1.1.8
Due to three low-risk, browser-based cross-site scripting vulnerabilities found in MyBB, we're releasing a security update to the MyBB 1.1.x series. The vulnerabilities are:
- Avatar / attachment script insertion vulnerability (only affects users of Internet Explorer who directly access a malformed avatar or attachment)
- Cross-site scripting vulnerability on the Admin CP login form (imei Web Security)
- [url] tag cross-site scripting vulnerability with Unicode and malformed URLs (imei Web Security)
The release on the MyBB site has also been updated to 1.1.8.
A list of changed files and manual patching instructions can be found at the link below. All users are urged to update to this release.
Beta testers running 1.2: you're only affected by the first vulnerability (IE specific). Please see the beta forum for an updated beta release.
Warning to web application developers: the first vulnerability affects many web applications. If you allow file uploads (such as images), you need to ensure that you correctly check the file upload type, the actual image type, and the file extension.
The vulnerability is performed by spoofing the headers of an uploaded image and giving it a different filename, which causes Internet Explorer to locally execute any markup embedded in the image.
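The three checks recommended above, as an added example that is not MyBB's own (PHP) code: the upload is accepted only when the declared upload type, the file extension and the image's own magic bytes all agree, and the leading bytes are additionally rejected if they contain HTML-like markup that a sniffing browser could execute. The accepted types (PNG, JPEG, GIF) and the 256-byte sniffing window are assumptions for the example.

```python
# Added example: validate an uploaded image by its declared type, its extension
# and its actual content, rejecting anything where the three disagree.
import os

# Magic-byte signatures for the image types we accept (assumed whitelist).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MIME_TO_TYPE = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif"}
EXT_TO_TYPE = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}
# Tags whose presence near the start of a file can trigger browser content sniffing.
HTML_MARKERS = (b"<html", b"<script", b"<body", b"<head", b"<iframe", b"<img")


def sniff_image_type(data: bytes):
    """Return the image type implied by the file's own bytes, or None."""
    for kind, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return kind
    return None


def validate_image_upload(filename: str, declared_mime: str, data: bytes):
    """Return (accepted, reason). Accept only if extension, declared MIME type
    and magic bytes all agree and the header carries no HTML-like markup."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext_type = EXT_TO_TYPE.get(ext)
    if ext_type is None:
        return False, "extension not allowed"
    mime_type = MIME_TO_TYPE.get(declared_mime.lower())
    if mime_type is None:
        return False, "declared type not allowed"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content is not a recognised image"
    if not (ext_type == mime_type == actual):
        return False, "extension, declared type and content disagree"
    head = data[:256].lower()  # assumed sniffing window
    if any(marker in head for marker in HTML_MARKERS):
        return False, "image header contains HTML markup"
    return True, "ok"


# Constructed samples: a genuine PNG header, and HTML hidden behind a GIF header.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SPOOFED_GIF = b"GIF89a<html><script>alert(1)</script></html>"
```

Storing the accepted file under a server-generated name whose extension is derived from the sniffed type, rather than the name the uploader supplied, removes the renaming step the advisory describes.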