MyBB 1.6.10
22 April 2013
MyBB version 1.6.10 is now available (security release).
Upgrading to MyBB 1.6.10
MyBB 1.6.10 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MyBB updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MyBB install to test the 1.6.10 upgrade prior to applying it live.
What's New in MyBB 1.6.10
This release fixes 7 vulnerabilities and over 95 reported issues causing incorrect functionality of MyBB.
A considerable amount of effort has been put into MyBB 1.6.10 to fix a myriad of issues with PHP 5.4. This is the main reason why the release has been delayed until now. MyBB 1.6.10 should now be compatible with PHP 5.4 hosts.
Vulnerabilities:
- Low Risk: Potential SQL Injection when optimizing the database – reported by Jakub Galczyk
- Low Risk: Potential SQL Injection when creating the database backups – reported by StefanT
- Low Risk: Potential XSS vulnerability in theme name – reported by pandaa
- Low Risk: Improper permission checks for forums where you can only see your own threads – reported by Jordan Mussi and StefanT
- Non Critical: XSS vulnerability on debug page – reported by 1llusion
- Non Critical: Improper input validation in modcp.php – reported by 1llusion
- Non Critical: Improper input validation in calendar.php – reported by Jakub Galczyk
Fixed issues in 1.6.10:
- Bug #798: Moderated Users get no Message on new Thread
- Bug #956: Quote tags don't work if username contains a ]
- Bug #1309: 'caneditattachments' not checked anywhere
- Bug #1489: Archive mode and SE friendly URLs
- Bug #1587: Clear cookies link in Help section
- Bug #1672: Feeds not working with 'can only view own threads'
- Bug #1739: Inconsistent behaviour in autocomplete.js
- Bug #1748: inline-edit.js cancel (escape) doesn't work
- Bug #1751: Unapproved posts are edit-/deletable
- Bug #1760: Invalid poll showing invalid forum
- Bug #1841: Self Rep is Disabled so ...
- Bug #1848: events don't show up in calendar
- Bug #1858: $lang->all_selected on search.php
- Bug #1865: Admin cp "Show Referrers" issue
- Bug #1867: Move Event language bug
- Bug #1868: Moderation redirects should respect SEF URLs
- Bug #1872: Private Messaging folder names and htmlspecialchars_uni()
- Bug #1876: User CP language error bug
- Bug #1881: Mod CP Add Announcement has wrong title
- Bug #1888: Poll Show Results Total Votes
- Bug #1892: Akismet plugin page has a double colon
- Bug #1897: Unneeded query within usercp.php
- Bug #1898: Unnecessary htmlspecialchars_uni() usage in usercp.php
- Bug #1899: Admin CP language management - PHP warning on invalid file
- Bug #1904: Orphaned attachments never show up, and a wrong message appears
- Bug #1911: Issues with PM Export (Download Messages)
- Bug #1921: ip search on ipv4 addresses above 127.*.*.* fail
- Bug #1923: GIF transparency in functions_image.php (MyBB 1.6.5)
- Bug #1947: File verification issue
- Bug #1948: Add to ignore list shows success message on failure
- Bug #1968: PHP warning after saving Preferences
- Bug #1969: PHP warning while adding multiple post icons
- Bug #1970: MSN Bot is retired
- Bug #1977: Lang Bug datahander.lang.php
- Bug #1979: Incorrect language string used with sign-in attempt captcha
- Bug #1986: Found two unnecessary error templates
- Bug #1989: Incorrect "Default User Title" in Profile Editor
- Bug #1990: No error message for wrong dates in announcement add/edit
- Bug #1991: Dead link "Download AIM"
- Bug #2006: No recipient in Sent Items PM folder
- Bug #2007: Try access to undeclared array fields in DefaultTable class
- Bug #2010: is_dst deprecated in PHP 5.1
- Bug #2012: PHP warning in functions_calendar.php
- Bug #2013: SQL error on Poll edit
- Bug #2017: wrong chronological order at multiquote
- Bug #2020: Thread Ratings are not deleted when thread is deleted
- Bug #2021: modcp.php and Multipages
- Bug #2024: N/A thread subject in modcp -> allreports (MyBB 1.6.8)
- Bug #2025: get_current_location($fields=true) not handled properly
- Bug #2027: $newpmmsg never set anywhere
- Bug #2028: SAPI_NAME constant?
- Bug #2029: IN_ARCHIVE constant not checked correctly
- Bug #2030: lastip_add undefined
- Bug #2031: $orderarrow['rating'] is never set
- Bug #2032: $tid confusion
- Bug #2033: $allselected never defined
- Bug #2038: 'Can track sent private messages?' setting is not having the desired effect
- Bug #2042: Last Post and View Only Own Threads
- Bug #2049: Errors when changing announcements
- Bug #2050: Inline styles within HTML Posts
- Bug #2055: [size] ignored when used with [align] on quick edit
- Bug #2060: When changing default sorting option from "last post" to something else, pagination no longer works when viewing forum by "last post" sorting
- Bug #2068: Per-Page Property In Edit Mass Mailing Does not Save.
- Bug #2069: Errors in PHP 5.4.4-2 Linux (Debian)
- Bug #2073: Upgrade <= 1.4.4 fails
- Bug #2074: Delayed Moderation does not show properly in queue (thread notes)
- Bug #2076: SQL error on "subscriptions"
- Bug #2077: Lack of validation when updating birthday privacy options
- Bug #2079: last visit doesn't use localized comma
- Bug #2081: Archive No Permissions page does not register correctly on WOL
- Bug #2087: Portal does not consider empty FID list for announcements, thus wastes one query
- Bug #2088: memory_get_peak_usage() problems
- Bug #2091: Editing announcements with an error makes the date disappear.
- Bug #2096: Banned user's username not in mod logs when updating a ban and wrong action
- Bug #2097: Word censor in replying to PMs
- Bug #2098: Loading language as datahandler is bugged.
- Bug #2106: Diff Report error.
- Bug #2107: Typo in search.php for lock icon
- Bug #2108: Search Bug with Limits
- Bug #2111: SQL error in class_moderation.php
- Bug #2113: Illegal string offset in get_forum_lightbulb function
- Bug #2114: New/Imported templates not checked for vulnerabilities
- Bug #2117: COPPA form - hardcoded "Date"
- Bug #2119: Captcha and Preview Post
- Bug #2120: Captcha while Login
- Bug #2121: Update 3rd Party Libraries
- Bug #2138: posthash optimization
- Bug #2145: Unable to connect to mail server HTML sanitization
- Bug #2148: User research - unescaped text
- Bug #2152: Video MyCode update
- Bug #2153: Who's online list not working
- Bug #2180: PHP errors when attempting to send Mass Mail
- Feature #1726: Spam Ninja Updates
- Feature #2147: Verify_recipient() runs one query per user