oversensitive Word Filter

#3578 Threads Awaiting Moderation text overflow and no BBCode parsing

#3556 AJAX removal of attachment is not working

#3554 Smilie select is not working

#3553 Typo when a thread is waiting for approval

#3549 Incorrect "continue" usage in WarningsHandler

#3547 Remove attachments via AJAX

#3546 Consistent JS dialogs and popups

#3545 Upgrade jQuery to jQuery 3.0.0

#3543 UCP - Edit options - lang typo - missing dot

#3538 Member Profiles have Send Email link

#3533 UCP - Forum subscription - change align

#3514 Show only unread private messages

#3512 Forum Team Link should be available globally

#3506 "showthread_printthread" template not cached

#3504 ModCP warninglogs pagination issue

#3501 Lang typos in user_users and moderation lang files

#3486 Missing Moderation Notices

#3483 Add 'exact' option to memberlist username search

#3477 Improve error log details

#3476 Version check does not work

#3473 "index_showteamlink" template not preloaded

#3471 `check_thumbnail_memory` assumes `memory_limit` INI setting always has suffix

#3468 Page Change in Managegroup causes "Division by zero" Error

#3467 css.php - multiple queries

#3461 Bad word filters with 'escaped' parenthesis cause errors as of 1.8.18

#3459 Search feature improvements

#3457 User CP - "lock" folder & folder icon needs to be corrected to "close" icon

#3453 language editor count() warnings on php 7.2

#3449 Add The Ability To View User Referrals To Member Profile

#3443 MyBB ACP - Latest announcements scraping wrong and repeated content

#3441 ACP: Add Hooks To The User Edit Page To Allow Customization

#3436 Resend email verification missing captcha

#3430 ACP settings search option - hardcoded only for english language.

#3419 Thread and posts should not be hidden from the OP when approval is required!

#3417 Last Active shown for hidden users

#3403 New plugin hook in User CP

#3291 Issue with Thread Prefix

#3241 .prop('checked') doesn't trigger change events

#2020 Referrals Are Lost on Account Merge

#1201 Problem clicking links within AdminCP Template-Sets

Read more: https://mybb.com/versions/1.8.20/






1.8.19
18 September 2018 - 15MBThis is a security and maintenance release for MyBB.



Security

High risk: Email field SQL Injection — reported by StefanT

Medium risk: Video MyCode Persistent XSS in Visual Editor — reported by Numan OZDEMIR of InfinitumIT

Low risk: Insufficient permission check in User CP's attachment management — reported by StefanT

Low risk: Insufficient email address verification — reported by StefanT



Bug Fixes

#3429 All smilies should be shown on the full list

#3428 Missing database inserts for engines other than MySQL

#3415 Quick reply auto-subscribes users

#3412 Inconsistent Styling of Restore Button

#3410 Undefined/null values can be passed to my_hash_equals() on forum password check

#3409 my_hash_equals() definition can be missing when evoking for password-protected forums

#3397 Custom Profile Fields - Certain characters not escaped

#3393 grammar issue in upgrade script

Read more: https://mybb.com/versions/1.8.19/






1.8.18 (security release)
29 August 2018 - 15MB1.8.18



This is a security and maintenance release for MyBB.



Security

Image MyCode "alt" attribute persistent XSS

RSS Atom 1.0 item title persistent XSS



Bug Fixes

plus 30 bugs fixed



1.8.17



Bug Fixes

fixed bugs that prevented login to administration



1.8.16



This is a security and maintenance release for MyBB.



