Kylin Posted October 24, 2013

The site has just undergone a security update. As a result, several core files were overwritten and some minor things may not be working properly. I think I fixed most of them. If another issue arises, please report it here. Thanks.

Security update solved the following:

Vulnerabilities dealt with:
High Risk: Authorization bypass vulnerability within the PM system
Medium Risk: Accounts without login keys could be hijacked
Low Risk: Weakness within the generate_post_check() function
Low Risk: Anonymous statistics may not always be anonymous
Low Risk: Database backups are exposed in logs

Bugs dealt with:
Bug #956: Quote tags don't work if username contains a ]
Bug #1443: View thread notes - PgSQL
Bug #1483: Large attachments, greater than PHP memory limit, fail
Bug #1515: Attachment in first post lost after merging posts below
Bug #1611: '&' in RSS feed titles
Bug #1702: canonlyviewownthreads Permission Bug
Bug #1733: GeoIP encoding problem
Bug #1846: SMTP TLS
Bug #1847: memcache sockets
Bug #1871: Mod CP user search Post Count column alignment
Bug #1877: Forum Jump doesn't obey SEF urls setting
Bug #1879: Thread drafts don't remember prefixes
Bug #1927: User merge - Source account avatar left on server
Bug #2002: User merge warning logs error
Bug #2003: When replying to a subject that is at max character limit, you will get an error.
Bug #2008: Google-Mobile useragent not detected
Bug #2019: function affected_rows in db_pgsql.php calls pg_affected_rows with the wrong parameter
Bug #2023: Maximum Videos per Post setting not working
Bug #2059: Post Tools won't show up until a Thread Tool exists
Bug #2070: Pending group join requests are effectively numUsersInGroup * JoinRequests
Bug #2095: User(s) browsing this thread not appearing on quote link
Bug #2103: Mark forum read doesn't work with PostgreSQL
Bug #2110: Writing limit in a post triggers PostgreSQL replacement
Bug #2122: COPPA invalid date of birth
Bug #2124: Tracking Logic Wrong
Bug #2125: Admin CP Viewing Warning wrong link
Bug #2134: AdmincP Bug
Bug #2142: PM Advanced Search Sort Order
Bug #2151: Saving CSS changes in Simple Editor breaks @media queries
Bug #2156: Attachment count wrong when unapproving attachments
Bug #2157: Last user user-name for threads and forums is not updated upon modifying user-names or merging users.
Bug #2158: Users can give reputation for any post.
Bug #2162: Threadlist can contain a thread without name, id etc.
Bug #2163: Linking to non existent post does not show typical error page
Bug #2165: sendthread.php throws sql error with postgres
Bug #2166: calling newreply with no tid does not show the correct error page
Bug #2167: Calling polls.php with invalid pid shows sql error instead of correct error page
Bug #2168: Postgres errors in search.php and useless order by clause
Bug #2175: Displaying the latest new user does not always work
Bug #2177: update_pm_count() can throw sql error in Postgres
Bug #2179: Set value for MYBB_ROOT
Bug #2182: Apostrophe in DB password causes PHP error
Bug #2184: SID not checked in admin/modules/templates.php
Bug #2188: Reputation Sync Not Accounting For NULL Values
Bug #2192: Attachments still downloadable if thread unapproved
Bug #2193: Thread Subscriptions "not subscribed to any threads" with &page=
Bug #2204: Login Page - maxlength for username/email field too short
Bug #2205: enablereputation setting problem
Bug #2206: Strange/missing permission checks in editpost and newreply
Bug #2211: Splitting a thread at the same time can create threads without posts
Bug #2213: forumbit_depth1_forum doesn't exist
Bug #2215: Double defined $cache on upgrade
Bug #2216: "Templates Requiring Additional Calls" will always show
Bug #2227: editor.js error causing misalignment in Office 2007 editor theme.
Bug #2229: member.php Away Date Bug
Bug #2234: 'Language fallback to english' option fails when language 'area' is 'admin'
Bug #2235: PostgreSQL error on quick reply
Bug #2241: Replacing preg_replace e modifier PHP 5.5
Bug #2245: Language tweak in installer
Bug #2246: Logout link broken on "Access Denied" pages
Bug #2248: Installer: Update "Subscribe to Mailing List" link
Bug #2249: sessions unnecessarily being deleted and created on every request
Bug #2250: Admin Log errors
Bug #2254: Adding attachment to an existing draft creates a new draft
Bug #2270: Minor Typo / Consistency Issue in showthread.php
Feature #1853: Allow login via email and/or username with settings in the ACP