Users are advised to update, but not before making a backup

Feb 10, 2012 08:35 GMT  ·  By

The developers of the open-source forum script have released MyBB 1.6.6, a security update for the 1.6 series that addresses one major and fourteen low-risk issues affecting users of earlier releases.

One of the non-critical holes closed in this release concerned importing a non-CSS stylesheet: before the update, imported theme files were not checked to confirm they were actually CSS, the only file type a theme is supposed to contain.
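The check the paragraph describes, as an added example rather than MyBB's own importer code: before a stylesheet is written into a theme directory, constrain the file name to a plain basename ending in .css and reject content that is not plausibly CSS. Function names, the target directory and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example, not MyBB code: validate a theme stylesheet before storing it.
// Function names and the theme directory are hypothetical.

function validate_stylesheet_name(string $name): bool
{
    // A simple basename with a single .css extension: no path separators, no
    // double extensions such as "x.php.css", nothing a web server would execute.
    // \z (not $) so a trailing newline in the name cannot slip past the check.
    return preg_match('/^[a-z0-9_-]{1,64}\.css\z/i', $name) === 1;
}

function validate_stylesheet_content(string $css): bool
{
    // Must be valid UTF-8 text.
    if (preg_match('//u', $css) !== 1) {
        return false;
    }
    // Reject PHP open tags and HTML/script markup, none of which belongs in CSS.
    if (preg_match('/<\?|<script|<\/?[a-z][a-z0-9]*[\s>\/]/i', $css) === 1) {
        return false;
    }
    // CSS is rule sets "selector { declarations }" or @-rules: require at least
    // some content once comments are stripped, and balanced braces.
    $stripped = trim(preg_replace('#/\*.*?\*/#s', '', $css));
    if ($stripped === '' || substr_count($stripped, '{') !== substr_count($stripped, '}')) {
        return false;
    }
    return true;
}

function import_stylesheet(string $theme_dir, string $name, string $css): string
{
    if (!validate_stylesheet_name($name)) {
        throw new InvalidArgumentException("rejected stylesheet name: $name");
    }
    if (!validate_stylesheet_content($css)) {
        throw new InvalidArgumentException("not a CSS stylesheet: $name");
    }
    // $name is already limited to "basename.css", so it cannot escape $theme_dir.
    $path = $theme_dir . DIRECTORY_SEPARATOR . $name;
    file_put_contents($path, $css);
    return $path;
}

// Constructed sample inputs.
$dir = sys_get_temp_dir();
echo import_stylesheet($dir, 'global.css', "/* site */\nbody { color: #000; }\n"), "\n";
foreach ([['shell.php', "<?php echo 1; ?>"], ['evil.css', "<script>alert(1)</script>"], ['../x.css', "a { color: red; }"]] as [$n, $c]) {
    try {
        import_stylesheet($dir, $n, $c);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

The content check is deliberately a denylist plus structural sanity rather than a full CSS parser; the name check is the part that matters most, because a file name the importer trusts decides both where the file lands and the extension it is served with.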

Other low-risk issues were CSRF vulnerabilities on the Admin CP logout, when clearing a stored password, when removing a buddy, and when handling Admin CP join requests.

Three similar flaws were identified in the Admin CP: enabling or disabling Group Promotions and activating a user were both open to CSRF, and avatars could be changed without the required permission.

Cross-site scripting (XSS) vulnerabilities were also present in earlier versions. They affected moving an event in the Calendar, the Akismet plugin, User CP Forum Subscriptions, Mod CP Moderator Logs, editing attachments in posts, and Mod CP Edit Announcement.

“These vulnerabilities are exposed either as an unsanitized variable used in the templates/output or attempting to prompt an Administrator into performing actions they never intended to do,” the release notes state.
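The two root causes the release notes name, as an added example that is not MyBB's code: a state-changing handler (here, removing a buddy) that acts on any request, beside one that demands a POST with a valid per-session token, and a template sink that echoes a user-supplied title raw beside one that escapes it. The `my_post_key` and `verify_post_check` names follow MyBB's convention, but the implementation, the session secret and the sample requests are constructed for this illustration.

```php
<?php
// Added example, not MyBB code. Names mirror MyBB's convention but the
// implementation is stand-alone; the session secret and requests are constructed.

// --- CSRF: token derived from a per-session secret, compared in constant time ---
function csrf_token(string $session_secret): string
{
    return hash_hmac('sha256', 'post_check', $session_secret);
}

function verify_post_check(string $session_secret, ?string $submitted): bool
{
    return $submitted !== null && hash_equals(csrf_token($session_secret), $submitted);
}

// Vulnerable: any request that names a uid removes the buddy, so a cross-site
// form or an <img src=...> pointing at this URL performs the action for the victim.
function remove_buddy_vulnerable(array $request, array &$buddies): bool
{
    unset($buddies[(int) ($request['uid'] ?? 0)]);
    return true;
}

// Fixed: only a POST carrying the session's token may change state.
function remove_buddy_fixed(string $method, array $request, string $session_secret, array &$buddies): bool
{
    if ($method !== 'POST' || !verify_post_check($session_secret, $request['my_post_key'] ?? null)) {
        return false;
    }
    unset($buddies[(int) ($request['uid'] ?? 0)]);
    return true;
}

// --- XSS: escape at the output sink, not somewhere upstream ---
function announcement_row_vulnerable(string $title): string
{
    return "<td>$title</td>";
}

function announcement_row_fixed(string $title): string
{
    return '<td>' . htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed sample session and requests.
$secret  = bin2hex(random_bytes(16));
$buddies = [7 => 'alice', 9 => 'bob'];
$forged  = ['uid' => '7'];                                        // no token: cross-site origin
$legit   = ['uid' => '7', 'my_post_key' => csrf_token($secret)];  // token from the user's own page

$b = $buddies;
remove_buddy_vulnerable($forged, $b);
echo 'vulnerable handler, forged request, buddy 7 still present: ', var_export(isset($b[7]), true), "\n";

$b = $buddies;
echo 'fixed handler, forged POST accepted: ', var_export(remove_buddy_fixed('POST', $forged, $secret, $b), true), "\n";
echo 'fixed handler, forged GET with token accepted: ', var_export(remove_buddy_fixed('GET', $legit, $secret, $b), true), "\n";
echo 'fixed handler, legitimate POST accepted: ', var_export(remove_buddy_fixed('POST', $legit, $secret, $b), true), "\n";

$title = '<script>alert(document.cookie)</script>';
echo announcement_row_vulnerable($title), "\n";
echo announcement_row_fixed($title), "\n";
```

Rejecting a GET even when it carries a valid token matters because a token can leak through a referer header or a logged URL; requiring POST plus the token keeps both of the classes above out of a handler that changes state.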

A notable bug fixed in MyBB 1.6.5 concerned announcements in forums and sub-forums disappearing, which meant that assigning an announcement to a category had no effect.

Before updating to the latest version of MyBB, users are advised to back up all forum files and the database so that nothing is lost during the transition. Any customizations, such as edited core files, should be recorded in a changelog and re-applied after the upgrade, since the upgrade replaces those files.

MyBB 1.6.6 is available for download here.