Security

Image & URL MyCode Persistent XSS

Multipage Reflected XSS

ACP logs XSS

Arbitrary file deletion via ACP's Settings



Bug Fixes

plus 66 bugs fixed

Read more: https://mybb.com/versions/1.8.18/






1.8.15 (security release)
18 March 2018 - 15MBSecurity

Medium risk: Tasks Local File Inclusion

Medium risk: Forum Password Check Bypass

Low risk: Admin Permissions Group Title XSS

Low risk: Attachment types file extension XSS

Low risk: Moderator Tools XSS

Low risk: Security Questions XSS

Low risk: Settings Management XSS

Low risk: Templates Set Name XSS

Low risk: Usergroup Promotions XSS

Low risk: Warning Types XSS

Read more: https://mybb.com/versions/1.8.15/






1.8.14 (security release)
28 November 2017 - 15MBSecurity

High risk: Language file headers RCE — reported by Julian Rittweger

Low risk: Language Pack Properties XSS — reported by Julian Rittweger

Read more: https://mybb.com/versions/1.8.14/






1.8.13 (security release)
20 November 2017 - 15MBThis release fixes 7 security vulnerabilities and 62 reported issues causing incorrect functionality of MyBB.



Security

Installer RCE on configuration file write

Language file headers RCE

Installer XSS

Mod CP Edit Profile XSS

Insufficient moderator permission check in delayed moderation tools

Announcements HTML filter bypass

Language Pack Properties XSS

Read more: https://mybb.com/versions/1.8.13/






1.8.12 (security release)
22 May 2017 - 15MBThis release fixes 3 security vulnerabilities and 14 reported issues causing incorrect functionality of MyBB.



Security

Medium risk: Insufficient permission check in multiquote feature – reported by frostschutz

Medium risk: CSV macro injection on PM export – reported by Rico A. Silvallana

Low risk: Weak password reset codes & false positives – reported by Devilshakerz



Bugs fixed

Redundant  tag in moderation_inline_mergeposts template 1.8 bug s:fixed

Missing closing  tags 1.8 bug s:fixed

Issues with the IM center pop-up 1.8 bug p:normal s:fixed

DB_PgSQL::show_create_table() doesn't list unique keys 1.8 bug pgsql s:fixed

Custom MyCode 1.8 bug s:fixed

Merge hook not working correctly 1.8 bug p:normal s:fixed

Hover on Relative time to Show Exact date/time 1.8 enhancement p:low s:fixed

CURLOPT constants inconsistencies 1.8 bug s:fixed

gethostbynamel() and dns_get_record() may issue unhandled warnings 1.8 bug s:fixed

Upgrade script final step shows invalid title 1.8 bug p:low s:fixed

Short array syntax in fetch_remote_file() raises Parse error on PHP < 5.4 1.8 bug s:fixed

Updation of "What is RSS?" link to https 1.8 enhancement s:fixed

Incorrect post-login redirect URL on private networks and localhost 1.8 bug s:fixed

RSS limit doesn't work in the generated URL - always 15 1.8 bug p:normal s:fixed

Read more: https://blog.mybb.com/2017/05/22/mybb-1-8-12-released-security-maintenance-release/






1.8.11 (security release)
23 April 2017 - 15MBThis release fixes 3 security vulnerabilities and 32 reported issues causing incorrect functionality of MyBB.



Security

High risk: XSS Injection in Email MyCode – reported by Zhiyang Zeng of Tencent security platform department

Medium risk: SSRF protection can be bypassed – reported by Orange Tsai of DEVCORE and Jasveer Singh of SEC Consult Vulnerability Lab

Low risk: Directory Traversal in smilie module – reported by Zhiyang Zeng of Tencent security platform department



Bugs fixed

Bug: mybbuser cookie is set without httponly when changing password

Enhancement: Mod CP - missing plugin hooks

Bug: Issues with Admin Logging and email pruning

Bug: orphaned variable

Enhancement: Add new hook in User CP's Change Avatar section

Bug: Update LiveLeak embed code for HTTPS

Enhancement: Add Referrer-Policy header on ACP pages

Bug: Invalid download link in ACP version check

Enhancement: Missing Plugin Hooks in the ACP

Bug: Wrong link to announcements in ModCP announcement list

Enhancement: New hook in moderation.php to work with moved posts

Bug: Notification email not sent after activation

Enhancement: Rewrite create_password_hash() usage to accept array of password parameters

Bug: PHP 7.1 Illegal string offset warning when editing user profile with custom select fields

Bug: Stats page refreshing issue

Enhancement: Error notice (div.error) styling doesn't match to 1.8 design.

