2.0 Dev Post #5

It’s that time again, time for another MyBB 2.0 dev blog! This post is the fifth in a series of development update posts regarding MyBB 2.0. Currently in pre-alpha, MyBB 2.0 is the long awaited upcoming major version of the open source MyBB forum software. We’ll be posting regular updates (we promise!) in regards to the development to keep you all updated. The development team have been hard at work since our last dev post, adding new features and polishing existing functionality. This post will explore some of these new features and highlight our approach to the development of the system.

Note that all screenshots and details contained within these posts are subject to change and is taken from early developmental software; details are in no way indicative of the features or presentation of the final software. Continue reading

2.0 dev post #4

It’s that time again, time for another MyBB 2.0 dev blog! This post is the fourth in a series of development update posts regarding MyBB 2.0.  Currently in pre-alpha, MyBB 2.0 is the long awaited upcoming major version of the open source MyBB forum software.  We’ll be posting regular updates (we promise!) in regards to the development to keep you all updated. The development team have been hard at work since our last dev post, adding new features and polishing existing functionality. This post will explore some of these new features and highlight our approach to the development of the system.

This month has been slightly slower than most due to many of our team members being busy finishing up university courses, exams and more. However, we’ve still managed to work away on new features and plan out new features. In this post, we will review some of the exciting new features and some of the plans we have for the future of 2.0. Continue reading

2.0 dev post #3

It’s that time again, time for another MyBB 2.0 dev blog! This post is the third in a series of development update posts regarding MyBB 2.0.  Currently in pre-alpha, MyBB 2.0 is the long awaited upcoming major version of the open source MyBB forum software.  We’ll be posting regular updates (we promise!) in regards to the development to keep you all updated. The development team have been hard at work since our last dev post, adding new features and polishing existing functionality. This post will explore some of these new features and highlight our approach to the development of the system.

Continue reading

MyBB 1.8.5, 1.6.17 & Merge System 1.8.5 Release

MyBB 1.8.5 – Security & Maintenance Release

MyBB 1.8.5 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 6 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Medium Risk: Reset password code check could be circumvented in member.php – reported by solati.sadegh
    • Medium Risk: Sender email could be spoofed when sending an email to a user in member.php – reported by onlinedevelopers
    • Medium Risk: Permissions not checked for post search with old sid in search.php – reported by pedder55655
    • Medium Risk: XSS in quick edit function of xmlhttp.php – reported by TiberiusG
    • Low Risk: CSRF in ACP mass mail cancellation – reported by Destroy666
    • Low Risk: Use of the U+200E Unicode character to create “duplicate” username – reported by mahdy2021

Please view the 1.8.5 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.4 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 12 language files and 9 templates were changed or added.

If you’re using MyBB 1.8.4:

If you’re using MyBB 1.8.3 or lower:

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB 1.6.17 – Security Release

MyBB 1.6.17 is now available from the MyBB website. It fixes 2 medium risk and 5 low risk vulnerabilities.

Please note that MyBB 1.6 is approaching its end of life and no support will be provided after 1st of September 2015 (see the EOL announcement).

What’s added/changed in this version?

The vulnerabilities are:

  • Medium Risk: Reset password code check could be circumvented in member.php – reported by solati.sadegh
  • Medium Risk: Permissions not checked for post search with old sid in search.php – reported by pedder55655
  • Low Risk: CSRF in ACP mass mail cancellation – reported by Destroy666
  • Low Risk: Use of the U+200E Unicode character to create “duplicate” username – reported by mahdy2021
  • Low Risk: Multiple XSS vulnerability requiring admin permissions – reported by adamziaja, Devilshakerz, DingjieYang and sroesemann
  • Low Risk: A CSRF vulnerability within ACP login – reported by Devilshakerz
  • Low Risk: Cache handler using var_export without encoding checks – reported by chtg

Please view the 1.6.17 changes on the Docs site for more information about the changes in this version.

Please note, that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.6.16 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.

If you’re using MyBB 1.6.16:

If you’re using MyBB 1.6.15 or lower

  • Download and use the full 1.6.17 Release Package (MD5: b9dd9e8cd9c6390626f850bb83cb03cb)
  • Follow the Docs Upgrading Instructions

MyBB Merge System 1.8.5

MyBB Merge System 1.8.5 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

This release fixes several reported issues since the release of 1.8.4, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.

What’s new in this version?

