+--------------------------------------------------------------------------------+
| MyBB 1.6.1 - Security Update Patch File |
| (c) 2010 MyBB Group. |
| |
| This patch file fixes two medium risk security issues with 1.6.1 |
| |
| Please follow the instructions documented to manually patch your board. |
+--------------------------------------------------------------------------------+
===============
1. admin/modules/tools/modlog.php
===============
Find:
--
while($logitem = $db->fetch_array($query)) { $information = ''; $logitem['dateline'] = date("jS M Y, G:i", $logitem['dateline']); $trow = alt_trow(); $username = format_name($logitem['username'], $logitem['usergroup'], $logitem['displaygroup']);
--
Replace with:
--
while($logitem = $db->fetch_array($query)) { $information = ''; $logitem['action'] = htmlspecialchars_uni($logitem['action']); $logitem['dateline'] = date("jS M Y, G:i", $logitem['dateline']); $trow = alt_trow(); $username = format_name($logitem['username'], $logitem['usergroup'], $logitem['displaygroup']);
--
===============
2. 
inc/class_parser.php
===============
Remove:
--
// Remove these completely $message = preg_replace("#\s*]*>\s*#is", "", $message); $message = preg_replace("#\s*]*>\s*#is", "", $message);
--
Find:
--
if($this->options['allow_mycode']) { // Now that we're done, if we split up any code tags, parse them and glue it all back together if(count($code_matches) > 0) { foreach($code_matches as $text) { // Fix up HTML inside the code tags so it is clean if($options['allow_html'] != 0) { $text[2] = $this->parse_html($text[2]); } if(my_strtolower($text[1]) == "code") { $code = $this->mycode_parse_code($text[2]); }
--
Replace with:
--
if($this->options['allow_mycode']) { // Now that we're done, if we split up any code tags, parse them and glue it all back together if(count($code_matches) > 0) { foreach($code_matches as $text) { if(my_strtolower($text[1]) == "code") { $code = $this->mycode_parse_code($text[2]); }
--
Find:
--
if($options['nl2br'] !== 0)
--
Replace with:
--
// Replace meta and base tags in our post - these are > dangerous < if($this->options['allow_html']) { $message = preg_replace_callback("#<((m[^a])|(b[^diloru>])|(s[^aemptu>]))(\s*[^>]*)>#si", create_function( '$matches', 'return htmlspecialchars($matches[0]);' ), $message); } if($options['nl2br'] !== 0)
--
Find:
--
"#(&\#(0*)106;|&\#(0*)74;|j)((&\#(0*)97;|&\#(0*)65;|a)(&\#(0*)118;|&\#(0*)86;|v)(&\#(0*)97;|&\#(0*)65;|a)(\s)?(&\#(0*)115;|&\#(0*)83;|s)(&\#(0*)99;|&\#(0*)67;|c)(&\#(0*)114;|&\#(0*)82;|r)(&\#(0*)105;|&\#(0*)73;|i)(&\#112;|&\#(0*)80;|p)(&\#(0*)116;|&\#(0*)84;|t)(&\#(0*)58;|\:))#i",
--
Replace with:
--
""#(&\#(0*)106;?|&\#(0*)74;?|&\#x(0*)4a;?|&\#x(0*)6a;?|j)((&\#(0*)97;?|&\#(0*)65;?|a)(&\#(0*)118;?|&\#(0*)86;?|v)(&\#(0*)97;?|&\#(0*)65;?|a)(\s)?(&\#(0*)115;?|&\#(0*)83;?|s)(&\#(0*)99;?|&\#(0*)67;?|c)(&\#(0*)114;?|&\#(0*)82;?|r)(&\#(0*)105;?|&\#(0*)73;?|i)(&\#112;?|&\#(0*)80;?|p)(&\#(0*)116;?|&\#(0*)84;?|t)(&\#(0*)58;?|\:))#i",
--
===============
3. 
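Review bot: The tag filter inserted before the `nl2br` check in inc/class_parser.php is a denylist keyed on the first two characters of the tag name, so it does not bound what an HTML-enabled post can carry; tags starting with other letters and attributes on the tags it lets through are untouched, and `allow_html` should still be treated as a trusted-poster setting. The comment says "meta and base tags" while the pattern covers every `<m…>`, `<b…>` and `<s…>` tag outside the listed second letters, and because the character classes exclude `>` but not whitespace, a one-letter tag with attributes such as `<b class=…>` appears to be escaped too; I would reword the comment to `// Escape tags starting with m, b or s unless the second character is allow-listed (covers meta, base, script)`. The callback calls `htmlspecialchars()` where the rest of this patch uses `htmlspecialchars_uni()`, and the guard reads `$this->options['allow_html']` beside `$options['nl2br']`; whether those two arrays are the same is not visible here, so one spelling should be used for both.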
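Review bot: The replacement line for the `javascript:` pattern in inc/class_parser.php opens with a doubled quote (`""#(&\#(0*)106;?…`) where the line it replaces opens with one; pasted literally, PHP would read an empty string followed by a `#` comment, which very likely ends in a parse error or a dropped pattern, so the line should begin with a single `"`. Inside the pattern, hex entity forms are added only for the first letter, and `&\#112;?` still lacks the `(0*)` prefix that every other decimal alternative has, so coverage is uneven from letter to letter. Decoding numeric entities before matching would be sturdier than growing the alternation. The array this line belongs to is outside the snippet.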
jscripts/validator.js
===============
Find:
--
new Ajax.Request(options.url, {method:'post', postBody:"value=" + encodeURIComponent(value) + extra, onComplete: function(request) { this.ajaxValidateComplete(id, options, request); }.bind(this)});
--
Replace with:
--
new Ajax.Request(options.url, {method:'post', postBody:"value=" + encodeURIComponent(value) + extra + "&my_post_key=" + my_post_key, onComplete: function(request) { this.ajaxValidateComplete(id, options, request); }.bind(this)});
--
===============
4. modcp.php
===============
There are two places to change here - each with the same code.
Find the two instances of:
--
while($logitem = $db->fetch_array($query)) { $information = ''; $log_date = my_date($mybb->settings['dateformat'], $logitem['dateline']); $log_time = my_date($mybb->settings['timeformat'], $logitem['dateline']); $trow = alt_trow();
--
Replace each with:
--
while($logitem = $db->fetch_array($query)) { $information = ''; $logitem['action'] = htmlspecialchars_uni($logitem['action']); $log_date = my_date($mybb->settings['dateformat'], $logitem['dateline']); $log_time = my_date($mybb->settings['timeformat'], $logitem['dateline']); $trow = alt_trow();
--
===============
5. 
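Review bot: `my_post_key` is appended to the POST body in jscripts/validator.js as a bare global, so the request now depends on every template that loads this script also defining that variable. On a customised theme where it is missing, the call throws a ReferenceError or sends `undefined`, and with the `verify_post_check()` guard this patch adds to xmlhttp.php the username check would then always fail. I would encode it like the value beside it, `+ "&my_post_key=" + encodeURIComponent(my_post_key)`, and state the template requirement in the instructions. Where `my_post_key` is defined is not visible in this patch.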
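Review bot: The `htmlspecialchars_uni($logitem['action'])` line is pasted into three loops (once in admin/modules/tools/modlog.php, twice in modcp.php) and escapes only at these render sites, so the logged text presumably stays raw in storage and any other code that prints `$logitem['action']` needs the same call. A short comment above each copy would stop a later cleanup from removing it, for example `// action comes from the moderator log as stored; escape before it reaches the template`. The loop bodies continue past the end of each snippet, so how `action` is finally output cannot be confirmed from here.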
xmlhttp.php
===============
Find:
--
else if($mybb->input['action'] == "username_availability") {
--
Replace with:
--
else if($mybb->input['action'] == "username_availability") { if(!verify_post_check($mybb->input['my_post_key'], true)) { xmlhttp_error($lang->invalid_post_code); }
--
Find:
--
$lang->username_taken = $lang->sprintf($lang->username_taken, $username);
--
Replace with:
--
$lang->username_taken = $lang->sprintf($lang->username_taken, htmlspecialchars_uni($username));
--
Find:
--
$lang->username_available = $lang->sprintf($lang->username_available, $username);
--
Replace with:
--
$lang->username_available = $lang->sprintf($lang->username_available, htmlspecialchars_uni($username));
--
Find:
--
else if($mybb->input['action'] == "username_exists") {
--
Replace with:
--
else if($mybb->input['action'] == "username_exists") { if(!verify_post_check($mybb->input['my_post_key'], true)) { xmlhttp_error($lang->invalid_post_code); }
--
Find:
--
$lang->valid_username = $lang->sprintf($lang->valid_username, $username);
--
Replace with:
--
$lang->valid_username = $lang->sprintf($lang->valid_username, htmlspecialchars_uni($username));
--
===============
6. inc/class_core.php
===============
Find:
--
public $version = "1.6.1";
--
Replace with:
--
public $version = "1.6.2";
--
Find:
--
public $version_code = 1601;
--
Replace with:
--
public $version_code = 1602;
--
===============
7. member.php
===============
This edit is originally from 1.6.0 -> 1.6.1 changed files. It is here to ensure the member.php security patch is applied to your forum.
Find:
--
// Redirect to the page where the user came from, but not if that was the login page. if($mybb->input['url'] && !preg_match("/action=login/i", $mybb->input['url'])) { $redirect_url = htmlentities($mybb->input['url']); } elseif($_SERVER['HTTP_REFERER']) { $redirect_url = htmlentities($_SERVER['HTTP_REFERER']); }
--
Replace with:
--
// Redirect to the page where the user came from, but not if that was the login page. 
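Review bot: Both new guards in xmlhttp.php (`username_availability` and `username_exists`) only protect the lookup if `xmlhttp_error()` ends the request; if it merely prints the message, the code below still runs without a valid post key. Its definition is not part of this patch, so that should be confirmed and recorded in a comment such as `// xmlhttp_error() terminates the request; nothing below runs without a valid post key`. `$mybb->input['my_post_key']` is also read without checking that it was sent, which may raise a notice on requests from the old validator.js. The branches continue past the end of each snippet.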
if($_SERVER['HTTP_REFERER'] && strpos($_SERVER['HTTP_REFERER'], "action=login") === false) { $redirect_url = htmlentities($_SERVER['HTTP_REFERER']); } else { $redirect_url = ''; }
--
ALL DONE
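Review bot: The member.php replacement still takes the post-login target from `$_SERVER['HTTP_REFERER']`, a header set by whichever page linked to the login form, and `htmlentities()` only makes the value safe to print, not safe to follow. The value should be checked against the board's own URL before it is used, falling back to `''` otherwise. The `strpos()` test is case-sensitive where the removed `preg_match()` used `/i`, and the header is read without an existence check; `if(!empty($_SERVER['HTTP_REFERER']) && stripos($_SERVER['HTTP_REFERER'], "action=login") === false)` keeps the old matching and avoids the notice. How `$redirect_url` is consumed lies outside this snippet.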