Bug: MyCode same regular expression issue

Bug: Blocked user's soft deleted message issue

Bug: Group promotions bug

Bug: Twitch Videos Start Automatically

Bug: Almost all numeric values greater 9 are set to 9 in "Show All Settings"

Bug: Theme selector leaves GET data in the URL

Bug: GO button in portal search not inline

Bug: last post info is not updating properly

Bug: When viewing own profile via `uid=0`, the username isn't shown

Bug: Todays birthdays issue with deleted user or purged spammer

Bug: Editing of announcements in ModCP doesn't work

Bug: Only one child theme moved up the tree when deleting themes

Bug: Reply button with usernames containing quotes

Bug: Find orphaned attachments shows success when failed

Bug: User ratings not merging when account is merged

Read more: http://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/






1.8.10
10 January 2017 - 15MBThis release fixes 22 reported issues causing incorrect functionality of MyBB.



Bugs fixed

Bug: Deleting a forum and the recount link while using custom admin url,

Bug: Compose a PM - extra space before "Request Read Receipt:"

Bug: Problem Send PM - Member Profile

Bug: Approve/unapprove threads moderator permission broken

Bug: Custom profile field - Show on member profile - OFF is not working

Bug: Who Posted Sorting Links Redirect To New Page

Bug: Missing line break in New Thread post options

Wrong MySQL version detected

Bug: Quoting posts removes moderator options under certain conditions

Bug: File Verification and .txt files

Bug: Contact Details

Bug: Word filter iterates over replacement strings

Add "Mark site as read" into footer (#1583)

Bug: ModCP - Profileditor

Bug: admin modules dubble $sub_tabs

Bug: Invalid values used with operators expecting numbers raise E_WARNING on PHP 7.1

Bug: Last post not updated when approving the first post using inline mod tools

Bug: New reply mod options do not check specific moderator permissions

Enhancement: Add option to set cookies with Secure flag

Bug: Help Documents HTML not parsed in misc.php?action=helpresults

Bug: "Only receive private messages from users on my Buddy List." ineffective when buddy l

Bug: PM disable option

Read more: http://blog.mybb.com/2017/01/10/mybb-1-8-10-released-maintenance-release/






1.8.9 (security release)
6 January 2017 - 15MBThis release fixes 1 security vulnerability and 52 reported issues causing incorrect functionality of MyBB.



Security

Low risk: CSRF issue when removing subscriptions – reported by Devilshakerz



Bugs fixed

Bug: Collapsed theads

Bug: Empty index operator throws fatal error on PHP 7.1 when used on strings

Bug: Disable edit by timestamp for admins also disables for moderators

Bug: Gravatar link updation

Bug: You have entered an invalid secret PIN.

Bug: XSS in URL BBCode

Bug: Outdated location name on Time Zone

Bug: Outdated MIME types link in Attachment Types configuration

Bug: SQL Error in private.php

Bug: Links executing JS functions should return false and point to javascript.void(0) instead of hashtags

Enhancement: Update `Google Talk` language string to `Google Hangouts`

Enhancement: No Licence file

Bug: Signature preview saves the signature?

Bug: Weird timestamp addition in modcp resulting in integer overflow

Enhancement: No hooks available in password hashing functions

Bug: Delayed moderation - missing lang string for time

Bug: Report Reasons not sent in report PM/email notifications

Bug: Expand/collapse theads not fully implimented

Bug: Invalid table name in Report Reasons

Bug: Redundant " in moderation_delayedmoderation_date_day and modcp_announcements_day

Bug: threads get marked as read by just visiting forum categories

Bug: modcp_announcements_delete

Bug: Fix #2464 Add option to set cookies with Secure flag

Bug: Use a stylesheet for select2.css

Bug: pgsql: Cannot delete theme on postgres

Bug: "Notice: Undefined index: num_threads" when moving threads

Enhancement: Ability to disallow remote avatars

Bug: Missing setting descriptions

Bug: add package.json

Bug: showthread: dropdown-menus respond without "ok" - inconsistency

Bug: can not set permissions on another super admin

Bug: Unable To Perform a Database Backup

Bug: Template group not working.