  • 26 bug fixes (View all)
    • Including several changes to the private message modules, forum permissions, the usergroup module and attachments
    • Support for phpBB 3.1
    • Support for IPB 4

Note about the loginconvert Plugin

The official loginconvert plugin was also updated to version 1.4.1, including fixes for password resets and special passwords. If you’ve run a merge in the past please update your plugin. Also the plugin was added to our mods site.

Thanks,

MyBB Team

MyBB 1.6 End of Life Announcement

MyBB 1.8 was released almost 9 months ago (September 1st, 2014 for those keeping track) and has since proven to be stable. Therefore we will be concluding maintenance and support for the MyBB 1.6 series, and we encourage everyone who has not already done so to upgrade to MyBB 1.8 as soon as possible.

The end of life date for MyBB 1.6 will be the 1st of September, 2015.

After this date:

  • We will not be offering official support for MyBB 1.6.
  • There will be no further maintenance or security releases for the 1.6 series.
  • The 1.6 support forums will be closed and archived.

If you require information on how to upgrade please consult our upgrade instructions, if you need further support please visit the support forums.

Change of license for MyBB 2.0

MyBB has historically used the Lesser GNU Public License Version 3 (LGPL3) for the MyBB 1.8 series, and the GNU Public License Version 3 (GPL3) in earlier releases.

Both of these licenses are open source licenses, though both have a fair few limitations. The basic limitations of these licenses are best described by TLDRLegal.

For MyBB 2.0, we decided that we wanted to follow a much more clear and simple licensing model. Several licenses were considered, including the extremely open MIT license. In the end, it was decided that both MyBB 2.0 and all of the associated libraries will be released under the BSD 3 Clause (BSD-3) license, which reads as follows:

Copyright (c) 2015, MyBB Group
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This license is much simpler than previous licenses, and has the following basic limitations:

  • You cannot use the MyBB Group trademark or the names, trademarks or logos of any of the project’s contributors.
  • The MyBB Group cannot be held liable for any damages caused by the software.
  • The original copyright must be retained.

This change shouldn’t mean much to many of our average users, and will require no changes in many cases. If you do have any concerns about any legal impact this may have upon you or your sites, please do open a thread in our Private Inquiries forum though we do not claim to be legal experts and a legal professional should be consulted if you have any real concerns.

We hope that this license change will make life a lot easier for users of both the MyBB software and our libraries.

2.0 dev post #2

It’s that time again, time for another MyBB 2.0 dev blog! This post is the second in a series of development update posts regarding MyBB 2.0.  Currently in pre-alpha, MyBB 2.0 is the long awaited upcoming major version of the open source MyBB forum software.  We’ll be posting regular updates (we promise!) in regards to the development to keep you all updated. The development team have been hard at work since our last dev post, adding new features and polishing existing functionality. This post will explore some of these new features and highlight our approach to the development of the system. Continue reading

Transparency on the hijacking of our Twitter account and 2.0 leaks

Recently our Twitter account was compromised and there have been questions in the community about what happened.  We’d like to take some time for a short explanation of what happened.

On January 27th, a MyBB group team member’s account was compromised, as well as his personal website.  We had unfortunately been storing out Twitter account password in plaintext in a thread.  The attacker found the password and changed the email & password of the @MyBB twitter account and began to post offensive messages.  IPs of staff members were also released during this time, as well as installation statistics.  Within two hours, we had isolated the breach and banned the staff member’s account to prevent any further purusing of private data.  The staff member in question does not have access the the Admin Control Panel, so no private user data was accessible.  We have no reason to believe any other information was accessed.  The staff member is currently on a leave of absence related to personal issues not related to MyBB.

We immediately contacted Twitter and Chris talked to a former co-worker who works at Twitter to escalate the ticket. The hacker’s access to the account was locked, and Twitter began to investigate our claim to the account.  The issue was quickly sorted and we regained access.

There was also recently a thread posted on TheAdminZone with screenshots of the 2.0 GitHub repository.  The poster claimed to be selling the 2.0 source code.  The code the user had was simple the initial commit of Laravel into the repository, none of the actual 2.0 code was present. As for seeing some of that 2.0 code, watch the blog over the next few days!

At MyBB we have a strong commitment to security.  All staff with ACP access use a secret PIN, a form of 2FA.  We release patches to any serious issues usually within hours of them being reported.  We have Two Factor Authentication enabled on our staff email accounts and Github, and are actively working on getting 2FA for our other development tools.  Security is a process, as former staff member Nathan Malcolm, now of @sintheticlabs, says.  We continue to improve our processes and incorporate more secure policies and features.