Plugin Exploits (Being reported as MyBB 1.6.5 Exploits)

Hello everyone,

We’d like to inform you that two security holes were found in two plugins which are very common on multiple MyBB forums out there. The affected plugins are the following:

[ SEO ] Simple Tag Cloud Plugin (Tags) by Watt
FBConnect (not available on our Mods site) by Nayar

The first has been unapproved, and a PM has been sent to the plugin author; it will remain unapproved on the Mods site until the author fixes the issue.
The second has been updated already and the issue has been fixed. If you’re looking for the fixed version, it is available on the author’s website as well as on the MyBB community forums here.

We strongly advise you to remove the first plugin entirely from your forum and either remove the second one or install the fixed version.
We also recommend that you check for any data that may have been compromised.

On a side note, numerous “exploiting scripts” have been spreading throughout the internet which refer to these two vulnerabilities as if they were vulnerabilities in MyBB itself and that is not true.

Thank you,
MyBB Team

MyBB Rebranding: New Logo and Mascot

Early last year, we announced the development of an official mascot which would be used in a variety of ways to promote MyBB and its official merchandise. After countless hours of hard work, we’re proud to unveil our lustrous new mascot.

MyBB Mascot

During the planning stages, the MyBB team heavily debated on what would best represent MyBB. After numerous ideas, we finally decided on an astronaut, because we feel it best demonstrates the following attributes of our forum software: strength, power, friendliness and dominance.

However, the astronaut is currently unnamed; but you can help change that. We will be announcing a naming competition soon, so stay tuned for the details.

MyBB Logo

Is it a bird? Is it a pig? No! It’s the MyBB logo! It’s great that our users always find new ways of describing our speech bubbles logo but it’s getting quite old and the team decided, along with our new mascot, we needed a new logo too.

We’ll be using the new mascot and logo across MyBB when we launch 2.0, but we just couldn’t wait to introduce them to you!

Lastly, none of this would have been possible without the talented work of Mike Creuzer (if you’re interested in his services you can find him over at Audentio Design). We’ve been extremely honored to work alongside him over the past few months to bring you these new and exciting assets for MyBB.

MyBB 1.6.5 Released – Feature Update, Security & Maintenance Release

MyBB 1.6.5 is now available from the MyBB website and is a feature update, security and maintenance release for the 1.6 series.

What’s added/changed in this version?

In 1.6.5, there are 3 vulnerabilities and over 70 reported issues fixed. Please be aware that not all of the existing problems have been fixed in this version.

  • Vulnerabilities:
    • Non Critical: Unparsed user avatar in the buddy list – reported by labrocca
    • Non Critical: Potential XSS vulnerability validating usernames via AJAX – reported by Will G
    • Low Risk: CSRF vulnerability in ?language – reported by Nathan Malcolm (Issue #1729)

    Thanks to everyone who helped find and resolve the issues!

  • Fixed issues in 1.6.5
  • Unfixed issues

There are also over 10 new feature updates in 1.6.5. These range from the ability to locate spam users from the ACP to reCAPTCHA support. To get a summary of these new updates and for a list of changed files and language pack changes, please see the Wiki on 1.6.5.

View 1.6.5 Changes in the Wiki

Upgrading from 1.6.4 and Other Versions

Before performing any upgrade, please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again once the upgrade is complete.

If you have any plugins installed that limit signatures or provide reCAPTCHA, or might not be needed because of the new default settings available, it’s suggested to uninstall these before the upgrade. If you’re unsure, create a thread in the General Support section of the Community Forum with your plugin list and a useful member will be able to tell you the plugins that need to be disabled.

To upgrade, follow the Upgrading process. The upgrade script is required. There are also language and theme changes.

If you’re using MyBB 1.6.4

If you’re not using MyBB 1.6.4

Plugin System Changes

In 1.6.5, there are some fundamental changes to the Plugin System. These changes were made to provide greater support for PHP 5.3 and above.

These changes mean that you may need to upgrade some of the plugins you are running on your forum before upgrading to 1.6.5. If you are a Plugin Developer, you need to check your plugins to see if you are required to change them so they work with the new version.

Please see the 1.6.5 Plugin System Changes Wiki for an explanation of the changes. There is also the Plugin Changes coming in 1.6.5 thread on the Community Forums.

MyBB Merge System 1.6.2 Update

For those users who have been using Merge System 1.6.1 and earlier, there is a new update ready for you.

You can read more about it in the 1.6.2 Update Blog Post.

In the near future, the Merge System will be following the main branch of MyBB – for example, if you’re using MyBB 1.6.8 you’ll need Merge System 1.6.8. This will mean that the Merge System will jump several minor points. These changes have yet to come into effect, so please continue to use Merge System 1.6.2. We’ll announce further details nearer the time of the changes.

MyBB 1.6.4 Vulnerability

In October, we found that a 3rd party had compromised the MyBB server and that the 1.6.4 release had been modified to contain a hidden vulnerability. If you’re currently using 1.6.4 and have had no prior knowledge of this, then we urge you to upgrade to 1.6.5 as soon as possible.

As a result of the compromise to our systems, we will be hosting our download packages on GitHub. We will continue to do this until we are confident that our own systems are at least as secure as what GitHub can offer.

Here are the MD5 checksums for the release packages:

mybb_1605.zip: 032403cee9d25110370ace935803ab9d

1605_changedfiles.zip: 91e6055b758c0aa233503a2a7528a7b0
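A small verification script, added here as an example and not MyBB’s own tooling, that checks the downloaded archives against the checksums listed above; the two file names and hashes are the ones published in this post, and the target directory is assumed to be where you saved the downloads. A checksum only helps if it is obtained from a source separate from the download itself, which is what the team’s plan to verify via a remote server is about.

```python
"""Verify downloaded MyBB release packages against the published MD5 checksums.

Added example, not MyBB's own tooling. The file names and hashes below are
the values published in the 1.6.5 release announcement.
"""
import hashlib
import os
import sys

# MD5 checksums exactly as published in the announcement.
PUBLISHED_MD5 = {
    "mybb_1605.zip": "032403cee9d25110370ace935803ab9d",
    "1605_changedfiles.zip": "91e6055b758c0aa233503a2a7528a7b0",
}


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file through MD5 so large archives need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_package(path, expected_md5):
    """Return (ok, actual_md5); ok is True only on an exact digest match."""
    actual = md5_of_file(path)
    return actual.lower() == expected_md5.strip().lower(), actual


def verify_downloads(directory, published=PUBLISHED_MD5):
    """Check every published package found in `directory`.

    Returns a dict mapping file name to "ok", "MISMATCH" or "missing".
    """
    results = {}
    for name, expected in published.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        ok, actual = verify_package(path, expected)
        results[name] = "ok" if ok else "MISMATCH"
        if not ok:
            # The archive differs from the one the team published: do not
            # install it; re-download from the official source and re-check.
            print(f"{name}: expected {expected}, got {actual}", file=sys.stderr)
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    outcome = verify_downloads(target)
    for name, status in outcome.items():
        print(f"{name}: {status}")
    sys.exit(0 if all(s == "ok" for s in outcome.values()) else 1)
```

Run it with the download directory as its only argument; the exit status is non-zero if any package is missing or does not match.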

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

Thank you,
MyBB Team

Some closure on the 1.6.4 Security Vulnerability

A little over two weeks ago we announced the discovery of a rather significant vulnerability which may have affected some users. At the time there was a lot of uncertainty regarding the circumstances, but I feel it’s time to follow up on our original announcement with what has since come to hand. I hope this will answer any outstanding questions, ease some of the concern, and most importantly I hope everyone checks their installations to make sure they are not vulnerable.

First and foremost, I can confirm that the code was malicious and the release was modified on the server by a 3rd party. Therefore, it is crucial that you follow the instructions in the previous blog post to ensure your installation is not vulnerable. The release package was obviously cleaned as soon as the alarm was raised, so if you downloaded MyBB after the first blog post then you don’t need to worry. We aren’t sure exactly when the release packages were tampered with; however, if you downloaded your package shortly after the release then you may not have been affected either.

There was unfortunately a vulnerability in the CMS which powers the MyBB home page and downloads system. Using this vulnerability a hacker was able to add a backdoor to one of the files, allowing them to execute arbitrary PHP and manipulate the release packages. The CMS was custom written a number of years ago, however we believe a 3rd party framework used by the CMS contributed to the vulnerability. The CMS shares no code with MyBB so there should be no concern that these events indicate a vulnerability in MyBB. The server is also configured to isolate the subdomains belonging to the MyBB website, so it is unlikely that any data from the community forums or other sections of the site was compromised.

In light of these events, we are looking at making several changes. At the very least we intend to publish checksums with downloads to help identify any future releases which may have been contaminated, and we are also looking into automating the verification process using a remote server. Using a CDN to distribute our packages is another option being considered.

MyBB 1.6.5 should be released in the next few weeks but until then please be sure to follow the instructions in the first blog post to secure your board.

1.6.4 Security Vulnerability

When 1.6.4 was announced almost 3 months ago it was one of the biggest updates MyBB has ever released. It fixed over 100 issues and brought performance improvements for MyBB forums – large or small – across the world. It was also popular for people who were new to MyBB – starting their project for the first time.

Unfortunately, the 1.6.4 release files were contaminated by code that was not meant to be there and could open a security vulnerability on your forum. It only affects those that are running 1.6.4.

We advise that you fix the problem as soon as you can. You can do so by following these instructions:

  • Download the latest release of MyBB.
  • Replace ./index.php (in the root folder of your forum) with the one in the download (./Upload/index.php).
  • Remove the ./install/ folder.

OR

  • Download and follow the 1.6.4 Patch Instructions
  • If you are unable to find the affected areas, this issue does not affect you. Otherwise, remove the ./install/ folder.

If you have any problems, please report them in the General Support Forum on the Community. If you have renamed ‘index.php’, for example if you’re using the portal as your homepage, please remember to update the correct file accordingly.

We discovered the extent of this problem earlier today, but with the release of MyBB 1.6.5 still being a few weeks away, forums need to be patched now to protect against any vulnerabilities. We’re still investigating how our release became contaminated, and if we find anything else in the meantime we’ll be sure to let you know.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

Thank you,
MyBB Team

MyBB Merge System 1.6.2

MyBB Merge System 1.6.2 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.6 series.

This release is to ensure that all users of MyBB Merge 1.6 have the latest fixes.

This release fixes several issues reported since the release of 1.6.1 which caused some incorrect functionality in the Merge System. These bugs have been fixed to provide a more stable version for public use.

What’s fixed in this version?

As always, you can send through security related messages on the MyBB website from the Contact Us page.

Thank you,
MyBB Team

Tim B. answers your questions

It’s been a while since we’ve had an interview post, so let’s kick things off again with a big one!
Our new product manager, Tim B., took time to answer some questions.

Please tell us a bit about yourself.

Well, I’m an Aussie to begin with, I’m a Software Engineering and Business student at university and I work from home.

Besides MyBB, what are some of your hobbies?

When I’m not at my computer (which is very rarely :P), I like to be on my Yamaha dirt bike, or my mountain bike (but I’m usually too lazy for that these days). Some strange hobbies also tend to gain my interest for a short period of time, for example lock picking (my own locks, don’t worry) and petrol powered remote control cars.

What made you join the MyBB staff team?

I had been a member here for quite a while before I joined the team so I had a bit of an attachment to MyBB. When a team member mentioned to me that they were looking for people to join the support team I decided that it was something I wanted to pursue because I felt it would allow my contributions to be more far reaching than I could achieve as a regular member. Upon joining I found that I enjoyed making long lasting improvements to the things that often get thrown in the too hard basket, but were nonetheless important, and so I made a number of suggestions that were adopted (and some that weren’t). I then took on a number of initiatives to improve sections of the wiki and the forum rules and soon after this Dennis announced that he had to step down due to time constraints. As I was doing a lot more behind the scenes stuff at that stage than actual support work I decided to put my name forward and eventually I was chosen to take over from Dennis, an opportunity which I am very grateful for.

The most memorable day of my life was…

Yesterday (I would say today, but it’s not over yet).

What is your dream job?

No job, I would be retired with a considerable fortune. :P That way I could pursue whatever interest I desired. On a more realistic note, I hope to one day work in the management side of the software development industry, hence why I study business along with Software Engineering.

What do you do to kill time?

I am a master of wasting time. Sometimes that is a good thing, but unfortunately usually it’s not. :P I have so many favourite time killers, facebook is an obvious one (but who doesn’t love to waste time on facebook these days), another one is a website called Moonbuggy which has random (and hilarious) pictures (if you go googling for it then be warned, it’s often NSFW). I enjoy some really simplistic games, like line rider and various other flash games, plus I occasionally get into Call of Duty and Minecraft. In terms of TV, I almost exclusively watch sitcoms, I have seen every episode of The Office, The Big Bang Theory, Community, Parks and Recreation, Better Off Ted, 30 Rock, How I Met Your Mother, Modern Family, Outsourced, The IT Crowd, Seinfeld and Trailer Park Boys, plus a few others I probably forgot. I also have to mention that I love buying (pretty random) things off the internet, usually from Deal Extreme or eBay. For example, I have one of those clothes folders that Sheldon has in The Big Bang Theory. :P

Name an item you wish to own one day, and why.

A yellow Lamborghini Gallardo with black GT stripes, just because I’m cool like that. :P If you had asked me a few weeks ago I would have said my new computer but I just bought that. :D

What made you initially want to learn PHP/MySQL?

I enjoy programming, it not only stimulates your mind but it produces something that can improve the lives of millions of people across the world and I think that’s pretty amazing. I never specifically made the choice to learn PHP/MySQL but through my involvement with MyBB and other things I have been a part of, learning PHP/MySQL became a necessity. I am certainly still learning, but I think that is the way for any programmer, looking back at my programming from a year ago I was a total n00b, and I’m sure I’ll think the same in another year about my programming now.

What do you have for breakfast each day?

I just eat whatever is in the fridge/pantry (left over pizza, pancakes or waffles always go down well). One of my favourite breakfast combos is Vanilla (or Chocolate) Up & Go on Weet-Bix (if you’re not Australian you probably won’t have heard of either of those two things), it sounds a bit strange but it’s awesome, trust me.

Anything else you wish to add?

I don’t think so, other than that I would like to say thanks to the team for making MyBB possible and to the community for making MyBB as successful as it is.


Get your questions answered

I’m always struggling to think of new and interesting questions, so please help me out and post what you would like answered! They can be general to all/any staff or specific to one member, either way, post them in the Questions for team members thread and I’ll ask them if appropriate. Thank you.

August 2011 – Staff changes

Hello MyBB fans!
So it’s been a while since the last “Staff changes” blog post! We’ve had quite a few changes recently and thought it would be a perfect time to give you all an update on our great team.

Welcome our new staff members

Please welcome Fábio Maia to the support team, more commonly known as faviouz to us all. faviouz has been a very helpful member on the community forums and has released several plugins and tutorials.
Also welcome Pirata Nervo to the development team! Pirata has been an extremely helpful member and has also developed many great plugins.

Thank staff who have moved on

Our long-time contributor Alan Crisp has left after many years on the team. A while ago he took a job as a PHP developer with skills that he learned while on the team. This very job is what has led to him resigning from the team, with little free time to continue contributing. He thanks us for all the opportunities he was given here, and we thank him for his efforts, sincerely.
We’re also sad to see Conor Calby leave, after a very helpful year on the team he has left due to time constraints as well. We hope he finds the time in the future to return.
Unfortunately one of our more recent additions to the team, thebod, also had to leave due to other commitments.

We are very thankful to anyone offering their time to MyBB and we wish those who left the very best of luck.

Applications are always open

If you would like to be a part of one of the teams we have here at MyBB (development, support, SQA), please take a look at this page for more information.

MyBB 1.6.4 Update

Note: you only need to read this if you upgraded to 1.6.4 before this blog post was made. If you have not upgraded yet, you will need this: https://blog.mybb.com/2011/07/26/mybb-1-6-4-released-feature-update-security-maintenance-release/

A few days ago, we released MyBB 1.6.4 – a feature update, maintenance and security release. We’ve noticed one or two problems with this, so we’ve decided to give out an immediate update.

There is no security threat to 1.6.4 – this update fixes a problem with quote tags, split posts and an issue with two templates. To apply this update, please follow these instructions:

  • As usual, backup your forum’s database and files, and switch off your forum’s front end. You may want to follow the Wiki Upgrading Procedure.
  • Download the 1.6.4 Update Files and upload them to your forum – overwriting the existing ones.
  • Delete ./install/lock, visit the upgrader (normally found at yourforum/install/upgrade.php) and run it again. Choose 1.6.3 from the list of versions.

The above process won’t cause any problems with your forum – it merely updates the default templates again to 1.6.4’s versions and adds a database column missing from the original update.

You also need to check two templates – online_today and member_profile_adminoptions. Please see the attached patch file and make the changes where necessary in each of the themes you have installed.

These changes have already been made to the main download of 1.6.4 – so if you’re still waiting to upgrade, now is the time to do it!

Many apologies for the less-than-perfect quality – we’re updating our release procedures so that hopefully in the future we won’t have these problems again.

Thank you,
MyBB Team

MyBB 1.6.4 Released – Feature Update, Security & Maintenance Release

MyBB 1.6.4 is now available from the MyBB website and is a feature update, security and maintenance release for the 1.6 series.

What’s added/changed in this version?

In 1.6.4, there are 2 new updates and over 100 reported issues fixed.

Please be aware that not all of the existing problems have been fixed in this version. Because of the size of the updates, these will be fixed in a later release.

The 2 new updates included in 1.6.4 are only small – one globally switches plugins on or off, and the other detects whether an Administrator has renamed the Portal for the purposes of file verification.

Security Updates

There are also 3 security updates for 1.6.4. Overall, they are low risk vulnerabilities as they all require administrator permissions – however, one of these is classed as high risk if a user manages to get into the Admin Control Panel (ACP).

As a result of this, it is recommended that only the types of variables permitted by the MyBB Development Standards are used in templates. Other types may still be used if your plugin installs the templates to the database itself, but Administrators will not be able to save templates containing these variables.

Theme Artists and Plugin Developers should take a close look at the new changes to see if their work will be affected by the new changes and update them accordingly.

Performance

In 1.6.4, there are a number of performance-related updates. These range from small code changes to caching thread prefixes. More information about these is available on 1.6.4’s page in the Wiki.

Almost everyone should be able to see at least some benefits from these changes.

Upgrading from 1.6.3 and Other Versions

Due to the size of this release and due to release errors earlier in the 1.6 series, all files need to be changed. This is to ensure that you have the latest versions of the software’s files which can be hard to trace from earlier releases.

This upgrade process is the same for any version of MyBB. Before performing any upgrade, please remember to backup your forum’s files and database and store them safely. If you have edited core files, please make sure you make a changelog for these changes so you can make them again once the upgrade is complete.

If you have installed plugins that require changes to core files, you will need to make those changes again.

To upgrade, follow the Upgrading process. The upgrade script is required. There are also language and theme changes.

If you require support for upgrading to 1.6.4, please see the 1.6 General Support Forum.

Changes in 1.6.4

We’ve made a handy reference guide to what’s changed in 1.6.4 in the Wiki. We’ll be doing this for each version in the future too so you can see what we’re working on.

View 1.6.4 Changes in the Wiki.

MyBB Merge System 1.6.1 Update

For those users who have been using Merge System 1.6.1 and earlier, there is an important security update ready for you.

You can read more about it in the 1.6.1 Update Blog Post.

Thank you,
MyBB Team