MyBB 1.8.13 Released — Security & Maintenance Release

MyBB 1.8.13 is now available, and is a security & maintenance release.

This update includes fixes related to compatibility with PostgreSQL, SQLite and PHP 7.2 and resolves attachment HTML output problems. Note that the theme’s CSS files may need to be updated. Please see this post on the community forum for more information.

  • 7 security vulnerabilities addressed:
    • High risk: Installer RCE on configuration file write — reported by pabstersac
    • High risk: Language file headers RCE — reported by Julian Rittweger
    • Medium risk: Installer XSS — reported by pabstersac
    • Medium risk: Mod CP Edit Profile XSS — reported by Julian Rittweger
    • Low risk: Insufficient moderator permission check in delayed moderation tools — reported by Starpaul20 of MyBB Team
    • Low risk: Announcements HTML filter bypass
    • Low risk: Language Pack Properties XSS — reported by Julian Rittweger
  • 62 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.

If you would like to contribute to the Project, Get Involved.

Thanks,

MyBB Team

A Fresh Perspective

MyBB has been making some changes lately, and if you haven’t noticed we’re here to give you the scoop. Discussion about bridging 1.x closer to 2.0 has been settling, and as such we have decided on the best course of action moving forward. This comes with some other updates, including the main site going responsive, our blog getting way more fun, setting up an official demo site, and speeding up that darn extension approval process.

MyBB.com

If you’ve browsed our site lately on mobile, you may have noticed that it can be a real pain to navigate. We believe it is time to change that. Rather than awaiting MyBB 2 to bring our website into the modern age, you can expect it to be updated very soon. The new site will feature a few things:

  • Modern Design – We are making sure to get the site up to modern design standards.
  • Fully Responsive – This is part of a larger goal to get all MyBB products responsive; we’re starting with the main site.
  • SEO – Finding pages on MyBB should be a much better experience through search engines.

If you have some time and want to leave some feedback, or if you just want to look at the new design, please visit the thread or repository linked below. Thanks!

New MyBB responsive design

New MyBB responsive design repository

Blog

Our blog will be getting some love as well. We’re now creating our blog posts via a repository on GitHub, so you can help (or just get a sneak peek at what the next blog will be about). If you have an idea for a blog post that we haven’t done yet, or think we could be doing something better, feel free to open an issue in the repository linked below.

New MyBB responsive design

Official Demo Site

You may or may not know this, but we keep the community forum as vanilla as possible so users can get a feel for what MyBB is, right out of the box. Unfortunately this limits some decisions we make where improving the community forum is concerned. Not only that, but it limits how users can explore a vanilla MyBB installation as well. We are going to be creating a demo website to solve both of these issues, allowing you as users to browse a clean installation of MyBB easily. Obviously these demo installs will be lacking a couple of features that a full blown install contains, such as the ability to install custom themes and plugins – this is purely a security precaution.

Providing a clean demo system for users also opens up the possibility for more changes to be made to the official community forum – such as updating the styling to fit in with the rest of the website – in the future.

You can expect work to begin on this project after the new website has launched. Stay tuned for further updates!

MyBB Extensions

Approval Process

It’s no secret that getting a modification approved on the MyBB website can be a slow process. The main offender for this is our mission to make sure submissions are safe and of good quality, which means exploring the code and installing them for ourselves. This just isn’t a sustainable practice and results in a lot of frustration.

To speed up your addon submissions, we’re going to be easing our policy for allowing submissions. The policy has been published in our documentation; check it out at the following link.

Mod submission policy

If you find an issue with one of these unapproved addons, or even one that has been approved, please report it to us via the Private Inquiries forum so we can investigate properly.

Paid Modification Support

We are also taking a look into our support of paid modifications. In the past, these have been banned from being posted anywhere on the forum. Paid authors create some great things, so we’d like to embrace them more going forward. Our current solution is allowing paid modifications in the Requests/Services/Jobs forum, which you can find below.

We’re also considering the possibility of adding thread prefixes to the Requests/Services/Jobs forum in an effort to easily distinguish the types of services available. If you have any suggestions regarding these categories, we’re all ears!

