MyBB 1.6.17

Security

This version is no longer supported

The MyBB 1.6 series reached end of life on October 1, 2015.

This means there will be no more security or maintenance releases for this series and forums running this version of MyBB may be at risk of unfixed security issues. The MyBB Group strongly encourages all communities to upgrade to the latest release of MyBB as soon as possible.

Security vulnerabilities addressed (5)

Medium risk

Reset password code check could be circumvented in member.php

Medium risk

Permissions not checked for post search with old sid in search.php

Low risk

CSRF in ACP mass mail cancellation

Low risk

Use of the U+200E Unicode character to create "duplicate" username

Low risk

Multiple XSS vulnerabilities requiring admin permissions

Low risk

A CSRF vulnerability within ACP login

Low risk

Cache handler using var_export without encoding checks

Changed Files (9)

  • admin
      • modules
          • config
              • attachment_types.php
              • mycode.php
              • post_icons.php
              • profile_fields.php
              • thread_prefixes.php
          • forum
              • management.php
          • style
              • templates.php
          • tools
              • tasks.php
          • user
              • groups.php
              • mass_mail.php
              • titles.php
              • users.php
      • index.php
  • inc
      • cachehandlers
          • disk.php
      • class_core.php
      • class_error.php
      • functions.php
  • managegroup.php
  • member.php
  • modcp.php
  • search.php
  • showthread.php
  • usercp.php
  • xmlhttp.php