MyBB 1.6.1 Released

[RocketFoot]

MyBB 1.6.1 released Dec. 15th, 2010

http://blog.mybb.com/2010/12/15/mybb-1-6...http://blog.mybb.com/2010/12/15/mybb-1-6-1-release-1-4-

I wonder if this upgrade will be rough?  My board is heavily modified with plugins as well as theme edits.  I don't have a default theme installed, I only use 1 custom theme.  Any suggestions?  Wait a while maybe?

[leefish]

Well, I always wait a couple of days before upgrading what have you, then we will see if any thing major breaks. There are security issues though so hrmmm.

[RocketFoot]

(12-17-2010 01:10 AM)leefish Wrote:  Well, I always wait a couple of days before upgrading what have you, then we will see if any thing major breaks. There are security issues though so hrmmm.

You're probably in the same boat as me...your board is heavily modified!  I dread these releases!  I run an IPB board and the same thing, every few months, another minor or major release is rolled out!

[MattR]

That's why we provide the manual patches file for the security fixes... sometimes I get the feeling people would rather just have bugs than update and have them fixed... plugins will have absolutely no impact on this upgrade, and only 3 templates need to be reverted to default if you've even made edits to them, are you saying you've edited loads of core PHP files??

[leefish]

(12-17-2010 01:33 AM)MattR Wrote:  That's why we provide the manual patches file for the security fixes... sometimes I get the feeling people would rather just have bugs than update and have them fixed... plugins will have absolutely no impact on this upgrade, and only 3 templates need to be reverted to default if you've even made edits to them, are you saying you've edited loads of core PHP files??

Hmm, no. What I WAS saying is that my usual practice of giving it a couple of days might be changed because of the security fixes.

This is why I have downloaded the manual patch and am patching before I upgrade in  couple of days.

Stop assuming stuff all the time, eh?

[MattR]

My post was aimed at RocketFoot...

[leefish]

(12-17-2010 02:23 AM)MattR Wrote:  My post was aimed at RocketFoot...

LOL - that will teach me to assume

also - Rocketfoot - you should do the security edits.

[MasterZuFu]

Due to the security issues related to this upgrade, I upgraded mine right away (I learned the hard way a few years ago and neglected up to a week before upgrading -unfortunately this was the mybb 1.4 upgrade dealing with a HUGE security vulnerability that allowed a hacker to gain admin permissions and even root mybb for a backdoor attack later-, while I was in the middle of doing my upgrade my site was hacked and I found myself and my sysadmin in the middle of a 30 minute battle trying to block the hacker and revert things to normal while he undid everything we did, it took some time but we finally outsmarted him.).

I highly suggest upgrading due to the security threats involved.

I would note that my "Trading forum" and "Training forum" had a slight mishap after the upgrade. When I made a new thread it gave me an sql error because I didn't have a default "no image" picture in the /images folder, so even uploading an image wouldn't work unless I had the /images/no_image.gif file in there. I'll post this problem in the "Trading Forum" section as well, maybe there's an update or fix for it, but it made me put the "no image" in there anyways.

[RocketFoot]

MattR, I do have some edits to php files, I'll have to look and see if mine are any of the ones mentioned in the blog.  Also, please don't take my post wrong...I appreciate the updates and security patches but i just wish that it could be easier and with less mess!  LOL.  I consider myself somewhat experienced and still have trouble but for a rookie forum master, an update could be really ugly.

[ZiNgA BuRgA]

I believe it's an XSS fix, which isn't *too* big of a hole TBH.  It's been public knowledge for a while anyway: http://dev.mybb.com/issues/1331
Worst case scenario for an XSS attack is that someone gets an admin account, however, they'll unlikely be able to get AdminCP access.

Considering that so many custom MyCodes essentially give XSS vulnerabilities, and no-one seems to notice until I point it out, I really doubt you're at much risk of an XSS based attack.
Nevertheless, it's possible I guess >_>

For people who mod files, just do a diff of your modified files against a stock 1.6.0 (WinMerge is handy) to find what you've modified.  You can even try creating a patch file and applying it to 1.6.1, though it may not work.