MyBB 1.8.8
17 October 2016
MyBB version 1.8.8 is now available (security release).
Upgrading to MyBB 1.8.8
MyBB 1.8.8 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MyBB updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MyBB install to test the 1.8.8 upgrade prior to applying it live.
What's New in MyBB 1.8.8
This release fixes 7 security vulnerabilities and 58 reported issues that caused MyBB to function incorrectly.
Security
- Medium risk: Style import CSS overwrite on Windows servers – reported by patryk
- Medium risk: SQL Injection in the users data handler – reported by afinepl
- Medium risk: SSRF attack in fetch_remote_file() – reported by dawid_golunski
- Medium risk: Possible short name access to ACP backups on Windows servers – reported by kevinoclam
- Low risk: Stored XSS in the ACP – reported by patryk
- Low risk: Loose comparison false positives – reported by Devilshakerz
- Low risk: Possible XSS injection in ACP users module – reported by afinepl
Bugs fixed
- #2473 Bug: No cache handler used on upgrade
- #2466 gender neutral pronoun
- #2462 Bug: SQL error in Attachment Statistics with ONLY_FULL_GROUP_BY enabled
- #2456 Bug: Hash instead of the password at the "forgot my password"
- #2455 Enhancement: Essential HTTPS URL changes for *.mybb.com resources
- #2447 Bug: SQL error on post split with ONLY_FULL_GROUP_BY enabled
- #2446 Bug: Mark All Reports bug
- #2443 Bug: MyBB not respecting https:// URLs of certain resources
- #2436 Bug: Attachment counter wrong after merging posts
- #2434 Bug: missing_username error when editing a deleted user's post
- #2431 Bug: Default avatar broken on ACP when using a full URL
- #2427 Bug: Admin interface issues on IPv6
- #2424 Bug: Fixes #2422 Installation fails on aggressive opcache settings
- #2422 Bug: Installation fails on aggressive opcache settings
- #2421 Enhancement: Send users who click "chmod" somewhere helpful
- #2417 Bug: Upgrade Bug
- #2414 Bug: Swapped MCP banning breadcrumbs
- #2410 Enhancement: Optimise images with a better algorithm than last time
- #2408 Bug: Unclosed cursors leave tables locked on SQLite
- #2405 Bug: Using [img align=X] overlaps with postbit_signature
- #2402 Bug: ACP path not being removed correctly when sending mail
- #2394 Bug: captcha.php using slow CSPRNG
- #2389 Bug: Pictures with custom dimensions higher than 999 not shown
- #2385 Bug: ACP language and button function error
- #2383 Enhancement: Update timezone
- #2378 Bug: Report spam possible with PM/E-mail report medium
- #2377 Bug: Disabled referral system leads to wrong colspan in memberlist
- #2370 Bug: Report notifications ignore moderator groups
- #2363 Enhancement: Per theme default avatar
- #2357 Bug: BMP images don't work for avatars
- #2348 Bug: Useless subscription guest checks in UCP
- #2305 Bug: ACP - statistics page - Stats limit not working
- #2298 Bug: Weird signature validation conditionals
- #2282 Bug: Unlisted "maxreputationsperuser" setting
- #2256 Bug: No smilies/post icons
- #2251 Bug: Bad words not parsed in breadcrumbs etc.
- #2236 Bug: Buddy popup problem when user doesn't have any permissions
- #2228 Bug: SCEditor - Duplicate tags after re-election.
- #2211 Enhancement: .htaccess <IfModule mod_filter.c> set wrong, no gzip for js
- #2167 Bug: Unread indication doesn't work for guests
- #2107 Bug: contact form not stripping html code in emails
- #2057 Bug: PM folder language problem
- #2050 Enhancement: Remove HTML in parser
- #2039 Bug: Message after registration English although different language pack is used
- #2022 Bug: Close Thread doesn't work via reply
- #1988 Bug: Redirect problem with IDN after login
- #1810 Enhancement: jGrowl alert types style
- #1796 Bug: Delayed moderation - time bug
- #1760 Enhancement: Deprecate update_password
- #1729 Bug: Outdated CHMOD wiki link (and more docs.mybb.com links)
- #1672 Enhancement: Attachment System Enhancements
- #1647 Bug: Remove Attachment not working without refresh
- #1631 Bug: usernames should be htmlspecialchars_uni()'d
- #1589 Bug: More proper URL validation
- #1223 Enhancement: Report reasons enhancements
- #1150 Enhancement: Remove hardcoded HTML v2
- #1056 Bug: ACP: Replace hardcoded placeholder language string with an actual language variable
- #298 Bug: Login per E-Mail
- #259 Bug: User who is member of group that moderates certain (not all) forums is not recog...