MyBB 1.6 End of Life Announcement

MyBB 1.8 was released almost 9 months ago (September 1st, 2014 for those keeping track) and has since proven to be stable. Therefore we will be concluding maintenance and support for the MyBB 1.6 series, and we encourage everyone who has not already done so to upgrade to MyBB 1.8 as soon as possible.

The end of life date for MyBB 1.6 will be the 1st of September, 2015.

After this date:

  • We will not be offering official support for MyBB 1.6.
  • There will be no further maintenance or security releases for the 1.6 series.
  • The 1.6 support forums will be closed and archived.

If you require information on how to upgrade, please consult our upgrade instructions; if you need further support, please visit the support forums.

Change of license for MyBB 2.0

MyBB has historically used the Lesser GNU Public License Version 3 (LGPL3) for the MyBB 1.8 series, and the GNU Public License Version 3 (GPL3) in earlier releases.

Both of these licenses are open source licenses, though both have a fair few limitations. The basic limitations of these licenses are best described by TLDRLegal.

For MyBB 2.0, we decided that we wanted to follow a much clearer and simpler licensing model. Several licenses were considered, including the extremely open MIT license. In the end, it was decided that both MyBB 2.0 and all of the associated libraries will be released under the BSD 3 Clause (BSD-3) license, which reads as follows:

Copyright (c) 2015, MyBB Group
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This license is much simpler than previous licenses, and has the following basic limitations:

  • You cannot use the MyBB Group trademark or the names, trademarks or logos of any of the project’s contributors.
  • The MyBB Group cannot be held liable for any damages caused by the software.
  • The original copyright must be retained.

This change shouldn’t mean much to many of our average users, and will require no changes in many cases. If you do have any concerns about any legal impact this may have upon you or your sites, please do open a thread in our Private Inquiries forum, though we do not claim to be legal experts, and a legal professional should be consulted if you have any real concerns.

We hope that this license change will make life a lot easier for users of both the MyBB software and our libraries.

2.0 dev post #2

It’s that time again, time for another MyBB 2.0 dev blog! This post is the second in a series of development update posts regarding MyBB 2.0. Currently in pre-alpha, MyBB 2.0 is the long awaited upcoming major version of the open source MyBB forum software. We’ll be posting regular updates (we promise!) in regards to the development to keep you all updated. The development team have been hard at work since our last dev post, adding new features and polishing existing functionality. This post will explore some of these new features and highlight our approach to the development of the system.

2.0 dev post #1

This will be the first of a series of development update posts regarding MyBB 2.0. Currently in pre-alpha, MyBB 2.0 is the long awaited upcoming major version of the open source MyBB forum software. We’ll be posting regular updates (we promise!) in regards to the development to keep you all updated.

Development Cycle

Being a pre-alpha, many basic functions of forum software are not yet implemented. Right now, all development is being done in private by a subset of the development team led by Euan T. Once we have working software with all the basics, the alpha release will be announced, we will open up the GitHub repo, and the community at large will be able to begin contributing. Once the majority of features have been implemented a beta will be released, and after that, a gold 2.0 will be let loose!

Currently no public timeframe is on the table. We have an internal roadmap, but we’d rather not disappoint the public if we fail to make one of our milestones. As always, it will be released when it’s ready. That being said, from the dev blog posts you should be able to make educated guesses.

What We Have

Here’s the juicy content you’ve all been waiting for. MyBB 2.0 is being coded in PHP, using the Laravel 5 framework and the Twig templating engine. Various screenshots of 2.0 prototypes have been posted to MyBB’s Facebook and Twitter social media pages, revealing a long anticipated and rumored responsive theme. “Pretty” URLs are available out of the box, taking the form “/topic/me-thread.1”, along with several other useful tools aimed at enhancing the search engine optimisation of the software, such as relevant meta tags and canonical links. In addition, the new default theme makes use of semantic HTML5 elements, rather than the old and now defunct table-based layout that’s been a part of MyBB since the early days.

Here are some screenshots of a super-secret development copy live on the Internet somewhere (don’t bother looking for it; it’s protected by HTTP auth and a rather obscure URL).

Everyone’s favorite features, /me and /slap, are live in the very first 2.0 “/me topic”. By the way – we’ve transitioned from the old Usenet and email-group term “thread” and changed the language to say “topic”, a much more modern and relevant term.

Buttons, as you can see, are provided in SVG format by Font Awesome. Another thing you may notice is that the timestamps seem rather archaic; have no fear, relative time and more human readable dates are on the way.

This is by no means all that has been implemented so far, but as we plan on having regular dev posts we’ll save some for a later date!

We as a team are very excited by the prospects of MyBB 2.0 and are looking forward to a very exciting future. We hope that you too can share in this excitement with us and keep making MyBB great.

Transparency on the hijacking of our Twitter account and 2.0 leaks

Recently our Twitter account was compromised and there have been questions in the community about what happened.  We’d like to take some time for a short explanation of what happened.

On January 27th, a MyBB group team member’s account was compromised, as well as his personal website. We had unfortunately been storing our Twitter account password in plaintext in a thread. The attacker found the password, changed the email address and password of the @MyBB Twitter account and began to post offensive messages. IPs of staff members were also released during this time, as well as installation statistics. Within two hours, we had isolated the breach and banned the staff member’s account to prevent any further perusing of private data. The staff member in question does not have access to the Admin Control Panel, so no private user data was accessible. We have no reason to believe any other information was accessed. The staff member is currently on a leave of absence related to personal issues not related to MyBB.

We immediately contacted Twitter, and Chris talked to a former co-worker who works at Twitter to escalate the ticket. The hacker’s access to the account was locked, and Twitter began to investigate our claim to the account. The issue was quickly sorted and we regained access.

There was also recently a thread posted on TheAdminZone with screenshots of the 2.0 GitHub repository. The poster claimed to be selling the 2.0 source code. The code the user had was simply the initial commit of Laravel into the repository; none of the actual 2.0 code was present. As for seeing some of that 2.0 code, watch the blog over the next few days!

At MyBB we have a strong commitment to security. All staff with ACP access use a secret PIN, a form of 2FA. We release patches to any serious issues usually within hours of them being reported. We have Two Factor Authentication enabled on our staff email accounts and GitHub, and are actively working on getting 2FA for our other development tools. Security is a process, as former staff member Nathan Malcolm, now of @sintheticlabs, says. We continue to improve our processes and incorporate more secure policies and features.

StefanT to take over as project manager

I am pleased to announce that StefanT will soon be taking over from me as project manager.

MyBB has been an exciting 7 year journey for me and I’ve witnessed an enormous amount of progress during my time. The project is still of great significance to me, however I have recently been unable to dedicate the time it deserves, largely due to several great opportunities that have consumed most of my attention for the last two years. Therefore I have made the tough decision to retire from the project and hand over the reins to someone fresh and motivated.

A ballot was conducted among the team members to decide my successor. Nominations were open to all team members and Stefan was the successful candidate. I am very confident that the project will be in safe hands under Stefan’s leadership given the excellent job he has done steering development efforts over the past year.

I am also very excited to see what the future holds for MyBB. I hope my retirement will allow some of the newer team members to take greater ownership over the project and help take MyBB to new heights. In particular I’m pleased by the work towards 2.0 which has begun recently and I hope the team will be able to share more about that with you soon.

I’d like to thank the community for their support of the project, and the team who I have greatly enjoyed collaborating with over the years.

Regards, Tim B.

MyBB 1.8.4 Released – Feature Update, Security & Maintenance Release

MyBB 1.8.4 is now available from the MyBB website and is a feature update, security and maintenance release.

What’s added/changed in this version?

This release fixes 7 vulnerabilities and 118 reported issues that caused incorrect functionality in MyBB. Please be aware that, to keep updates easy to manage, not all reported issues have been fixed in this version.

Please view the 1.8.4 changes on the Docs site for more information about the changes in this version.

Please note that you do need to run the upgrade script for this version.

Upgrading from 1.8.3 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 18 language files. 54 templates have been changed or added.

If you’re using MyBB 1.8.2 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Note about updated package for 1.8.4

Due to a minor issue with the original packages an updated package set has been released.

If you installed or updated your forums using either the full or changed files packages prior to 10:00 a.m. on February 16, 2015 GMT, please download a fresh package from the links above and replace the following file:

moderation.php

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package: the file above will appear as modified if you need to download an updated copy.

We apologise for any inconvenience.

Merge System 1.8.4

MyBB Merge System 1.8.4 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release fixes a compatibility issue with MyBB 1.8.4.

Attack against the community forums prior to 1.8.3 release

The recent 1.8.3 release fixes a high risk SQL injection vulnerability; it is critically important that users upgrade as soon as possible to ensure their systems are safe.

Unfortunately, we wish to inform users that this vulnerability was used against the community forums in the days before it was discovered and patched by our team. The attack was successful in accessing our database; however, our logs indicate that only a very small portion of the database was obtained. While we know the size of what was downloaded, we have no way of knowing what data it contained, and therefore we cannot rule out that the attacker downloaded a small portion of the users table. The attacker also had access to the ACP for a short period.

In light of this we recommend all community forum users take appropriate precautions on the assumption that their account was accessed. This includes changing your password and monitoring your account for any suspicious activity.

Our understanding is that the attacker used the SQL injection to reset Chris’ community forum password by retrieving the confirmation code, then discovered the ACP directory name by searching PMs sent between team members. They were then able to edit the log settings in the ACP to write to a publicly accessible location and create a back-door script on the file system. Upon discovering the attack we immediately took steps to prevent further access, and, having searched for any additional back-doors, we are now confident that the system is secure. We have also changed our ACP directory, adopted the new ACP PIN functionality added in 1.8, and used an isolated communication channel to distribute these new details to team members.
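The step that turned ACP access into a back-door was a log setting that accepted a path inside the served tree. The following is an added example, not MyBB’s own ACP code, of the validation a defender would put on such a setting: it resolves the real location of the candidate path, refuses anything under the web root, and refuses names a web server might execute or interpret as configuration. The directory layout, the extension list and the function name are hypothetical choices for this example.

```php
<?php
// Added example, not MyBB's own ACP code: validate an administrator-supplied
// log file location so that log output can never land where the web server
// would serve or execute it. Directory names and the extension list are
// hypothetical choices for this example. Requires PHP 8 (str_starts_with).
declare(strict_types=1);

// Extensions a typical PHP web server hands to the interpreter.
const SCRIPT_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phps', 'phar'];

/**
 * Returns null when $candidate is an acceptable log path, otherwise the reason
 * it was refused. $webRoot is the directory the web server serves.
 */
function log_path_problem(string $candidate, string $webRoot): ?string
{
    // realpath() resolves symlinks and "../" segments, so a path that only
    // looks like it is outside the web root is judged by where it really points.
    $dir = realpath(dirname($candidate));
    if ($dir === false) {
        return 'parent directory does not exist';
    }
    $root = realpath($webRoot);
    if ($root === false) {
        return 'web root cannot be resolved';
    }
    // Compare with trailing separators so /var/www-logs is not taken for a
    // child of /var/www.
    $dirKey  = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $rootKey = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (str_starts_with($dirKey, $rootKey)) {
        return 'inside the web root: the log would be reachable by URL';
    }
    $name = basename($candidate);
    if ($name === '' || $name[0] === '.') {
        return 'empty or hidden file name';   // e.g. .htaccess
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (in_array($ext, SCRIPT_EXTENSIONS, true)) {
        return 'script extension: a web server could execute the log';
    }
    return null;
}

if (PHP_SAPI === 'cli') {
    // Constructed layout: a served directory and a separate log directory.
    $base    = sys_get_temp_dir() . '/logpath-' . bin2hex(random_bytes(4));
    $webRoot = $base . '/htdocs';
    $logDir  = $base . '/logs';
    mkdir($webRoot, 0700, true);
    mkdir($logDir, 0700, true);

    $candidates = [
        $logDir . '/mybb.log',            // acceptable
        $webRoot . '/mybb.log',           // served by URL
        $logDir . '/../htdocs/mybb.log',  // dot-dot back into the web root
        $logDir . '/debug.php',           // outside the root, but an executable name
        $logDir . '/.htaccess',           // hidden server-configuration name
        $base . '/missing/mybb.log',      // parent directory does not exist
    ];
    foreach ($candidates as $candidate) {
        printf("%-32s %s\n", substr($candidate, strlen($base)),
            log_path_problem($candidate, $webRoot) ?? 'ok');
    }

    rmdir($webRoot);
    rmdir($logDir);
    rmdir($base);
}
```

Run it with `php logpath.php`; only the first candidate is reported as `ok`. The check belongs next to the setting, not in a later audit: once the ACP is compromised, the validator is the only thing standing between a configuration edit and a file the web server will happily execute, which is why it works on the resolved path rather than the string the administrator typed.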

We’d like to reiterate that users running the latest version of MyBB are already secured against the vulnerabilities used to gain access to the ACP, and we’ll be using information learned from this attack to further improve security within the ACP in future releases.

Regards,

The MyBB Team.

MyBB 1.8.3 & 1.6.16 Released – Security Releases

MyBB 1.8.3

MyBB 1.8.3 is now available from the MyBB website. It fixes 1 high risk vulnerability, 2 medium risk vulnerabilities and 3 low risk vulnerabilities. We recommend everyone upgrades to this release immediately.

What’s added/changed in this version?

The vulnerabilities are:

  • High Risk: A SQL injection vulnerability in theme selection (reported by StefanT)
  • Medium Risk: A XSS vulnerability in calendar.php (reported by -Acid)
  • Medium Risk: A XSS vulnerability in MyCode editor (reported by My-BB.Ir)
  • Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
  • Low Risk: unserialize may call PHP magic methods (reported by chtg)
  • Low Risk: PHP setting request_order can break register globals handling (reported by chtg)

Additionally we’ve fixed an issue with the video MyCode introduced with MyBB 1.8.2 (#1625) and revised the handling of data fetched from our website as a direct consequence of the compromised GitHub account (#1617). In addition to that, we’ve set the adminsid cookie as httpOnly (#1622). We also plan to add enhanced options to protect the Admin CP like two factor authentication with one of the next maintenance releases.

Please note that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.8.2 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.

If you’re using MyBB 1.8.1 or lower

  • Download and use the full 1.8.3 Release Package (MD5: 1f5d1246da4174f3b29799eca435d86c)
  • Follow the Docs Upgrading Instructions

MyBB 1.6.16

MyBB 1.6.16 is now available from the MyBB website. It fixes 5 low risk vulnerabilities.

What’s added/changed in this version?

The vulnerabilities are:

  • Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
  • Low Risk: A XSS vulnerability in admin/modules/style/templates.php
  • Low Risk: A XSS vulnerability in admin/modules/config/languages.php
  • Low Risk: unserialize may call magic methods (reported by chtg)
  • Low Risk: request_order can break register globals handling (reported by chtg)

Additionally we’ve revised the handling of data fetched from our website as a direct consequence of the compromised GitHub account (#1617). In addition to that, we’ve set the adminsid cookie as httpOnly (#1622).
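Two items recur in both the 1.8.3 and the 1.6.16 notes above: “unserialize may call PHP magic methods” and the adminsid cookie being set as httpOnly. The following is an added example, not MyBB code, that shows what the first means in practice and the two hardening measures that address both items. The AuditEntry class, the serialized blob and the cookie parameters are constructed for this example; it assumes PHP 8.

```php
<?php
// Added example (not MyBB code): why "unserialize may call PHP magic methods"
// matters, and the mitigations: restrict which classes unserialize() may
// instantiate, and flag the admin cookie HttpOnly so page scripts cannot read it.
declare(strict_types=1);

// A harmless class that records when PHP reconstructs it. In a real
// application any autoloadable class with __wakeup()/__destruct() side effects
// becomes reachable through untrusted serialized input.
final class AuditEntry
{
    public static int $wakeups = 0;

    public function __construct(public string $note = '') {}

    public function __wakeup(): void
    {
        // Runs automatically during unserialize(): this is the "magic method"
        // the release notes refer to. It executes before the calling code has
        // looked at the result at all.
        self::$wakeups++;
    }
}

// Serialized blob constructed for this example; think of it as the raw value
// of a cookie or form field that a client can set to anything.
const UNTRUSTED_BLOB = 'O:10:"AuditEntry":1:{s:4:"note";s:8:"external";}';

// Legacy behaviour: classes named in the payload are instantiated and
// __wakeup() runs.
function unserialize_legacy(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened: allowed_classes => false (PHP >= 7.0) turns every object in the
// payload into __PHP_Incomplete_Class, so no application method is invoked.
// Scalars and arrays still round-trip, which is all a cookie normally needs;
// for new code, JSON avoids the problem entirely.
function unserialize_hardened(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Cookie hardening from the same release notes: an HttpOnly cookie is not
// exposed to document.cookie, so an XSS bug cannot read the admin session id.
function admin_cookie_options(bool $https): array
{
    return [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => $https,   // only send over TLS when the site is HTTPS
        'httponly' => true,     // invisible to page scripts
        'samesite' => 'Lax',    // PHP >= 7.3 options-array form of setcookie()
    ];
}

function set_admin_cookie(string $name, string $value, bool $https): bool
{
    return setcookie($name, $value, admin_cookie_options($https));
}

if (PHP_SAPI === 'cli') {
    // Headers must go out before any output, so set the cookie first.
    $cookieSet = set_admin_cookie('adminsid', bin2hex(random_bytes(16)), false);

    $legacy = unserialize_legacy(UNTRUSTED_BLOB);
    printf("legacy:   got %s; __wakeup() has run %d time(s)\n",
        get_class($legacy), AuditEntry::$wakeups);

    $safe = unserialize_hardened(UNTRUSTED_BLOB);
    printf("hardened: got %s; __wakeup() has run %d time(s)\n",
        get_class($safe), AuditEntry::$wakeups);

    printf("admin cookie queued with HttpOnly: %s\n", $cookieSet ? 'yes' : 'no');
}
```

The legacy call yields an `AuditEntry` whose `__wakeup()` has already executed; the hardened call yields a `__PHP_Incomplete_Class` and the counter does not move again. That difference is the whole of the “low risk” finding: whichever classes are loadable decide what attacker-chosen serialized data can trigger, so the application should decide that list rather than the data.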

Please note that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.6.15 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.

If you’re using MyBB 1.6.14 or lower

  • Download and use the full 1.6.16 Release Package (MD5: 98e84e5de337843f407a4b58d70253c9)
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Note about updated package for 1.6.16

Due to a minor issue with the original packages an updated package set has been released.

If you installed or updated your forums using either the full or changed files packages prior to 18:00 p.m. on November 20, 2014 GMT please download a fresh package from the links above and replace the following file:

admin/modules/home/version_check.php
calendar.php (reverted to previous version)

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package: the files above will appear as modified if you need to download an updated copy.

We apologise for any inconvenience.
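The release notes above publish an MD5 for each full package, and both package notes (1.8.4 and 1.6.16) tell administrators to rely on the file verification tool to spot a stale copy of the re-released files. The following is an added example, not MyBB’s own file verification tool, of the two checks involved: comparing a downloaded archive with a published digest, and comparing an installed tree with a manifest of known-good hashes. File names, contents and the manifest format are constructed for this example.

```php
<?php
// Added example, not MyBB's own file verification tool: check a downloaded
// release package against the MD5 printed in a release note, and compare an
// installed forum's files with a manifest so that a stale copy of a
// re-released file shows up as "modified". Files and hashes are constructed.
declare(strict_types=1);

/** True when the package on disk matches the published MD5 (case-insensitive). */
function package_matches(string $packagePath, string $publishedMd5): bool
{
    $actual = md5_file($packagePath);
    if ($actual === false) {
        return false;
    }
    // hash_equals() compares in constant time. MD5 is what the release notes
    // publish, so that is what we check; it catches a corrupt or stale
    // download, not a deliberately colliding package.
    return hash_equals(strtolower(trim($publishedMd5)), $actual);
}

/** Build a manifest of relative path => sha256 from a known-good tree. */
function build_manifest(string $root, array $relativePaths): array
{
    $manifest = [];
    foreach ($relativePaths as $relative) {
        $manifest[$relative] = hash_file('sha256', $root . '/' . $relative);
    }
    return $manifest;
}

/**
 * Compare an installed tree against a manifest.
 * Returns ['modified' => [...], 'missing' => [...]] in manifest order.
 */
function verify_files(string $root, array $manifest): array
{
    $result = ['modified' => [], 'missing' => []];
    foreach ($manifest as $relative => $expected) {
        $path = $root . '/' . $relative;
        if (!is_file($path)) {
            $result['missing'][] = $relative;
            continue;
        }
        if (!hash_equals($expected, hash_file('sha256', $path))) {
            $result['modified'][] = $relative;
        }
    }
    return $result;
}

if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . '/verify-' . bin2hex(random_bytes(4));
    mkdir($root . '/admin/modules/home', 0700, true);

    // Constructed stand-ins for the two files named in the 1.6.16 package note.
    $files = ['calendar.php', 'admin/modules/home/version_check.php'];
    foreach ($files as $f) {
        file_put_contents("$root/$f", "<?php // re-released copy of $f\n");
    }
    $manifest = build_manifest($root, $files);

    // Package check: the digest copied from a release note is compared with
    // the archive on disk. The archive and its "published" hash are constructed.
    $package = "$root/release-package.zip";
    file_put_contents($package, str_repeat('constructed archive bytes ', 64));
    $published = strtoupper(md5_file($package));
    var_dump(package_matches($package, $published));          // matching digest
    var_dump(package_matches($package, str_repeat('0', 32)));  // wrong/stale download

    // A forum still carrying the original copy of calendar.php, and missing
    // version_check.php, is reported the way the note describes.
    file_put_contents("$root/calendar.php", "<?php // original copy\n");
    unlink("$root/admin/modules/home/version_check.php");
    print_r(verify_files($root, $manifest));

    // Tidy up the constructed tree.
    unlink($package);
    unlink("$root/calendar.php");
    rmdir("$root/admin/modules/home");
    rmdir("$root/admin/modules");
    rmdir("$root/admin");
    rmdir($root);
}
```

The manifest check reports `calendar.php` as modified and `version_check.php` as missing, which is exactly the signal an administrator is told to look for after the package was re-issued. Keep the manifest with the release, not on the forum host: a manifest that lives beside the files it describes can be rewritten by whoever rewrote the files.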