MyBB 1.8.3
MyBB 1.8.3 is now available from the MyBB website. It fixes 1 high risk vulnerability, 2 medium risk vulnerabilities and 3 low risk vulnerabilities. We recommend everyone upgrades to this release immediately.
What’s added/changed in this version?
The vulnerabilities are:
- High Risk: A SQL injection vulnerability in theme selection (reported by StefanT)
- Medium Risk: A XSS vulnerability in calender.php (reported by -Acid)
- Medium Risk: A XSS vulnerability in MyCode editor (reported by My-BB.Ir)
- Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
- Low Risk: unserialize may call PHP magic methods (reported by chtg)
- Low Risk: PHP setting request_order can break register globals handling (reported by chtg)
Additionally we’ve fixed an issue with the video MyCode introduced with MyBB 1.8.2 (#1625) and revised the handling of data fetched from our website as a direct consequence of the compromised GitHub account (#1617). In addition to that, we’ve set the adminsid cookie as httpOnly (#1622). We also plan to add enhanced options to protect the Admin CP like two factor authentication with one of the next maintenance releases.
Please note, that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.
Upgrading from 1.8.2 and Other Versions
Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.
To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.
- Download and use the Changed Files Package (MD5: 0bef95fee272b767c3c07584e7af410f)
- Follow the Docs Upgrading Instructions
If you’re using MyBB 1.8.1 or lower
- Download and use the full 1.8.3 Release Package (MD5: 1f5d1246da4174f3b29799eca435d86c)
- Follow the Docs Upgrading Instructions
MyBB 1.6.16
MyBB 1.6.16 is now available from the MyBB website. It fixes 5 low risk vulnerabilities.
What’s added/changed in this version?
The vulnerabilities are:
- Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
- Low Risk: A XSS vulnerability in admin/modules/style/templates.php
- Low Risk: A XSS vulnerability in admin/modules/config/languages.php
- Low Risk: unserialize may call magic methods (reported by chtg)
- Low Risk: request_order can break register globals handling (reported by chtg)
Additionally we’ve revised the handling of data fetched from our website as a direct consequence of the compromised GitHub account (#1617). In addition to that, we’ve set the adminsid cookie as httpOnly (#1622).
Please note, that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.
Upgrading from 1.6.15 and Other Versions
Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.
To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.
- Download and use the Changed Files Package (MD5: 08d8f6ea9df512a9f2c924409ddb78ce)
- Follow the Docs Upgrading Instructions
If you’re using MyBB 1.6.14 or lower
- Download and use the full 1.6.16 Release Package (MD5: 98e84e5de337843f407a4b58d70253c9)
- Follow the Docs Upgrading Instructions
Reporting MyBB security vulnerabilities
If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.
As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.
Thanks,
MyBB Team
Note about updated package for 1.6.16
Due to a minor issue with the original packages an updated package set has been released.
If you installed or updated your forums using either the full or changed files packages prior to 18:00 p.m. on November 20, 2014 GMT please download a fresh package from the links above and replace the following file:
admin/modules/home/version_check.php
calendar.php (reverted to previous version)
You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package, the file above will appear to be modified if you need to download an updated copy.
We apologise of any inconvenience.
MyBB Blog 
Thank you for the continuous support of MyBB.
Thanks
Reblogged this on adamzynoni's Blog and commented:
Thank you mybb. I have successfuly update my site to mybb 1.8.3. It was cool.
Thank you for the continuous support of MyBB.
Pingback: Attack against the community forums prior to 1.8.3 release | MyBB Blog
Thanks
Reblogged this on Getyll Developments.
Please make 1.8 compatible with all 1.6 themes and plugins.
We did our best to minimize compatibility issues but it’s not possible to improve things without breaking themes and plugins.
have just upgraded to 1.6.16 but want to upgrade to 1.8. Looks risky as i have a bigger board.
I want to download themes for 1.8.3 Mybb. From where I can?
Themes are available on our website: http://community.mybb.com/mods.php?action=browse&category=themes