• Welcome to ForumKorner!
    Join today and become a part of the community.

On MyBB 1.6.3

Anxiety

User is banned.
Joined
Mar 19, 2011
Posts
3,338
Reacts
0
Reputation
0
Credits
0
Apparently there was a big security error in 1.6.2 and was exploitable. I want to thank Demise for letting me know, since I had no idea 1.6.3 was released already. He shouted at me until I was on 1.6.3 so yeah, here we go. No real need to announce this, but thought I'd let people know and give Demise some credits :wink:.

-Crayo
 

George

Active Member
Joined
Mar 19, 2011
Posts
636
Reacts
0
Reputation
0
Credits
0
It's good news for Internet Explorer 9 users, since 1.6.3 fixes 3 javascript issues, related to user login, posting and deleting posts, also fixes a MySQL 5.5 issue and potential security hole with search,php

I had to update 26 MyBB forums yesterday, 15 people who paid, rest were friend's forums, took hours.
 

George

Active Member
Joined
Mar 19, 2011
Posts
636
Reacts
0
Reputation
0
Credits
0
Noreturn said:
Umm thats interesting because when they release it they said it was so much more secure then the .1 version.. Now they are saying it's unsecured. Anyways good news for all like George already said.
Click to expand...

When were they saying it's unsecure? If it was unsecure, the development team wouldn't release it. You wouldn't hear that from the MyBB team.
 

Flow'n

Active Member
Joined
Mar 19, 2011
Posts
2,779
Reacts
0
Reputation
0
Credits
0
No duh Geogre.

Crayo didn't flat out say it was unsecure but they said:
apparently there was a big security error in 1.6.2 and was exploitable
Click to expand...

So basically its unsecure but you can still use it but it's not the best when theres a better version.

Anyways back on topic.
 

George

Active Member
Joined
Mar 19, 2011
Posts
636
Reacts
0
Reputation
0
Credits
0
'Although this is not a security issue, and no SQL injection possibilities have been found, the exposure of the error should be prevented. Note that this only affects "Standard" search systems, and not "Fulltext" search systems.'

So your saying Tom Moore (A developer at MyBB) was lieing to us?
 

George

Active Member
Joined
Mar 19, 2011
Posts
636
Reacts
0
Reputation
0
Credits
0
Noreturn said:
Anyways back on topic.
Click to expand...

The topic is that we were updated to version mybb 1.6.3 no comments about how secure it is and crap like that.
Click to expand...

It would be nice if you could at least admit you were wrong and don't have a clue what your talking about.
 

Spaz

Member
Joined
Mar 19, 2011
Posts
411
Reacts
0
Reputation
0
Credits
0
Actually NoReturn is not wrong, it isn't as secure as the .3 according to demise. I don't know exactly but going on this topic and the information posted here it seems .2 isn't as secure as .3, therefore NoReturn isn't wrong in saying it's unsecure, in comparison to .3

No need to go offtopic, we moved onto .3, no need to argue about security here.
 

George

Active Member
Joined
Mar 19, 2011
Posts
636
Reacts
0
Reputation
0
Credits
0

It wasn't unsecure though, a MyBB developer knows a lot more than Demise does regarding to MyBB.
 

George

Active Member
Joined
Mar 19, 2011
Posts
636
Reacts
0
Reputation
0
Credits
0
So what does everything think of the updates to the 1.6x series so far? - Don't delete this, it's not related to security..It's discussion about the update.
 

Anxiety

User is banned.
Joined
Mar 19, 2011
Posts
3,338
Reacts
0
Reputation
0
Credits
0
I'll fix all of your comments. There was a SQL Vulnerability in 1.6.2 not in search.php. I won't reveal where it is. Mybb 1.6.3 has patched that up, and is also now compatible with MySQL 5.5.

http://blog.mybb.com/2011/04/17/mybb-1-6-3-and-1-4-16-security-update/

Read that before any of you start saying one is more secure than the other. 1.6.3 is obviously more secure than 1.6.2.
 

The Elite

Member
Joined
Apr 5, 2011
Posts
14
Reacts
0
Reputation
0
Credits
0

And I quote, "This high risk vulnerability is an SQL injection relating to xxx.php, where carefully crafting axxxxx cookie can lead a malicious user to inject SQL via the "xxxx" action."

From a developer himself.
 
You must log in or register to reply here.
Menu
Log in
Register