Bug: Moderation Tools prefix issue

Bug: Check files returns /install missing

Bug: Renaming a stylesheet doesn't recache it

Bug: check tables incorrect if check

Bug: Hello World plugin fails on SQLite and most likely also pgsql

Enhancement: Proposition : enhanced numeric option setting

Bug: Weird global.php is_super_admin() check

Bug: Splitting thread decrease the thread count of user

Bug: Incomplete forum deletion

Bug: "Email Verification & Administrator Activation" usless

Enhancement: Add Deletion Notice

Enhancement: wontfix: Modal & Confirm dialogs

Enhancement: Hide stuff users can't see v2

Bug: CDN In AdminCP

Bug: Line breaks in templates search fails

Bug: Calendar, Week Overview: Week period calculated wrong

Bug: pgsql: Performance Optimization for the function replace_query

Bug: SQL error with Binary pseudo charset

Read more: http://blog.mybb.com/2016/12/21/mybb-1-8-9-released-security-maintenance-release/






1.8.8 (security release)
17 October 2016 - 15MBThis release fixes 7 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB.



Security

Medium risk: Style import CSS overwrite on Windows servers – reported by patryk

Medium risk: SQL Injection in the users data handler – reported by afinepl

Medium risk: SSRF attack in fetch_remote_file() – reported by dawid_golunski

Medium risk: Possible short name access to ACP backups on Windows servers – reported by kevinoclam

Low risk: Stored XSS in the ACP – reported by patryk

Low risk: Loose comparison false positives – reported by Devilshakerz

Low risk: Possible XSS injection in ACP users module – reported by afinepl



Bugs fixed

#2473 Bug: No cache handler used on upgrade

#2466 gender neutral pronoun

#2462 Bug: SQL error in Attachment Statistics with ONLY_FULL_GROUP_BY enabled

#2456 Bug: Hash instead of the password at the "forgot my password"

#2455 Enhancement: Essential HTTPS URL changes for *.mybb.com resources

#2447 Bug: SQL error on post split with ONLY_FULL_GROUP_BY enabled

#2446 Bug: Mark All Reports bug

#2443 Bug: MyBB not respecting https:// URLs of certain resources

#2436 Bug: Attachment counter wrong after merging posts

#2434 Bug: missing_username error when editing a deleted user's post

#2431 Bug: Default avatar broken on ACP when using a full URL

#2427 Bug: Admin interface issues on IPv6

#2424 Bug: Fixes #2422 Installation fails on aggressive opcache settings

#2422 Bug: Installation fails on aggressive opcache settings

#2421 Enhancement: Send users who click "chmod" somewhere helpful

#2417 Bug: Upgrade Bug

#2414 Bug: Swapped MCP banning breadcrumbs

#2410 Enhancement: Optimise images with a better algorithm than last time

#2408 Bug: Unclosed cursors leave tables locked on SQLite

#2405 Bug: Using [img align=X] overlaps with postbit_signature

#2402 Bug: ACP path not being removed correctly when sending mail

#2394 Bug: captcha.php using slow CSPRNG

#2389 Bug: Pictures with custom dimensions higher than 999 not shown

#2385 Bug: ACP language and button function error

#2383 Enhancement: Update timezone

#2378 Bug: Report spam possible with PM/E-mail report medium

#2377 Bug: Disabled referral system leads to wrong colspan in memberlist

#2370 Bug: Report notifications ignore moderator groups

#2363 Enhancement: Per theme default avatar

#2357 Bug: BMP images don't work for avatars

#2348 Bug: Useless subscription guest checks in UCP

#2305 Bug: ACP - statistics page - Stats limit not working

#2298 Bug: Weird signature validation conditionals

#2282 Bug: Unlisted "maxreputationsperuser" setting

#2256 Bug: No smilies/post icons

#2251 Bug: Bad words not parsed in breadcrumbs etc.

#2236 Bug: Buddy popup problem when user doesn't have any permissions

#2228 Bug: SCEditor - Duplicate tags after re-election.

