
On MyBB 1.6.3

Anxiety

User is banned.
Reputation
0
Apparently there was a big security error in 1.6.2 and was exploitable. I want to thank Demise for letting me know, since I had no idea 1.6.3 was released already. He shouted at me until I was on 1.6.3 so yeah, here we go. No real need to announce this, but thought I'd let people know and give Demise some credits :wink:.

-Crayo
 

GameOver

User is banned.
Reputation
0
Thanks Demise for helping Crayo on MyBB 1.6.3 :smile:
 

George

Active Member
Reputation
0
It's good news for Internet Explorer 9 users, since 1.6.3 fixes 3 JavaScript issues related to user login, posting and deleting posts. It also fixes a MySQL 5.5 issue and a potential security hole with search.php.

I had to update 26 MyBB forums yesterday, 15 people who paid, the rest were friends' forums. It took hours.
 

George

Active Member
Reputation
0
Noreturn said:
Umm, that's interesting, because when they released it they said it was so much more secure than the .1 version. Now they are saying it's unsecured. Anyways, good news for all, like George already said.

When were they saying it's unsecure? If it was unsecure, the development team wouldn't release it. You wouldn't hear that from the MyBB team.
 

Flow'n

Active Member
Reputation
0
No duh, George.

Crayo didn't flat out say it was unsecure but they said:
apparently there was a big security error in 1.6.2 and was exploitable

So basically it's unsecure, but you can still use it. It's just not the best when there's a better version.

Anyways back on topic.
 

George

Active Member
Reputation
0
'Although this is not a security issue, and no SQL injection possibilities have been found, the exposure of the error should be prevented. Note that this only affects "Standard" search systems, and not "Fulltext" search systems.'

So you're saying Tom Moore (a developer at MyBB) was lying to us?
 

George

Active Member
Reputation
0
Noreturn said:
Anyways back on topic.

The topic is that we were updated to version MyBB 1.6.3, no comments about how secure it is and crap like that.

It would be nice if you could at least admit you were wrong and don't have a clue what you're talking about.
 

Spaz

Member
Reputation
0
Actually NoReturn is not wrong, it isn't as secure as the .3 according to demise. I don't know exactly but going on this topic and the information posted here it seems .2 isn't as secure as .3, therefore NoReturn isn't wrong in saying it's unsecure, in comparison to .3

No need to go offtopic, we moved onto .3, no need to argue about security here.
 

George

Active Member
Reputation
0
Spaz said:
Actually NoReturn is not wrong, it isn't as secure as the .3 according to demise. I don't know exactly but going on this topic and the information posted here it seems .2 isn't as secure as .3, therefore NoReturn isn't wrong in saying it's unsecure, in comparison to .3

No need to go offtopic, we moved onto .3, no need to argue about security here.

It wasn't unsecure though, a MyBB developer knows a lot more than Demise does regarding to MyBB.
 

George

Active Member
Reputation
0
So what does everyone think of the updates to the 1.6x series so far? Don't delete this, it's not related to security. It's discussion about the update.
 

Anxiety

User is banned.
Reputation
0
I'll fix all of your comments. There was a SQL Vulnerability in 1.6.2 not in search.php. I won't reveal where it is. MyBB 1.6.3 has patched that up, and is also now compatible with MySQL 5.5.

http://blog.mybb.com/2011/04/17/mybb-1-6-3-and-1-4-16-security-update/

Read that before any of you start saying one is more secure than the other. 1.6.3 is obviously more secure than 1.6.2.
 

The Elite

Member
Reputation
0
George said:
Spaz said:
Actually NoReturn is not wrong, it isn't as secure as the .3 according to demise. I don't know exactly but going on this topic and the information posted here it seems .2 isn't as secure as .3, therefore NoReturn isn't wrong in saying it's unsecure, in comparison to .3

No need to go offtopic, we moved onto .3, no need to argue about security here.

It wasn't unsecure though, a MyBB developer knows a lot more than Demise does regarding to MyBB.

And I quote, "This high risk vulnerability is an SQL injection relating to xxx.php, where carefully crafting axxxxx cookie can lead a malicious user to inject SQL via the "xxxx" action."

From a developer himself.
 