+--------------------------------------------------------------------------------+
| MyBB 1.4 - Security Update Patch File                                          |
| (c) 2008 MyBB Group.                                                           |
|                                                                                |
| This patch file fixes some medium- and low-risk issues in MyBB 1.4             |
|                                                                                |
| Please follow the instructions below to patch your board manually.             |
+--------------------------------------------------------------------------------+

===============
1. global.php
===============

Find:
--
if($mybb->user['pms_unread'] == 1)
{
	$privatemessage_text = $lang->sprintf($lang->newpm_notice_one, get_profile_link($pm['fromuid']), $pm['fromusername'], $pm['pmid'], $pm['subject']);
}
else
{
	$privatemessage_text = $lang->sprintf($lang->newpm_notice_multiple, $mybb->user['pms_unread'], get_profile_link($pm['fromuid']), $pm['fromusername'], $pm['pmid'], $pm['subject']);
}
--

Replace with:
--
if($mybb->user['pms_unread'] == 1)
{
	$privatemessage_text = $lang->sprintf($lang->newpm_notice_one, get_profile_link($pm['fromuid']), htmlspecialchars_uni($pm['fromusername']), $pm['pmid'], htmlspecialchars_uni($pm['subject']));
}
else
{
	$privatemessage_text = $lang->sprintf($lang->newpm_notice_multiple, $mybb->user['pms_unread'], get_profile_link($pm['fromuid']), htmlspecialchars_uni($pm['fromusername']), $pm['pmid'], htmlspecialchars_uni($pm['subject']));
}
--

===============
2. announcements.php
===============

Find:
--
$lang->forum_announcement = $lang->sprintf($lang->forum_announcement, $announcementarray['subject']);
--

Replace with:
--
$lang->forum_announcement = $lang->sprintf($lang->forum_announcement, htmlspecialchars_uni($announcementarray['subject']));
--

===============
3. admin/inc/class_page.php
===============

Find:
--
$query_string = htmlspecialchars_uni($query_string);
}
--

Add After:
--
$_SERVER['PHP_SELF'] = htmlspecialchars_uni($_SERVER['PHP_SELF']);
--

===============
4.
inc/functions.php
===============

Find:
--
function join_usergroup($uid, $joingroup)
{
	global $db;
--

Add After:
--
	$uid = intval($uid);
--

Also Find:
--
function leave_usergroup($uid, $leavegroup)
{
	global $db, $mybb;
--

Add After:
--
	$uid = intval($uid);
--

Also Find:
--
	$location = $_SERVER['PHP_SELF'];
}
--

Add After:
--
$location = htmlspecialchars_uni($location);
--

Also Find:
--
if(isset($_SERVER['QUERY_STRING']))
{
	$location .= "?".$_SERVER['QUERY_STRING'];
}
else if(isset($_ENV['QUERY_STRING']))
{
	$location = "?".$_ENV['QUERY_STRING'];
}
--

Replace with:
--
if(isset($_SERVER['QUERY_STRING']))
{
	$location .= "?".htmlspecialchars_uni($_SERVER['QUERY_STRING']);
}
else if(isset($_ENV['QUERY_STRING']))
{
	$location .= "?".htmlspecialchars_uni($_ENV['QUERY_STRING']);
}
--

Also Find:
--
$addloc[] = $var.'='.$_POST[$var];
--

Replace with:
--
$addloc[] = urlencode($var).'='.urlencode($_POST[$var]);
--

================
5. inc/datahandlers/post.php
================

Find:
--
array_walk($gids, 'intval');
--

Replace with:
--
$gids = array_map('intval', $gids);
--

(array_walk() passes each element to intval() by value and discards the return value, so the original line never changed $gids; array_map() assigns the cast values back. The same reasoning applies to the array_walk() replacements in sections 9, 10 and 11.)

Also Find:
--
$query = $db->simple_select("posts", "pid", "pid='{$post['replyto']}'");
--

Replace with:
--
$query = $db->simple_select("posts", "pid", "pid='".intval($post['replyto'])."'");
--

===============
6. inc/class_error.php
===============

Find:
--
if(!headers_sent())
{
	@header("Content-type: text/html; charset={$charset}");
--

Add After:
--
	$_SERVER['PHP_SELF'] = htmlspecialchars_uni($_SERVER['PHP_SELF']);
--

===============
8.
polls.php
===============

Find around line 165:
--
if($postoptions['multiple'] != 1)
{
	$postoptions['multiple'] = 0;
}
if($postoptions['public'] != 1)
{
	$postoptions['public'] = 0;
}
--

Replace with:
--
if($postoptions['multiple'] != '1')
{
	$postoptions['multiple'] = 0;
}
if($postoptions['public'] != '1')
{
	$postoptions['public'] = 0;
}
--

Also find around line 464:
--
if($postoptions['multiple'] != 1)
{
	$postoptions['multiple'] = 0;
}
if($postoptions['public'] != 1)
{
	$postoptions['public'] = 0;
}
if($postoptions['closed'] != 1)
{
	$postoptions['closed'] = 0;
}
--

Replace with:
--
if($postoptions['multiple'] != '1')
{
	$postoptions['multiple'] = 0;
}
if($postoptions['public'] != '1')
{
	$postoptions['public'] = 0;
}
if($postoptions['closed'] != '1')
{
	$postoptions['closed'] = 0;
}
--

Also find around line 793:
--
$votesql .= "('".$poll['pid']."','".$mybb->user['uid']."','$voteoption','$now')";
--

Replace with:
--
$votesql .= "('".$poll['pid']."','".$mybb->user['uid']."','".$db->escape_string($voteoption)."','$now')";
--

==============
9. moderation.php
==============

Find both instances:
--
array_walk($posts, 'intval');
--

Replace both with:
--
$posts = array_map('intval', $posts);
--

Also Find:
--
array_walk($threads, 'intval');
--

Replace with:
--
$threads = array_map('intval', $threads);
--

==============
10. inc/class_moderation.php
==============

Find ALL instances (5 instances):
--
array_walk($pids, 'intval');
--

Replace ALL with:
--
$pids = array_map('intval', $pids);
--

Also Find ALL instances (11 instances):
--
array_walk($tids, 'intval');
--

Replace ALL with:
--
$tids = array_map('intval', $tids);
--

===============
11.
usercp.php
===============

Find:
--
array_walk($mybb->input['check'], 'intval');
--

Replace with:
--
$mybb->input['check'] = array_map('intval', $mybb->input['check']);
--

Also Find:
--
$aids = $db->escape_string(implode(",", $mybb->input['attachments']));
--

Replace with:
--
$aids = implode(',', array_map('intval', $mybb->input['attachments']));
--

===============
12. attachments.php
===============

Find:
--
if($ext == "txt" || $ext == "htm" || $ext == "html" || $ext == "pdf")
--

Replace with:
--
if(strpos(strtolower($_SERVER['HTTP_USER_AGENT']), "msie") !== false && strpos($attachment['filetype'], "image") === false)
--

===============
13. inc/class_core.php (Version number change)
===============

Find:
--
	/**
	 * The friendly version number of MyBB we're running.
	 *
	 * @var string
	 */
	var $version = "1.4.1";

	/**
	 * The version code of MyBB we're running.
	 *
	 * @var integer
	 */
	var $version_code = 1401;
--

Replace with:
--
	/**
	 * The friendly version number of MyBB we're running.
	 *
	 * @var string
	 */
	var $version = "1.4.2";

	/**
	 * The version code of MyBB we're running.
	 *
	 * @var integer
	 */
	var $version_code = 1402;
--

ALL DONE