#2211 Enhancement: .htaccess  set wrong, no gzip for js

#2167 Bug: Unread indication doesn't work for guests

#2107 Bug: contact form not stripping html code in emails

#2057 Bug: PM folder language problem

#2050 Enhancement: Remove HTML in parser

#2039 Bug: Message after registration English although different language pack is used

#2022 Bug: Close Thread doesn't work via reply

#1988 Bug: Redirect problem with IDN after login

#1810 Enhancement: jGrowl alert types style

#1796 Bug: Delayed moderation - time bug

#1760 Enhancement: Deprecate update_password

#1729 Bug: Outdated CHMOD wiki link (and more docs.mybb.com links)

#1672 Enhancement: Attachment System Enhacements

#1647 Bug: Remove Attachment not working without refresh

#1631 Bug: username's should be htmlspecialchars_uni()'d

#1589 Bug: More proper URL validation

#1223 Enhancement: Report reasons enhancements

#1150 Enhancement: Remove hardcoded HTML v2

#1056 Bug: ACP: Replace hardcoded placeholder language string with an actual language variable

#298 Bug: Login per E-Mail

#259 Bug: User who is member of group that moderates certain (not all) furums is not recog...

Read more: http://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/






1.8.7 (security release)
12 March 2016 - 15MBThis release fixes 13 security vulnerabilities and 83 reported issues causing incorrect functionality of MyBB.



Security

Medium risk: Possible SQL Injection in moderation tool – reported by jamslater

Low risk: Missing permission check in newreply.php – reported by StefanT

Low risk: Possible XSS Injection on login – reported by Devilshakerz

Low risk: Possible XSS Injection in member validation – reported by Tim Coen

Low risk: Possible XSS Injection in User CP – reported by Tim Coen

Low risk: Possible XSS Injection in Mod CP logs – reported by Starpaul20

Low risk: Possible XSS Injection when editing users in Mod CP – reported by Tim Coen

Low risk: Possible XSS Injection when pruning logs in ACP – reported by Devilshakerz

Low risk: Possibility of retrieving database details through templates – reported by Tim Coen

Low risk: Disclosure of ACP path when sending mails from ACP – reported by sarisisop

Low risk: Low adminsid & sid entropy – reported by Devilshakerz

Low risk: Clickjacking in ACP – reported by DingjieYang

Low risk: Missing directory listing protection in upload directories – reported by Tim Coen



Bugs fixed

#2351 Remove "Are You a Human" captcha

#2340 usercp_editlists_user - wrong lang string in title

#2330 Port is not stripped from the generated cookie domain

#2327 Calendar.php displaying wrong user title

#2319 Enable CURLOPT_FOLLOWLOCATION for fetch_remote_file()

#2314 Wrong PM update array code

#2313 Not a good way to update counters

#2312 Registration confirmation emails not being sent

#2310 SQL error when posting new post with custom moderation tool

#2306 SQL error in UserCP's Group Memberships when sql_mode=only_full_group_by

#2301 $theme['disporder'] may be not an array

#2292 Float number passed to mt_srand() on 32-bit systems

#2291 Typo in Email change message

#2288 Missing closing  in template report_error_nomodal

#2287 Prefix - Staff Only = Uneditable

#2285 Ambiguous indirect variable access breaks PHP 7 compatibility

#2283 Missing closing  in template report

#2278 PgSQL error when upgrading from  User Permissions

Read more: http://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/






1.8.6 (security release)
9 September 2015 - 15MBThis release fixes 5 security vulnerabilities and 51 reported issues causing incorrect functionality of MyBB.



Security

Medium Risk: Forum password bypass in xmlhttp.php

Low Risk: SQL Injection in Grouppromotions module (ACP)

Low Risk: Possible XSS Injection in the error handler

Low Risk: Possible XSS issues in old upgrade files

Low Risk: Possible Full Path Disclosure in publicly accessible error log files



Bugs fixed

#2184 Quick edit not working when thread prefix is required

#2178 Question: What are "contants"?