MyBB R/S/J Forum

MyBB Software Development Path

After a lot of discussion internally, on the forum and in Discord, we’ve decided on the path that the MyBB software will be following leading up to MyBB 2. While we can all agree that MyBB needs to be more modern, rewriting it entirely from scratch is an enormous task and is taking much longer than we anticipated. Judging from the input from users, as well as discussion among staff, our best option moving forward will be to further bridge the 1.x series toward MyBB 2, while updating it to be more usable and modern.

MyBB Poll results

We have not decided on any specifics, but have discussed some of the following options:

  • Use Twig
  • Use Sass
  • New, responsive theme
  • Improved user experience, meaning changes like alerts or conversations

All that we know for now is that the MyBB 1.x line needs to be improved, and we need your help on deciding what exactly will be changing. If you’d like to join in on the discussion, head over to the forum thread we’ve been using to discuss the software.

MyBB 2.0 forum thread

Moving Forward

Overall we think these changes will help bring MyBB into the modern age, and make things a lot more fun to take part in. We love reading what you, the users of MyBB have to say and take it all into consideration. If you’d like to have a discussion with us, please hop on Discord and let us know about it!

Join Discord

MyBB 1.8.12 Released – Security & Maintenance Release

MyBB 1.8.12 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 3 security vulnerabilities and 14 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Medium risk: Insufficient permission check in multiquote feature – reported by frostschutz
    • Medium risk: CSV macro injection on PM export – reported by Rico A. Silvallana
    • Low risk: Weak password reset codes & false positives – reported by Devilshakerz

Please view the 1.8.12 changes on the Docs site for more information about the changes in this version.

Please note that you do need to run the upgrade script for this version.

Upgrading from 1.8.11 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. This release changes 9 language files, and 9 templates were changed or added.

If you’re using MyBB 1.8.11:

  • Download and use the Changed Files Package
    • MD5: 9ebfae510ec51bc27f7b0062f4f99394
    • SHA1: d97f0e13799661b5811245030ef9e56c597086ff
    • SHA256: 17eab833ae6f1a7653d324da3866573437a566f0c2e4f7b4ceddb23795a933f0
    • SHA512: 1b10d9d85dca44a854783f1e37afbec2aac9d657689d09147d414ae41835386f4d97ea0c686edb06fd5de13d2a929bccf7af67fd8af7d95cddc009c6f81812d8
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.10 or lower:

  • Download and use the full 1.8.12 Release Package
    • MD5: aa0e92e5e55b69f33cab3401994f767a
    • SHA1: 1a406afbb9343145877b0382ab479dc5d17d7813
    • SHA256: a6decde96ae84a2f34a40c2f175172be163ca1fb294c5e4cef5a6396c3eb9f42
    • SHA512: c5292eab2b9a6dbefe1a696aecdb3202a7d4c9f27de3983ba975c3381aaadd775537f4bd5e389eee18ee2237506a2c8e8bb60e2ec7f0f48483335c8e3a6a5ce4
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB Forum Owner Interview #2 – spork985

This is our second interview with a MyBB forum owner, and this time it is spork985. Some of you may know him from the forum and from the free MyBB hosting website IcyBoards. IcyBoards is featured in this blog post, and spork speaks to us exclusively about MyBB.

What features do you hope to see in MyBB 2.0 that would enable you to further develop your offering to the community?

There are a lot of plugins we have installed that make very minor changes to the software. I feel MyBB could benefit from rolling some of these ideas in to the baseline code. Some examples include a “users online today” section, defaults for profile fields, redirect warning when the user clicks an external link, latest profile visits, and profile comments. I realize the importance of separation with regards to what a forum is designed to do, but I feel many of these features should be part of the core code and wouldn’t take much to implement. This would substantially cut down on the amount of 3rd party plugins we need to make available, maintain, and worry about upgrading. In most aspects, less plugins also means a more secure forum.

What is your most favourite feature of MyBB currently?

My favorite feature has to be the “purge spammer” button. It’s such a simple concept, yet I feel the person who came up with it is a genius. I always hated those mornings when I wake up, am eating my breakfast, open the forum, and… oh, this dude posted the same message 3 times in every single forum possible. Now I have to spend the next 20 minutes going through and deleting them one by one. Thank you to whoever came up with and implemented this idea.

