+--------------------------------------------------------------------------------+
| MyBB 1.6.1 - Security Update Patch File |
| (c) 2010 MyBB Group. |
| |
| This patch file fixes two medium-risk security issues in MyBB 1.6.1. |
| |
| Please follow the instructions below to manually patch your board. |
+--------------------------------------------------------------------------------+
===============
1. admin/modules/tools/modlog.php
===============
Find:
--
while($logitem = $db->fetch_array($query))
{
$information = '';
$logitem['dateline'] = date("jS M Y, G:i", $logitem['dateline']);
$trow = alt_trow();
$username = format_name($logitem['username'], $logitem['usergroup'], $logitem['displaygroup']);
--
Replace with:
--
while($logitem = $db->fetch_array($query))
{
$information = '';
$logitem['action'] = htmlspecialchars_uni($logitem['action']);
$logitem['dateline'] = date("jS M Y, G:i", $logitem['dateline']);
$trow = alt_trow();
$username = format_name($logitem['username'], $logitem['usergroup'], $logitem['displaygroup']);
--
===============
2. inc/class_parser.php
===============
Remove:
--
// Remove these completely
$message = preg_replace("#\s*]*>\s*#is", "", $message);
$message = preg_replace("#\s*]*>\s*#is", "", $message);
--
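Review bot: The two `preg_replace` patterns in this Remove block read `#\s*]*>\s*#is` on both lines, which looks like the tag part of each pattern was stripped when this page was rendered, so a literal search for these lines will not match anything in inc/class_parser.php. Locate the block by its `// Remove these completely` comment instead and remove that comment together with the two `preg_replace` calls directly beneath it. Judging from the "meta and base tags" comment in the replacement code later in this section, these are presumably the calls that strip those two tags; confirm against your own copy of the file before deleting.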
Find:
--
if($this->options['allow_mycode'])
{
// Now that we're done, if we split up any code tags, parse them and glue it all back together
if(count($code_matches) > 0)
{
foreach($code_matches as $text)
{
// Fix up HTML inside the code tags so it is clean
if($options['allow_html'] != 0)
{
$text[2] = $this->parse_html($text[2]);
}
if(my_strtolower($text[1]) == "code")
{
$code = $this->mycode_parse_code($text[2]);
}
--
Replace with:
--
if($this->options['allow_mycode'])
{
// Now that we're done, if we split up any code tags, parse them and glue it all back together
if(count($code_matches) > 0)
{
foreach($code_matches as $text)
{
if(my_strtolower($text[1]) == "code")
{
$code = $this->mycode_parse_code($text[2]);
}
--
Find:
--
if($options['nl2br'] !== 0)
--
Replace with:
--
// Replace meta and base tags in our post - these are > dangerous <
if($this->options['allow_html'])
{
$message = preg_replace_callback("#<((m[^a])|(b[^diloru>])|(s[^aemptu>]))(\s*[^>]*)>#si", create_function(
'$matches',
'return htmlspecialchars($matches[0]);'
), $message);
}
if($options['nl2br'] !== 0)
--
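Review bot: The filter added under `allow_html` is a denylist keyed on the first two letters of a tag name, so it only neutralises the tags it happens to match; everything else in an HTML-enabled post, attributes included, passes through unchanged, and `allow_html` should therefore stay limited to trusted groups. The callback is built with `create_function()`, which compiles a string at runtime and was deprecated in PHP 7.2 and removed in PHP 8.0; on PHP 5.3 or later the same callback can be written as `function ($matches) { return htmlspecialchars($matches[0]); }`. The new check reads `$this->options['allow_html']` while the line after it reads the local `$options['nl2br']`; presumably both refer to the same array, but that assignment is outside the lines shown.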
Find:
--
"#(&\#(0*)106;|&\#(0*)74;|j)((&\#(0*)97;|&\#(0*)65;|a)(&\#(0*)118;|&\#(0*)86;|v)(&\#(0*)97;|&\#(0*)65;|a)(\s)?(&\#(0*)115;|&\#(0*)83;|s)(&\#(0*)99;|&\#(0*)67;|c)(&\#(0*)114;|&\#(0*)82;|r)(&\#(0*)105;|&\#(0*)73;|i)(&\#112;|&\#(0*)80;|p)(&\#(0*)116;|&\#(0*)84;|t)(&\#(0*)58;|\:))#i",
--
Replace with:
--
""#(&\#(0*)106;?|&\#(0*)74;?|&\#x(0*)4a;?|&\#x(0*)6a;?|j)((&\#(0*)97;?|&\#(0*)65;?|a)(&\#(0*)118;?|&\#(0*)86;?|v)(&\#(0*)97;?|&\#(0*)65;?|a)(\s)?(&\#(0*)115;?|&\#(0*)83;?|s)(&\#(0*)99;?|&\#(0*)67;?|c)(&\#(0*)114;?|&\#(0*)82;?|r)(&\#(0*)105;?|&\#(0*)73;?|i)(&\#112;?|&\#(0*)80;?|p)(&\#(0*)116;?|&\#(0*)84;?|t)(&\#(0*)58;?|\:))#i",
--
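Review bot: The replacement line starts with two double quotes (`""#(&\#...`), which is most likely a typo in the patch text. Pasted as written, PHP reads `""` as an empty string and treats everything from the `#` to the end of the line as a comment, so the pattern and its trailing comma are lost, leaving either a parse error or an empty pattern where the script-scheme filter should be. The line should begin with a single quote character, `"#(&\#(0*)106;?|...`, exactly like the line it replaces. More generally, listing entity encodings letter by letter is brittle; decoding entities before matching would be a sturdier design than extending the alternation.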
===============
3. jscripts/validator.js
===============
Find:
--
new Ajax.Request(options.url, {method:'post', postBody:"value=" + encodeURIComponent(value) + extra, onComplete: function(request) { this.ajaxValidateComplete(id, options, request); }.bind(this)});
--
Replace with:
--
new Ajax.Request(options.url, {method:'post', postBody:"value=" + encodeURIComponent(value) + extra + "&my_post_key=" + my_post_key, onComplete: function(request) { this.ajaxValidateComplete(id, options, request); }.bind(this)});
--
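Review bot: `my_post_key` is appended to the POST body without `encodeURIComponent`, unlike `value` on the same line, and it is read as a global that has to be defined on every page that loads validator.js. If the key is always a hex digest this is harmless, but encoding it keeps the body well-formed regardless: `+ "&my_post_key=" + encodeURIComponent(my_post_key)`. It is also worth confirming that the templates using the validator define `my_post_key` before this script runs, since an undefined global would throw and stop the validation request.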
===============
4. modcp.php
===============
There are two places to change here - each with the same code.
Find the two instances of:
--
while($logitem = $db->fetch_array($query))
{
$information = '';
$log_date = my_date($mybb->settings['dateformat'], $logitem['dateline']);
$log_time = my_date($mybb->settings['timeformat'], $logitem['dateline']);
$trow = alt_trow();
--
Replace each with:
--
while($logitem = $db->fetch_array($query))
{
$information = '';
$logitem['action'] = htmlspecialchars_uni($logitem['action']);
$log_date = my_date($mybb->settings['dateformat'], $logitem['dateline']);
$log_time = my_date($mybb->settings['timeformat'], $logitem['dateline']);
$trow = alt_trow();
--
===============
5. xmlhttp.php
===============
Find:
--
else if($mybb->input['action'] == "username_availability")
{
--
Replace with:
--
else if($mybb->input['action'] == "username_availability")
{
if(!verify_post_check($mybb->input['my_post_key'], true))
{
xmlhttp_error($lang->invalid_post_code);
}
--
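Review bot: `verify_post_check()` is called here with its second argument set to `true` (silent mode), so a bad key only makes it return false, and rejecting the request depends entirely on `xmlhttp_error()` ending execution. Its definition is outside the lines shown; if it does not exit, the username lookup below would still run, so a comment such as `// xmlhttp_error() exits; nothing below runs without a valid post key` would record the assumption. The same applies to the identical check added to the `username_exists` branch further down. This change and the validator.js change in section 3 have to be applied together, otherwise the AJAX username checks are rejected for every visitor.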
Find:
--
$lang->username_taken = $lang->sprintf($lang->username_taken, $username);
--
Replace with:
--
$lang->username_taken = $lang->sprintf($lang->username_taken, htmlspecialchars_uni($username));
--
Find:
--
$lang->username_available = $lang->sprintf($lang->username_available, $username);
--
Replace with:
--
$lang->username_available = $lang->sprintf($lang->username_available, htmlspecialchars_uni($username));
--
Find:
--
else if($mybb->input['action'] == "username_exists")
{
--
Replace with:
--
else if($mybb->input['action'] == "username_exists")
{
if(!verify_post_check($mybb->input['my_post_key'], true))
{
xmlhttp_error($lang->invalid_post_code);
}
--
Find:
--
$lang->valid_username = $lang->sprintf($lang->valid_username, $username);
--
Replace with:
--
$lang->valid_username = $lang->sprintf($lang->valid_username, htmlspecialchars_uni($username));
--
===============
6. inc/class_core.php
===============
Find:
--
public $version = "1.6.1";
--
Replace with:
--
public $version = "1.6.2";
--
Find:
--
public $version_code = 1601;
--
Replace with:
--
public $version_code = 1602;
--
===============
7. member.php
===============
This edit originally shipped with the 1.6.0 -> 1.6.1 changed files. It is repeated here to ensure the member.php
security patch is applied to your forum.
Find:
--
// Redirect to the page where the user came from, but not if that was the login page.
if($mybb->input['url'] && !preg_match("/action=login/i", $mybb->input['url']))
{
$redirect_url = htmlentities($mybb->input['url']);
}
elseif($_SERVER['HTTP_REFERER'])
{
$redirect_url = htmlentities($_SERVER['HTTP_REFERER']);
}
--
Replace with:
--
// Redirect to the page where the user came from, but not if that was the login page.
if($_SERVER['HTTP_REFERER'] && strpos($_SERVER['HTTP_REFERER'], "action=login") === false)
{
$redirect_url = htmlentities($_SERVER['HTTP_REFERER']);
}
else
{
$redirect_url = '';
}
--
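Review bot: The new check uses `strpos()`, which is case-sensitive, whereas the code it replaces matched `action=login` with the `/i` flag, so a referer that spells the parameter in a different case now passes the login-page exclusion. `stripos($_SERVER['HTTP_REFERER'], "action=login") === false` keeps the old behaviour. The Referer header is still client-supplied: `htmlentities()` makes it safe to print, but it does not confirm that the URL belongs to this board, so if `$redirect_url` is later used as a redirect target (that code is outside the lines shown) a same-site check belongs there. Reading `$_SERVER['HTTP_REFERER']` directly also raises a notice when the header is absent; `!empty($_SERVER['HTTP_REFERER'])` avoids that.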
ALL DONE