#2171 Find Users should use `escape_string_like()`

#2168 Invalid RE: regex

#2164 output_row() $options['id']

#2163 Post subjects don't work correctly

#2149 Show latin1 as latin 1 and not as cp1252

#2145 Add A Group Leader Doesn't Put Leader In Usergroup

#2143 Parser removes spacing between list elements

#2141 ban_date2timestamp uses supports using timestamp but doesn't use it in date calls

#2129 Editing announcement is broken when global variable "$announcement"

#2126 reCaptcha not work if use SSL (HTTPS)

#2122 Quick reply wrong $postcounter

#2116 mysql

#2115 Inconsistent checks in db classes

#2106 Report Center Bug

#2105 System Email Log Filters

#2093 Sending message to myself with BCC will cause an error

#2091 Custom Profile Field descriptions should be properly escaped

#2084 UserDataHandler::delete_posts report content deletion is redundant.

#2077 Mssing using_remote_avatar language string.

#2076 usercp_avatar HTML syntax error.

#2054 Confusing admin and return mail

#2048 $settings undefined

#2037 Fetching MyBB credits fails -> endless redirection

#2026 Wrong Doc Blocks

#2018 Use queried id instead of input

#2016 Strange behaviour of "find_replace_templatesets"

#2009 Poll options values not saved in editpost.php

#2007 Preview table showing upon error

#2003 Deleting an event in 'editevent' without checking checkbox throws errors

#2001 Calendar does not show errors when adding events

#1999 Adding user in Admin-CP results in wrong timezone

#1978 Send PM: Duplicate check not working for multiple recipients

#1965 Calendar - problem with mini calendar

#1964 Using ||~|~|| in polls breaks poll

#1963 Editing problem in IE11

#1961 require a thread prefix for all threads doesnt work in edit post

#1955 Wrong SCEditor smilie check

#1913 Database export should ignore views

#1912 PM download umlaut problems

#1911 Unnecessary code in functions_post.php

#1906 Wrong information in profile/reputation report PMs

#1838 Birthday bug

#1820 Userhandler still doesn't delete some stuff

#1816 Very inefficient managegroups.php code...

#1793 Random generated password can throw error

#1752 Bypassing Theme Permissions

#1440 Soft delete doesn't show up in mod tools when searching threads

#907 Subject  Max. Char. error on preview

#303 Function insert_id() not working in db_pgsql.php

Read more: http://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/






1.8.5 (security release)
27 May 2015 - 15MBThis release fixes 6 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB.



Security

Medium Risk: Reset password code check could be circumvented in member.php – reported by solati.sadegh

Medium Risk: Sender email could be spoofed when sending an email to a user in member.php – reported by onlinedevelopers

Medium Risk: Permissions not checked for post search with old sid in search.php – reported by pedder55655

Medium Risk: XSS in quick edit function of xmlhttp.php – reported by TiberiusG

Low Risk: CSRF in ACP mass mail cancellation – reported by Destroy666

Low Risk: Use of the U+200E Unicode character to create "duplicate" username – reported by mahdy2021



Bugs fixed

#1997 Single forum/group select settings

#1995 URLs never shortened

#1986 HTML bug in modcp template

#1979 Send PM: Duplicate check inconsistent

#1977 password hash checks should use === and !== instead of == and !=

#1975 JavaScript Error with Multiline Smilies (Disables Editor)

#1957 Grammatical mistake

#1956 Division by zero FPD

#1953 ACP Smilies Mass Editor break all smilies on save.

