2.0 dev post #2

It’s that time again, time for another MyBB 2.0 dev blog! This post is the second in a series of development update posts regarding MyBB 2.0.  Currently in pre-alpha, MyBB 2.0 is the long awaited upcoming major version of the open source MyBB forum software.  We’ll be posting regular updates (we promise!) in regards to the development to keep you all updated. The development team have been hard at work since our last dev post, adding new features and polishing existing functionality. This post will explore some of these new features and highlight our approach to the development of the system.

2.0 dev post #1

This will be the first of a series of development update posts regarding MyBB 2.0.  Currently in pre-alpha, MyBB 2.0 is the long awaited upcoming major version of the open source MyBB forum software.  We’ll be posting regular updates (we promise!) in regards to the development to keep you all updated.

Development Cycle

Being a pre-alpha, many basic functions of forum software are not yet implemented.  Right now, all development is being done in private by a subset of the development team led by Euan T.  Once we have working software with all the basics, the alpha release will be announced and we will open up the GitHub repo so that the community at large will be able to begin contributing.  Once the majority of features have been implemented a beta will be released, and after that, a gold 2.0 will be let loose!

Currently no public timeframe is on the table.  We have an internal roadmap, but we’d rather not disappoint the public if we fail to make one of our milestones.  As always it will be released when it’s ready.  That being said, from the dev blog posts you should be able to make educated guesses.

What We Have

Here’s the juicy content you’ve all been waiting for.  MyBB 2.0 is being coded in PHP, using the Laravel 5 framework and the Twig templating engine.  Various screenshots of 2.0 prototypes have been posted to MyBB’s Facebook and Twitter social media pages, revealing a long anticipated and rumored responsive theme.  “Pretty” URLs are available out of the box, taking the form “/topic/me-thread.1”, along with several other useful tools aimed at enhancing the search engine optimisation of the software such as relevant meta tags and canonical links. In addition, the new default theme makes use of semantic HTML5 elements, rather than the old and now defunct table-based layout that’s been a part of MyBB since the early days.

Here are some screenshots of a super-secret development copy live on the Internet somewhere (don’t bother looking for it; it’s protected by HTTP auth and a rather obscure URL).

Everyone’s favorite features, /me and /slap, are live in the very first 2.0 “/me topic”.  By the way, we’ve transitioned from the old Usenet-era term “thread” and changed the language to say “topic”, a much more modern and relevant term.


Buttons, as you can see, are provided in SVG format by Font Awesome.  Another thing you may notice is that the timestamps seem rather archaic; have no fear, relative time and more human readable dates are on the way.

This is by no means all that has been implemented so far, but as we plan on having regular dev posts we’ll save some for a later date!

We as a team are very excited by the prospects of MyBB 2.0 and are looking forward to a very exciting future. We hope that you too can share in this excitement with us and keep making MyBB great.

Transparency on the hijacking of our Twitter account and 2.0 leaks

Recently our Twitter account was compromised and there have been questions in the community about what happened.  We’d like to take some time for a short explanation of what happened.

On January 27th, a MyBB group team member’s account was compromised, as well as his personal website.  We had unfortunately been storing our Twitter account password in plaintext in a thread.  The attacker found the password, changed the email & password of the @MyBB Twitter account and began to post offensive messages.  IPs of staff members were also released during this time, as well as installation statistics.  Within two hours, we had isolated the breach and banned the staff member’s account to prevent any further perusing of private data.  The staff member in question does not have access to the Admin Control Panel, so no private user data was accessible.  We have no reason to believe any other information was accessed.  The staff member is currently on a leave of absence related to personal issues not related to MyBB.

We immediately contacted Twitter and Chris talked to a former co-worker who works at Twitter to escalate the ticket. The hacker’s access to the account was locked, and Twitter began to investigate our claim to the account.  The issue was quickly sorted and we regained access.

There was also recently a thread posted on TheAdminZone with screenshots of the 2.0 GitHub repository.  The poster claimed to be selling the 2.0 source code.  The code the user had was simply the initial commit of Laravel into the repository; none of the actual 2.0 code was present. As for seeing some of that 2.0 code, watch the blog over the next few days!

At MyBB we have a strong commitment to security.  All staff with ACP access use a secret PIN, a form of 2FA.  We release patches to any serious issues usually within hours of them being reported.  We have Two Factor Authentication enabled on our staff email accounts and GitHub, and are actively working on getting 2FA for our other development tools.  Security is a process, as former staff member Nathan Malcolm, now of @sintheticlabs, says.  We continue to improve our processes and incorporate more secure policies and features.

StefanT to take over as project manager

I am pleased to announce that StefanT will soon be taking over from me as project manager.

MyBB has been an exciting 7 year journey for me and I’ve witnessed an enormous amount of progress during my time. The project is still of great significance to me; however, I have recently been unable to dedicate the time it deserves, largely due to several great opportunities that have consumed most of my attention for the last two years. Therefore I have made the tough decision to retire from the project and hand over the reins to someone fresh and motivated.

A ballot was conducted among the team members to decide my successor. Nominations were open to all team members and Stefan was the successful candidate. I am very confident that the project will be in safe hands under Stefan’s leadership given the excellent job he has done steering development efforts over the past year.

I am also very excited to see what the future holds for MyBB. I hope my retirement will allow some of the newer team members to take greater ownership over the project and help take MyBB to new heights. In particular I’m pleased by the work towards 2.0 which has begun recently and I hope the team will be able to share more about that with you soon.

I’d like to thank the community for their support of the project, and the team who I have greatly enjoyed collaborating with over the years.

Regards, Tim B.

MyBB 1.8.4 Released – Feature Update, Security & Maintenance Release

MyBB 1.8.4 – Feature Update, Security & Maintenance Release

MyBB 1.8.4 is now available from the MyBB website and is a feature update, security and maintenance release.

What’s added/changed in this version?

This release fixes 7 vulnerabilities and 118 reported issues causing incorrect functionality of MyBB. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version.

Please view the 1.8.4 changes on the Docs site for more information about the changes in this version.

Please note that you do need to run the upgrade script for this version.

Upgrading from 1.8.3 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 18 language files. 54 templates have been changed or added.

If you’re using MyBB 1.8.2 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Note about updated package for 1.8.4

Due to a minor issue with the original packages an updated package set has been released.

If you installed or updated your forums using either the full or changed files packages prior to 10:00 a.m. on February 16, 2015 GMT please download a fresh package from the links above and replace the following file:

moderation.php

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package; the file above will appear as modified if you need to download an updated copy.

We apologise for any inconvenience.

Merge System 1.8.4

MyBB Merge System 1.8.4 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release fixes a compatibility issue with MyBB 1.8.4.

Attack against the community forums prior to 1.8.3 release

The recent 1.8.3 release fixes a high risk SQL injection vulnerability; it is critically important that users upgrade as soon as possible to ensure their systems are safe.

Unfortunately, we wish to inform users that this vulnerability was used against the community forums in the days before it was discovered and patched by our team. The attack was successful in accessing our database; however, our logs indicate that only a very small portion of the database was obtained. While we know the size of what was downloaded, we have no way of knowing what data it contained and therefore we cannot rule out that the attacker downloaded a small portion of the users table. The attacker also had access to the ACP for a short period.

In light of this we recommend all community forum users take appropriate precautions on the assumption that their account was accessed. This includes changing your password and monitoring your account for any suspicious activity.

Our understanding is that the attacker used the SQL injection to reset Chris’ community forum password by retrieving the confirmation code, then discovered the ACP directory name by searching PMs sent between team members. They were then able to edit the log settings in the ACP to write to a publicly accessible location and create a back-door script on the file-system. Upon discovering the attack we immediately took steps to prevent further access, and we are now confident that the system is secure, having searched for any additional back-doors. We have also changed our ACP directory, adopted the new ACP PIN functionality added in 1.8, and used an isolated communication channel to distribute these new details to team members.

We’d like to reiterate that users running the latest version of MyBB are already secured against the vulnerabilities used to gain access to the ACP, and we’ll be using information learned from this attack to further improve security within the ACP in future releases.

Regards,

The MyBB Team.

MyBB 1.8.3 & 1.6.16 Released – Security Releases

MyBB 1.8.3

MyBB 1.8.3 is now available from the MyBB website. It fixes 1 high risk vulnerability, 2 medium risk vulnerabilities and 3 low risk vulnerabilities. We recommend everyone upgrades to this release immediately.

What’s added/changed in this version?

The vulnerabilities are:

  • High Risk: A SQL injection vulnerability in theme selection (reported by StefanT)
  • Medium Risk: A XSS vulnerability in calendar.php (reported by -Acid)
  • Medium Risk: A XSS vulnerability in MyCode editor (reported by My-BB.Ir)
  • Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
  • Low Risk: unserialize may call PHP magic methods (reported by chtg)
  • Low Risk: PHP setting request_order can break register globals handling (reported by chtg)

Additionally we’ve fixed an issue with the video MyCode introduced with MyBB 1.8.2 (#1625) and revised the handling of data fetched from our website as a direct consequence of the compromised GitHub account (#1617). In addition to that, we’ve set the adminsid cookie as httpOnly (#1622). We also plan to add enhanced options to protect the Admin CP like two factor authentication with one of the next maintenance releases.

Please note that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.8.2 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.

If you’re using MyBB 1.8.1 or lower

  • Download and use the full 1.8.3 Release Package (MD5: 1f5d1246da4174f3b29799eca435d86c)
  • Follow the Docs Upgrading Instructions

MyBB 1.6.16

MyBB 1.6.16 is now available from the MyBB website. It fixes 5 low risk vulnerabilities.

What’s added/changed in this version?

The vulnerabilities are:

  • Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
  • Low Risk: A XSS vulnerability in admin/modules/style/templates.php
  • Low Risk: A XSS vulnerability in admin/modules/config/languages.php
  • Low Risk: unserialize may call magic methods (reported by chtg)
  • Low Risk: request_order can break register globals handling (reported by chtg)

Additionally we’ve revised the handling of data fetched from our website as a direct consequence of the compromised GitHub account (#1617). In addition to that, we’ve set the adminsid cookie as httpOnly (#1622).

Please note that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.6.15 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.

If you’re using MyBB 1.6.14 or lower

  • Download and use the full 1.6.16 Release Package (MD5: 98e84e5de337843f407a4b58d70253c9)
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Note about updated package for 1.6.16

Due to a minor issue with the original packages an updated package set has been released.

If you installed or updated your forums using either the full or changed files packages prior to 18:00 on November 20, 2014 GMT please download a fresh package from the links above and replace the following files:

admin/modules/home/version_check.php
calendar.php (reverted to previous version)

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package; the files above will appear as modified if you need to download an updated copy.

We apologise for any inconvenience.

[UPDATED – IMPORTANT] GitHub Account Compromised

UPDATE: Updated the page in which you should check for suspicious activity. It should be the Admin Logs page, not the Database Backups. You should also rebuild the cache (if you’re on 1.8) for ‘update_check’.


Hello,

Yesterday, 14th of November, my (Pirata Nervo) GitHub account was compromised. By taking advantage of that, the attacker made a commit to our GH pages, more specifically one which is retrieved by the MyBB software in order to process version checks. Unfortunately, the attack allowed the attacker to set up database backups of any MyBB forum, without exception, via JavaScript.

In order for you to know if you were attacked, you must have accessed the Admin CP of your forum from 14th November 23:00 GMT to 15th November 15:30 GMT. If you accessed your AdminCP during this timespan, it is likely that you were attacked. Note that if you’re on 1.8, the version check task may have been executed during this period, which may still allow the attack if you login after this period.

To be sure about it, please log on to your AdminCP now and check your Database Backup Logs from ACP -> Tools & Maintenance -> Administrator Logs. If there is at least one log for a database backup made between that time span mentioned above, you were affected. We strongly recommend you to alert your users about it so they can change their passwords.


What you have to do: (in case you were attacked)

  • Alert your users to change their passwords.
  • Change your password.
  • Clear your cookies.
  • ACP -> Tools & Maintenance -> Cache Manager -> Rebuild Cache for ‘update_check’.
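The log check described above, written out as an added example (not MyBB’s own code): it scans admin-log records for database backups taken inside the announced window. The record layout (uid, ipaddress, dateline, module, action) and the `tools-backupdb` module string are assumptions modelled on MyBB’s adminlog table; the sample records are constructed.

```python
from datetime import datetime, timezone

# Compromise window from the announcement (GMT, treated as UTC here).
WINDOW_START = datetime(2014, 11, 14, 23, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2014, 11, 15, 15, 30, tzinfo=timezone.utc)

# Assumed module string for a database backup entry (hypothetical; check the
# module/action values in your own adminlog export before relying on it).
BACKUP_MODULE = "tools-backupdb"


def _utc(year, month, day, hour, minute):
    """Unix timestamp for a UTC wall-clock time (used to build the samples)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


def in_window(dateline, start=WINDOW_START, end=WINDOW_END):
    """True if the Unix timestamp lies in [start, end]; end=None is open-ended,
    which covers the 1.8 caveat that the version-check task may have run during
    the window and the backup been triggered at a later ACP login."""
    when = datetime.fromtimestamp(dateline, tz=timezone.utc)
    if when < start:
        return False
    return end is None or when <= end


def suspicious_backups(entries, start=WINDOW_START, end=WINDOW_END):
    """Return the backup log entries whose dateline falls inside the window."""
    return [
        e for e in entries
        if e.get("module") == BACKUP_MODULE and in_window(e["dateline"], start, end)
    ]


def affected(entries, start=WINDOW_START, end=WINDOW_END):
    """Per the announcement: at least one in-window backup means affected."""
    return len(suspicious_backups(entries, start, end)) > 0


# Constructed sample records (not from any real forum).
SAMPLE_LOG = [
    {"uid": 1, "ipaddress": "192.0.2.10", "dateline": _utc(2014, 11, 14, 18, 0),
     "module": "tools-backupdb", "action": "backup"},    # before the window
    {"uid": 1, "ipaddress": "192.0.2.10", "dateline": _utc(2014, 11, 15, 2, 15),
     "module": "tools-backupdb", "action": "backup"},    # inside: suspicious
    {"uid": 1, "ipaddress": "192.0.2.10", "dateline": _utc(2014, 11, 15, 9, 40),
     "module": "config-settings", "action": "change"},   # inside, not a backup
    {"uid": 2, "ipaddress": "198.51.100.7", "dateline": _utc(2014, 11, 15, 15, 30),
     "module": "tools-backupdb", "action": "backup"},    # boundary: inclusive
    {"uid": 1, "ipaddress": "192.0.2.10", "dateline": _utc(2014, 11, 16, 8, 0),
     "module": "tools-backupdb", "action": "backup"},    # after the window
]

if __name__ == "__main__":
    for e in suspicious_backups(SAMPLE_LOG):
        when = datetime.fromtimestamp(e["dateline"], tz=timezone.utc)
        print(f"backup by uid {e['uid']} from {e['ipaddress']} at {when:%Y-%m-%d %H:%M} UTC")
    print("affected:", affected(SAMPLE_LOG))
```

Run it with `end=None` on a 1.8 forum to also surface backups taken after the window closed.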


I’ve already enabled 2 Factor Authentication on my GitHub account and changed my password. I deeply apologize for this event for it was never my intention to cause any harm to anyone but it should be my responsibility to keep my account as secure as possible.


My apologies,

Pirata Nervo

MyBB 1.8.2 Released – Security Release

MyBB 1.8.2 is now available from the MyBB website. It fixes 1 high risk vulnerability, 2 medium risk vulnerabilities and 2 low risk vulnerabilities. We recommend everyone upgrades to this release immediately.
MyBB 1.6.15 is not affected by these vulnerabilities.

What’s added/changed in this version?

The vulnerabilities are:

  • High Risk: A SQL injection vulnerability in member.php
  • Medium Risk: A XSS vulnerability in report.php
  • Medium Risk: A XSS vulnerability in inc/class_parser.php
  • Low Risk: A XSS vulnerability in admin/modules/style/templates.php
  • Low Risk: A XSS vulnerability in admin/modules/config/languages.php

Please note that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.8.1 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.

If you’re using MyBB 1.8.0 or lower

  • Download and use the full 1.8.2 Release Package (MD5: 4f6e49b7a457b72dbe8fb47ae5ded430)
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team