+--------------------------------------------------------------------------------+
| MyBB 1.2.14 - Security Update Patch File                                       |
| (c) 2008 MyBB Group.                                                           |
|                                                                                |
| This patch file fixes some medium- and low-risk issues in MyBB 1.2.14          |
|                                                                                |
| Please follow the instructions below to patch your board manually.             |
+--------------------------------------------------------------------------------+

===============
1. announcements.php
===============

Find:
--
$lang->forum_announcement = sprintf($lang->forum_announcement, $announcementarray['subject']);
--

Replace with:
--
$lang->forum_announcement = sprintf($lang->forum_announcement, htmlspecialchars_uni($announcementarray['subject']));
--

===============
2. inc/functions.php
===============

Find:
--
function join_usergroup($uid, $joingroup)
{
	global $db;
--

Add After:
--
	$uid = intval($uid);
--

Also Find:
--
function leave_usergroup($uid, $leavegroup)
{
	global $db, $mybb;
--

Add After:
--
	$uid = intval($uid);
--

Also Find:
--
		elseif(isset($_ENV['QUERY_STRING']))
		{
			$location = "?".$_ENV['QUERY_STRING'];
		}
	}
--

Add After:
--
	$location = htmlspecialchars_uni($location);
--

Also Find:
--
$addloc[] = $var.'='.$_POST[$var];
--

Replace with:
--
$addloc[] = urlencode($var).'='.urlencode($_POST[$var]);
--

================
3. inc/datahandlers/post.php
================

Find:
--
$query = $db->simple_select(TABLE_PREFIX."posts", "pid", "pid='{$post['replyto']}'");
--

Replace with:
--
$query = $db->simple_select(TABLE_PREFIX."posts", "pid", "pid='".intval($post['replyto'])."'");
--

===============
4. polls.php
===============

Find:
--
$votesql .= "('".$poll['pid']."','".$mybb->user['uid']."','$voteoption','$now')";
--

Replace with:
--
$votesql .= "('".$poll['pid']."','".$mybb->user['uid']."','".$db->escape_string($voteoption)."','$now')";
--

===============
5. attachments.php
===============

Find:
--
if($ext == "txt" || $ext == "htm" || $ext == "html" || $ext == "pdf")
--

Replace with:
--
if(strpos(strtolower($_SERVER['HTTP_USER_AGENT']), "msie") !== false && strpos($attachment['filetype'], "image") === false)
--

Note: the new condition keys on the client-supplied User-Agent header, so treat it as a best-effort mitigation rather than a strict check.

===============
6. usercp.php
===============

Find:
--
$aids = $db->escape_string(implode(",", $mybb->input['attachments']));
--

Replace with:
--
$aids = implode(',', array_map('intval', $mybb->input['attachments']));
--

ALL DONE