#1951 grammatical error in admin cp

#1946 Template groups are case sensitive

#1945 Administrator permissions Tools -> Can manage spam logs

#1941 Duplicating a theme doesn't duplicate the templates

#1939 format_avatar caching issue

#1934 Wrong awaitingactivation check

#1933 is_numeric check in Mysql update_query

#1931 Reputation page shows incorrect user title

#1930 Bug in checkbox validation

#1928 Warnings for multiselect/checkbox profile fields

#1926 Upgrades from input - #754

Admin CP language - #690

Disable Default MyCodes - #686

More recount tools - #494

Option to disable contact details - #900

Log all ‘locked out' failures in ACP - #859

Add reported posts stats to ACP - #858

Delayed moderation improvements - #440

New Promotion rules - #429



Front-end: New Theme - #571

CSS buttons, PNG images, Sprite images, Fugue icons - #571

Attachable base colors for themes - #580

Relative Time - #558

Prototype to jQuery Conversion (yay!) - #251

Attachment Types Name - #442

CSS Minification - #564



Front-end: Other

Add ltrim() to search users input - #590

Change trim() in templates to rtrim() - #584

A tool to rebuild reputation - #591

Contact Page - #592 #715

Ability to delete default help topics - #589

If user is invisible & permissions disallow, hide all public data - #593

Post reputation should include thread subject - #594

Remove Gallery; Integrate Gravatar - #582 #586

Delete post on full edit should not show if no permission to delete - #595

Add option to stick/unstick to custom tools - #435

PM thread author in custom tools for threads - #581

Users cannot rate their own posts - #570

format_avatar() function - #569

Whitelist of avatar upload extensions - #568

Preview announcements - #567

Minimum post length to exclude MyCode - #566

IPv6 features - #565

APC cache handler - #574

$cache->delete method - #575

is_member() function - #576

delete_user() function - #408

IP addresses in PMs - #563

Don't ask for validation if validation is disabled - #577

Slow reply posting in long threads - #578

Soft Delete - #560

Login Datahandler - #572

Add theme selector to footer - #496

Forum redirect icon - #453

Permission to reply to own threads - #409

ModCP banned users list descending by default - #138

Quick Reply PM - #437

Poll Updates (Add poll link to thread page; limit of time before a thraed author can no longer add a poll) - #456

Update contact fields - #455

Are You a Human CAPTCHA - #443

Report Center - #556

Ability to sort Private Messages in inbox and other folders - #70

Recount Warning Points - #85

Warning points as a Group Promotion criteria - #88

Registration date and last active time as mass mail criteria - #100

Display profile fields on posts - #133

Add "Display posts in classic mode" option when editing user in Admin CP - #107

Move Edit Time Limit and Max Post Per Day to group settings - #114

Recount Private Messages - #132

Hide members from the Member List - #142

Force redirect page - #550

Searching plugins will highlight vulnerable ones (requires new Mods site) - Commit Link

Update $groupzerogreater array - #809

CDN Compatbility - #776

Goodbye Spammer - #775

Add Time Zones - #764

Thread Count - #761

Buddy System Enhancements - #757

Remove Hardcoded HTML - #756

Database optimization - #738

Overqualified Selectors - #976 #700

Subscription PM notification option - #689

Expand Forum Moderator permissions - #688

Add profile fields on registration - #687

Admin and Email activation option - #685

Publicly shown poll end date - #587

CAPTCHA Improvements - #557

Search Help Files - #497

Invite-only joinable groups - #493

Maximum Nested Quote Tags for PMs - #492

Hide stuff users don't have permission to use - #454

Edit Reason - #451

Add to mycode - #450

User option to disable images/videos - #449

Moderation Tools Improvements - #435

Forum Statistics Improvements - #434 #824

Profile Fields Enhancements - #433

Using update_query with BIT(1) fields - #360

inline_moderation.js friendly to table-less themes - #915

Memberlist sorting - #914

Force Login - #906

Add class to smilies - #905

AJAX for security questions - #894

Add get_user_by_username() helper function - #893

find_replace_templates() accepts SID - #889

$this->options in class_parser.php - #880

Add class to announcements - #879

Make forum friendly to outside pages - #878

Change showthread.php icons to sprite - #877

Add rebuild settings to cache tools - #875

Add email description editing to editor - #869

Add video sites to editor - #862

Check new members against StopForumSpam - #860

Jump to Page in pagination - #857

send_pm() should consider users' language - #834

Image re-scaling and long words/text wrapping CSS/HTML changes - #816

Moderate Groups - #439

Portal Improvements - #436

Moderation Notifications - #430

Thread Prefix system improvements - #427

Ability to Stop tracking all messages - #364

Settings description on installation - #197

Add Template::render method - #1344

Read more: http://blog.mybb.com/2014/09/01/mybb-1-8-released/