September 24, 2016

MyBB 1.6.5 Released To Address 3 Vulnerabilities

(LiveHacking.Com) – The MyBB community has released version 1.6.5 of its popular MyBB open source forum software. 1.6.5 addresses 3 security vulnerabilities and fixes 70 issues. The MyBB developers are classing 1.6.5 as a medium-sized security, maintenance and feature upgrade for the 1.6 series.

The security vulnerabilities fixed in 1.6.5 include:

  • An issue with an unparsed user avatar in the buddy list – reported by labrocca
  • Potential XSS vulnerability with validating usernames via AJAX – reported by Will G
  • CSRF vulnerability in ?language (see Issue 1729)

Included in the new features of 1.6.5 are some enhancements to CAPTCHAs. 1.6.5 adds the ability to use a hidden CAPTCHA, a ‘honeypot’ field that typically only spam bots will fill in. If this field is filled in, the registration will be denied. Also the ability to choose between the MyBB CAPTCHA or reCAPTCHA has been added.
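As an added illustration of the honeypot idea described above (this is example code, not MyBB's own implementation): the trap field is rendered hidden by CSS rather than as `type="hidden"`, so a bot that fills every visible-looking input populates it, and the server rejects any registration where it arrives non-empty. The field name `website_url`, the form layout and the two sample submissions are assumptions constructed for the example.

```python
"""Honeypot registration check (illustrative, not MyBB's code)."""
from typing import Mapping, Tuple

# Assumed field name: innocuous and form-like, so a bot that fills every input
# is likely to populate it. A real site would not call it "honeypot".
HONEYPOT_FIELD = "website_url"


def render_honeypot_field(name: str = HONEYPOT_FIELD) -> str:
    """HTML for the trap input. It is hidden with CSS, not type="hidden":
    a styled-away text input still looks fillable to a bot, while
    autocomplete="off" and tabindex="-1" keep browsers and humans out of it."""
    return (
        '<div style="display:none" aria-hidden="true">'
        f'<label for="{name}">Leave this field empty</label>'
        f'<input type="text" id="{name}" name="{name}" value="" '
        'tabindex="-1" autocomplete="off">'
        "</div>"
    )


def honeypot_triggered(form: Mapping[str, str],
                       name: str = HONEYPOT_FIELD,
                       require_present: bool = False) -> bool:
    """True when the submission should be rejected because of the honeypot.

    - A non-empty (non-whitespace) value means something filled the trap.
    - With require_present=True a missing field is also rejected: a normal
      browser always submits empty text inputs, so their absence suggests a
      hand-built POST that never loaded the form.
    """
    if name not in form:
        return require_present
    return form[name].strip() != ""


def validate_registration(form: Mapping[str, str]) -> Tuple[bool, str]:
    """Run the honeypot check before the rest of registration validation.
    Returns (accepted, reason); the reason is what a site would log."""
    if honeypot_triggered(form):
        return False, f"denied: honeypot field {HONEYPOT_FIELD!r} was filled"
    username = form.get("username", "").strip()
    if not username:
        return False, "denied: username is required"
    return True, "accepted"


# Constructed submissions, not captured traffic.
HUMAN_POST = {"username": "alice", "password": "s3cret", HONEYPOT_FIELD: ""}
BOT_POST = {"username": "buy-now", "password": "x",
            HONEYPOT_FIELD: "http://example.invalid/spam"}

if __name__ == "__main__":
    print(render_honeypot_field())
    for label, post in (("human", HUMAN_POST), ("bot", BOT_POST)):
        print(label, validate_registration(post))
```

Logging the rejection reason (without echoing the submitted value back into any page) gives a cheap signal of which IPs or user agents are hitting the form with automation.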

In October, MyBB discovered that a hacker had compromised the MyBB server and that the 1.6.4 release had been modified to contain a hidden vulnerability. To address this, all future releases of MyBB (starting with this 1.6.5 release) will be downloaded directly from GitHub. MD5 checksums will also be published for each release so that modified files are caught.

The MD5 checksums for 1.6.5 are:

mybb_1605.zip: 032403cee9d25110370ace935803ab9d

1605_changedfiles.zip: 91e6055b758c0aa233503a2a7528a7b0
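The following is an added example of how a downloader would use checksums like the two above; it is not MyBB's tooling. It keeps the page's published values in a table, hashes a downloaded file in chunks, and refuses both a mismatch and a file that has no published checksum at all. The demo files are constructed placeholders, so their hashes are computed in the example rather than taken from the table.

```python
"""Release checksum verification (illustrative, not MyBB's tooling)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# The MD5 values the release announcement lists for 1.6.5, keyed by file name.
PUBLISHED_MD5: Dict[str, str] = {
    "mybb_1605.zip": "032403cee9d25110370ace935803ab9d",
    "1605_changedfiles.zip": "91e6055b758c0aa233503a2a7528a7b0",
}


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path) -> str:
    """Hash a file in chunks so a large archive need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected: Dict[str, str] = PUBLISHED_MD5) -> Tuple[bool, str]:
    """Compare a downloaded file with the published checksum for its name.

    Returns (ok, message). A file with no published checksum is rejected
    rather than silently passed: "unknown" must never mean "trusted"."""
    name = Path(path).name
    if name not in expected:
        return False, f"{name}: no published checksum, refusing to trust it"
    actual = md5_of_file(path)
    if actual != expected[name].lower():
        return False, f"{name}: MISMATCH expected {expected[name]} got {actual}"
    return True, f"{name}: OK"


def demo() -> Dict[str, bool]:
    """Constructed demonstration: a clean file, the same file after it was
    modified, and a file the publisher never listed."""
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "mybb_1605.zip"
        archive.write_bytes(b"constructed placeholder for the release archive")
        published = {archive.name: md5_of_file(archive)}  # what a vendor would publish
        results["clean"] = verify_download(archive, published)[0]

        # Any change to the bytes, however small, must be caught.
        archive.write_bytes(archive.read_bytes() + b"\n# one extra line")
        results["tampered"] = verify_download(archive, published)[0]

        stray = Path(tmp) / "mybb_1605_extra.zip"  # constructed, unlisted name
        stray.write_bytes(b"unlisted file")
        results["unlisted"] = verify_download(stray, published)[0]
    return results


if __name__ == "__main__":
    for key, ok in demo().items():
        print(f"{key}: {'OK' if ok else 'REJECTED'}")
```

A checksum only protects against what the attacker could not also change: if the hash list were published on the same compromised server as the archive, a tampered release would simply ship with a matching hash. Publishing the checksums separately from the download host is what makes the check meaningful, and a signature over the release would be stronger still, since MD5 is no longer collision-resistant.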