+--------------------------------------------------------------------------------+
| MyBB 1.4.14 - Security Update Patch File |
| (c) 2010 MyBB Group. |
| |
| This patch file fixes two medium risk security issues with 1.4.14 |
| |
| Please follow the instructions documented to manually patch your board. |
+--------------------------------------------------------------------------------+
===============
1. admin/modules/tools/modlog.php
===============
Find:
--
while($logitem = $db->fetch_array($query))
{
$information = '';
$logitem['dateline'] = date("jS M Y, G:i", $logitem['dateline']);
$trow = alt_trow();
$username = format_name($logitem['username'], $logitem['usergroup'], $logitem['displaygroup']);
--
Replace with:
--
while($logitem = $db->fetch_array($query))
{
$information = '';
$logitem['action'] = htmlspecialchars_uni($logitem['action']);
$logitem['dateline'] = date("jS M Y, G:i", $logitem['dateline']);
$trow = alt_trow();
$username = format_name($logitem['username'], $logitem['usergroup'], $logitem['displaygroup']);
--
===============
2. inc/class_parser.php
===============
Remove:
--
// Remove these completely
$message = preg_replace("#\s*]*>\s*#is", "", $message);
$message = preg_replace("#\s*]*>\s*#is", "", $message);
--
Find:
--
if($this->options['allow_mycode'])
{
// Now that we're done, if we split up any code tags, parse them and glue it all back together
if(count($code_matches) > 0)
{
foreach($code_matches as $text)
{
// Fix up HTML inside the code tags so it is clean
if($options['allow_html'] != 0)
{
$text[2] = $this->parse_html($text[2]);
}
if(my_strtolower($text[1]) == "code")
{
$code = $this->mycode_parse_code($text[2]);
}
--
Replace with:
--
if($this->options['allow_mycode'])
{
// Now that we're done, if we split up any code tags, parse them and glue it all back together
if(count($code_matches) > 0)
{
foreach($code_matches as $text)
{
if(my_strtolower($text[1]) == "code")
{
$code = $this->mycode_parse_code($text[2]);
}
--
Find:
--
if($options['nl2br'] !== 0)
--
Replace with:
--
// Replace meta and base tags in our post - these are > dangerous <
if($this->options['allow_html'])
{
$message = preg_replace_callback("#<((m[^a])|(b[^diloru>])|(s[^aemptu>]))(\s*[^>]*)>#si", create_function(
'$matches',
'return htmlspecialchars($matches[0]);'
), $message);
}
if($options['nl2br'] !== 0)
--
Find:
--
"#(&\#(0*)106;|&\#(0*)74;|j)((&\#(0*)97;|&\#(0*)65;|a)(&\#(0*)118;|&\#(0*)86;|v)(&\#(0*)97;|&\#(0*)65;|a)(\s)?(&\#(0*)115;|&\#(0*)83;|s)(&\#(0*)99;|&\#(0*)67;|c)(&\#(0*)114;|&\#(0*)82;|r)(&\#(0*)105;|&\#(0*)73;|i)(&\#112;|&\#(0*)80;|p)(&\#(0*)116;|&\#(0*)84;|t)(&\#(0*)58;|\:))#i",
--
Replace with:
--
"#(&\#(0*)106;?|&\#(0*)74;?|&\#x(0*)4a;?|&\#x(0*)6a;?|j)((&\#(0*)97;?|&\#(0*)65;?|a)(&\#(0*)118;?|&\#(0*)86;?|v)(&\#(0*)97;?|&\#(0*)65;?|a)(\s)?(&\#(0*)115;?|&\#(0*)83;?|s)(&\#(0*)99;?|&\#(0*)67;?|c)(&\#(0*)114;?|&\#(0*)82;?|r)(&\#(0*)105;?|&\#(0*)73;?|i)(&\#112;?|&\#(0*)80;?|p)(&\#(0*)116;?|&\#(0*)84;?|t)(&\#(0*)58;?|\:))#i",
--
===============
3. jscripts/validator.js
===============
Find:
--
new Ajax.Request(options.url, {method:'post', postBody:"value=" + encodeURIComponent(value) + extra, onComplete: function(request) { this.ajaxValidateComplete(id, options, request); }.bind(this)});
--
Replace with:
--
new Ajax.Request(options.url, {method:'post', postBody:"value=" + encodeURIComponent(value) + extra + "&my_post_key=" + my_post_key, onComplete: function(request) { this.ajaxValidateComplete(id, options, request); }.bind(this)});
--
===============
4. modcp.php
===============
There are two places to change here - each with the same code.
Find the two instances of:
--
while($logitem = $db->fetch_array($query))
{
$information = '';
$log_date = my_date($mybb->settings['dateformat'], $logitem['dateline']);
$log_time = my_date($mybb->settings['timeformat'], $logitem['dateline']);
$trow = alt_trow();
--
Replace each with:
--
while($logitem = $db->fetch_array($query))
{
$information = '';
$logitem['action'] = htmlspecialchars_uni($logitem['action']);
$log_date = my_date($mybb->settings['dateformat'], $logitem['dateline']);
$log_time = my_date($mybb->settings['timeformat'], $logitem['dateline']);
$trow = alt_trow();
--
===============
5. xmlhttp.php
===============
Find:
--
else if($mybb->input['action'] == "username_availability")
{
--
Replace with:
--
else if($mybb->input['action'] == "username_availability")
{
if(!verify_post_check($mybb->input['my_post_key'], true))
{
xmlhttp_error($lang->invalid_post_code);
}
--
Find:
--
$lang->username_taken = $lang->sprintf($lang->username_taken, $username);
--
Replace with:
--
$lang->username_taken = $lang->sprintf($lang->username_taken, htmlspecialchars_uni($username));
--
Find:
--
$lang->username_available = $lang->sprintf($lang->username_available, $username);
--
Replace with:
--
$lang->username_available = $lang->sprintf($lang->username_available, htmlspecialchars_uni($username));
--
Find:
--
else if($mybb->input['action'] == "username_exists")
{
--
Replace with:
--
else if($mybb->input['action'] == "username_exists")
{
if(!verify_post_check($mybb->input['my_post_key'], true))
{
xmlhttp_error($lang->invalid_post_code);
}
--
Find:
--
$lang->valid_username = $lang->sprintf($lang->valid_username, $username);
--
Replace with:
--
$lang->valid_username = $lang->sprintf($lang->valid_username, htmlspecialchars_uni($username));
--
===============
6. inc/class_core.php
===============
Find:
--
public $version = "1.4.14";
--
Replace with:
--
public $version = "1.4.15";
--
Find:
--
public $version_code = 1414;
--
Replace with:
--
public $version_code = 1415;
--
===============
7. member.php
===============
This edit is originally from the 1.4.14 update changed files. It is here to ensure the member.php
security patch is applied to your forum.
Find:
--
// Redirect to the page where the user came from, but not if that was the login page.
if($mybb->input['url'] && !preg_match("/action=login/i", $mybb->input['url']))
{
$redirect_url = htmlentities($mybb->input['url']);
}
elseif($_SERVER['HTTP_REFERER'])
{
$redirect_url = htmlentities($_SERVER['HTTP_REFERER']);
}
--
Replace with:
--
// Redirect to the page where the user came from, but not if that was the login page.
if($_SERVER['HTTP_REFERER'] && strpos($_SERVER['HTTP_REFERER'], "action=login") === false)
{
$redirect_url = htmlentities($_SERVER['HTTP_REFERER']);
}
else
{
$redirect_url = '';
}
--
ALL DONE