MyBB 1.8.7
12 March 2016
MyBB version 1.8.7 is now available (security release).
Upgrading to MyBB 1.8.7
MyBB 1.8.7 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MyBB updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MyBB install to test the 1.8.7 upgrade prior to applying it live.
What's New in MyBB 1.8.7
This release fixes 13 security vulnerabilities and 83 reported issues causing incorrect functionality of MyBB.
Security
- Medium risk: Possible SQL Injection in moderation tool – reported by jamslater
- Low risk: Missing permission check in newreply.php – reported by StefanT
- Low risk: Possible XSS Injection on login – reported by Devilshakerz
- Low risk: Possible XSS Injection in member validation – reported by Tim Coen
- Low risk: Possible XSS Injection in User CP – reported by Tim Coen
- Low risk: Possible XSS Injection in Mod CP logs – reported by Starpaul20
- Low risk: Possible XSS Injection when editing users in Mod CP – reported by Tim Coen
- Low risk: Possible XSS Injection when pruning logs in ACP – reported by Devilshakerz
- Low risk: Possibility of retrieving database details through templates – reported by Tim Coen
- Low risk: Disclosure of ACP path when sending mails from ACP – reported by sarisisop
- Low risk: Low adminsid & sid entropy – reported by Devilshakerz
- Low risk: Clickjacking in ACP – reported by DingjieYang
- Low risk: Missing directory listing protection in upload directories – reported by Tim Coen
Bugs fixed
- #2351 Remove "Are You a Human" captcha
- #2340 usercp_editlists_user - wrong lang string in title
- #2330 Port is not stripped from the generated cookie domain
- #2327 Calendar.php displaying wrong user title
- #2319 Enable CURLOPT_FOLLOWLOCATION for fetch_remote_file()
- #2314 Wrong PM update array code
- #2313 Not a good way to update counters
- #2312 Registration confirmation emails not being sent
- #2310 SQL error when posting new post with custom moderation tool
- #2306 SQL error in UserCP's Group Memberships when sql_mode=only_full_group_by
- #2301 $theme['disporder'] may be not an array
- #2292 Float number passed to mt_srand() on 32-bit systems
- #2291 Typo in Email change message
- #2288 Missing closing </td> in template report_error_nomodal
- #2287 Prefix - Staff Only = Uneditable
- #2285 Ambiguous indirect variable access breaks PHP 7 compatibility
- #2283 Missing closing </td> in template report
- #2278 PgSQL error when upgrading from <= 1.6.9
- #2276 Redundant </a> in template "misc_whoposted_poster"
- #2274 UTF8 Conversion doesn't work for languages that comma != `,`
- #2266 Editing user in ACP resets select profile fields with ampersands
- #2264 Missing script type in member_register & forumdisplay template
- #2262 Missing closing </tr> in template polls_editpoll
- #2257 Default search doesn't find word with apostrophes
- #2237 Round corners in child tables inconsistent
- #2235 Smilies "Show on clickable list?" doesn't work
- #2234 MyBB logo on error page broken
- #2233 Fix #2232 URLs with & and () and without protocol not parsed
- #2232 [Regex] Why "&" disallowed in url-BB-Code
- #2231 Deprecate get_alt_bg()
- #2224 Can't moderate quick reply posts - missing checkbox
- #2223 Missing title tag for search_results_posts_post
- #2220 Delete themestylesheet
- #2214 Wrong error message
- #2212 Odd code in functions_warnings.php
- #2209 Stats Cache Builder Bug
- #2206 usercp line 3222 error
- #2203 Click and Hold erases thread prefix in 1.8.6
- #2199 Reputation confirmation modal sometimes remains on the screen in 1.8.6
- #2197 Poor INFORMATION_SCHEMA.TABLES querying performance in DB list_tables() and table_exists()
- #2196 Subjects escaped twice in newreply.php
- #2191 Issue with user awaiting activation
- #2183 subscriptionkey unnecessary?
- #2147 Task Manager does not work
- #2142 Hide "Last Post" for password-protected forums by default
- #2132 video codes may not be loaded correctly
- #2128 sessions - useragent column still varchar(100) ?
- #2113 Attachment buttons doubled lined
- #2104 ACP rebuilding thumbnails ignores uploadpath
- #2103 Undefined variable in warnings datahandlers
- #2102 Cache classes and their constructors
- #2101 MailHandler accesses variables defined in SMTP
- #2096 1.8 upgrade on page header javascript format error
- #2090 $post['button_find'] doesn't check for permissions.
- #2089 Large backups, greater than PHP memory limit, fail
- #2088 New thread redirect is wrong.
- #2085 UserDataHandler::clear_profile
- #2081 Wrong label & tooltip for "New Posts" icon beneath "Subscribed Threads" list
- #2074 Rating an unapproved post
- #2072 Last Post Issue
- #2071 Inline moderation on classic mode.
- #2069 Search by Username container width
- #2068 HTML allowed - some weird replacements
- #2064 Inducing PHP Warning in User management
- #2051 Wrong is_member() negation
- #2046 URL improvements for Gravatar
- #2043 Use protocol relative URLs for video MyCode
- #2042 Skype status icon broken
- #2036 warnings.php wrong $lang-> for errors
- #1992 send_pm bug in ACP
- #1989 IP Search shows moderators thread titles even if they have no permission there.
- #1982 Missing $lang->error_invalidsearch
- #1981 $this->delete_uids can be empty and throw SQL error
- #1980 Nonexistent usernames cause invalid SQL on Search
- #1974 Weird default user pruning task value
- #1947 checkbox setting type doesn't work as expected.
- #1885 Who Posted not considering soft deleted posts.
- #1832 Numeric fields - default values lower than minimum
- #1817 managegroups.php pagination
- #1807 search.php doesn't consider canviewdeleted mod permission
- #1797 Database optimization v2
- #1578 PM subscriptions wrong username
- #1567 It's impossible to send a PM to a user with a short username
- #1395 SQL error in Admin Permissions -> User Permissions