MyBB 1.8.7

11 March 2016

code 1807

SecurityMaintenance

Full Package

Install a new MyBB forum or upgrade from older versions.

.zip – 2.1 MB

Download from MyBB.com

md5:

20fd51c3c8a9cefc54be55a6d3b42c60

Changed Files

Upgrade from the previous version.

.zip – 0.84 MB

Download from MyBB.com

md5:

5542aee753edfd18fc9b9e5783058d9d

How to verify packages

Important Notes

The upgrade script does not need to be run when upgrading to this release with the Changed Files package.

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

Follow the Upgrade Documentation for more detailed instructions.

Security Vulnerabilities Addressed (13)

CWE-89 CVSS:3.1/PR:L Medium risk

Possible SQL Injection in moderation tool

Reported by jamslater

CWE-284 CVSS:3.1/PR:N Low risk

Missing permission check in newreply.php

Reported by StefanT MyBB Team

CWE-79 CVSS:3.1/PR:N Low risk

Possible XSS Injection on login

Reported by Devilshakerz MyBB Team

CWE-79 CVSS:3.1/PR:N Low risk

Possible XSS Injection in member validation

Reported by Tim Coen

CWE-79 CVSS:3.1/PR:L Low risk

Possible XSS Injection in User CP

Reported by Tim Coen

CWE-79 CVSS:3.1/PR:L Low risk

Possible XSS Injection in Mod CP logs

Reported by Starpaul20 MyBB Team

CWE-79 CVSS:3.1/PR:L Low risk

Possible XSS Injection when editing users in Mod CP

Reported by Tim Coen

CWE-79 CVSS:3.1/PR:H Low risk

Possible XSS Injection when pruning logs in ACP

Reported by Devilshakerz MyBB Team

CWE-200 CVSS:3.1/PR:H Low risk

Possibility of retrieving database details through templates

Reported by Tim Coen

CWE-200 CVSS:3.1/PR:N Low risk

Disclosure of ACP path when sending mails from ACP

Reported by sarisisop

CWE-334 CVSS:3.1/PR:N Low risk

Low adminsid & sid entropy

Reported by Devilshakerz MyBB Team

CWE-1021 CVSS:3.1/PR:N Low risk

Clickjacking in ACP

Reported by DingjieYang

CWE-548 CVSS:3.1/PR:N Low risk

Missing directory listing protection in upload directories

Reported by Tim Coen

Issues Resolved (83)

View issues on GitHub

[{"admin":[{"inc":["class_form.php","class_page.php","functions.php"]},{"modules":[{"config":["settings.php"]},{"forum":["management.php"]},{"style":["themes.php"]},{"tools":["adminlog.php","backupdb.php","modlog.php","recount_rebuild.php","spamlog.php","system_health.php"]},{"user":["admin_permissions.php","banning.php","groups.php","users.php"]}]},"index.php"]},{"archive":["index.php"]},{"inc":[{"cachehandlers":["apc.php","disk.php","eaccelerator.php","interface.php","memcache.php","memcached.php","xcache.php"]},{"datahandlers":["post.php","user.php","warnings.php"]},{"languages":[{"english":[{"admin":["global.lang.php","user_banning.lang.php"]},"archive.lang.php","forumdisplay.lang.php","global.lang.php","managegroup.lang.php","member.lang.php","memberlist.lang.php","messages.lang.php","misc.lang.php","modcp.lang.php","newthread.lang.php","private.lang.php","search.lang.php","usercp.lang.php"]},"english.php"]},{"mailhandlers":["php.php","smtp.php"]},{"tasks":["dailycleanup.php"]},"class_captcha.php","class_core.php","class_custommoderation.php","class_datacache.php","class_error.php","class_language.php","class_mailhandler.php","class_moderation.php","class_parser.php","class_session.php","db_mysql.php","db_mysqli.php","functions.php","functions_forumlist.php","functions_post.php","functions_search.php","functions_task.php","functions_upload.php","functions_user.php","functions_warnings.php"]},{"install":[{"resources":["mybb_theme.xml","mysql_db_tables.php","output.php","pgsql_db_tables.php","settings.xml","sqlite_db_tables.php","tasks.xml","upgrade13.php","upgrade26.php","upgrade35.php"]},"index.php"]},{"jscripts":[{"select2":["select2.css"]},"general.js","inline_moderation.js"]},"calendar.php","contact.php","editpost.php","forumdisplay.php","global.php","managegroup.php","member.php","misc.php","modcp.php","newreply.php","newthread.php","polls.php","printthread.php","private.php","ratethread.php","reputation.php","search.php","sendthread.php","showthread.php","usercp.php","usercp2.php","warnings.php","xmlhttp.php"]

Changed Files ()

Changed Language Files (15)

There are changes to 15 language file(s). Changed languages files can be cross-referenced from the list above.

Changed Templates (40)

forumdisplay
forumdisplay_inlinemoderation
forumdisplay_nopermission
headerinclude
managegroup
managegroup_adduser
managegroup_inviteuser
member_profile
member_profile_findposts
member_profile_findthreads
member_register
member_register_referrer
memberlist
memberlist_search
misc_imcenter_skype
misc_whoposted_poster
modcp_banuser
modcp_finduser
modcp_warninglogs
polls_editpoll
post_attachments_attachment
post_attachments_new
private_advanced_search
private_send_autocomplete
report
report_error_nomodal
search
search_results_posts_inlinemoderation
search_results_posts_post
search_results_threads_inlinemoderation
showthread_inlinemoderation
usercp_currentavatar
usercp_editlists
usercp_editlists_user
usercp_subscriptions
video_dailymotion_embed
video_metacafe_embed
video_myspacetv_embed
video_vimeo_embed
video_yahoo_embed