What is your LEAST favourite feature, and how can this feature be improved to better suit your personal requirements or wishes.

One area I feel could use a little improvement is managing group permissions assigned to forums. It’s very easy at first, but once you have an established forum and want to add a group or even see the overall permissions a group has, it gets complex fast. This is made especially apparent once you start setting custom permissions beyond what the permissions interface has. Unfortunately, I’m not the creative type and don’t have a good suggestion for improvement. I do think a button to copy permissions between two forums would be extremely useful and eliminate some of the tediousness in setting things up/tediousness in an established forum where you have dozens of forums and user groups.

What do you feel is done well at MyBB, and what would you like changing?

Simply put, the code. Most good coding standards are being followed. When debugging and/or modifying, it is very easy to know where to look and quickly troubleshoot issues. Any developer is going to understand the headache of picking up someone else’s poorly-formatted code and trying to work with it. With MyBB, there is no headache at all. As for what I would like to change, we can go down the whole “opening brace on the same line” road, but I have a feeling most are not going to agree with me judging by the standards that were decided upon for MyBB 2.0 :) It really comes down to a matter of personal preference.

Looking at IcyBoards, why do you choose to solely host MyBB?

Most of the reasons just come down to personal preference, again. Before I started working on IcyBoards, I ran a few forums of my own. I tried several different software solutions, including phpBB, SMF, and PunBB. Honestly, I just didn’t like any of them. After IcyBoards was up and running for a few years, I did look at SMF hosting but the code was just… not fun. It was messy. Additionally, I decided that I would rather have one solid high quality service rather than have my time split between two separate services.

Do you plan to provide hosting for 2.0?

Absolutely. I am very excited to see what MyBB 2.0 brings to the table. IcyBoards is set up in such a way that we can host multiple versions of the software in parallel. We most likely will follow the same path we followed when MyBB 1.8 was released. Once MyBB 2.0 is made available in a stable release, we will begin providing hosting right away. At the same time, we will start working on a migration path for MyBB 1.8 users. We will continue to host and provide support for our MyBB 1.8 users as long as possible, if not indefinitely (to be determined).

What was the most challenging thing to accomplish while developing IcyBoards?

Believe it or not, the most challenging part of developing and running IcyBoards has been spam management. The majority of spammers are automated bots that join and post. They hit thousands and thousands of forums and sometimes make hundreds of posts per forum. If you’re an admin or moderator, it’s no problem. You log in and delete spam when you come across it. When you’re running a hosting service like IcyBoards, you are hosting tens of thousands of forums on one system all sharing resources. When you get hundreds of bots making hundreds of posts on tens of thousands of forums, you get… a big mess. On top of this, you get old inactive forums where the staff are never logging in and the spam just accumulates. It’s not unusual for such forums to consume 30-40-50, or even more, gigabytes of database space. I developed several ways of detecting/blocking these posts over the past 1-2 years that have been working well.

Do you have anything to add that hasn’t been mentioned in the earlier questions or answers?

Most importantly, I would like to give a big thank you to all of the developers at MyBB. A service like this would not be possible without their long and hard work. Secondly, we are always looking for ways to improve our service and really appreciate suggestions. You may post suggestions in our thread in the “Showcase” forum.

MyBB 1.8.11 & Merge System 1.8.11 Release

MyBB 1.8.11 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 3 security vulnerabilities and 32 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • High risk: XSS Injection in Email MyCode – reported by Zhiyang Zeng of Tencent security platform department
    • Medium risk: SSRF protection can be bypassed – reported by Orange Tsai of DEVCORE and Jasveer Singh of SEC Consult Vulnerability Lab
    • Low risk: Directory Traversal in smilie module – reported by Zhiyang Zeng of Tencent security platform department

Please view the 1.8.11 changes on the Docs site for more information about the changes in this version.

Please note that you do need to run the upgrade script for this version.

Upgrading from 1.8.10 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. This release changes 5 language files, and 7 templates were changed or added.

If you’re using MyBB 1.8.10:

  • Download and use the Changed Files Package
    • MD5: f99cdecf3d96c8c39441c81d8468e4f6
    • SHA1: 323bec46d3da051fe5e9899e1a4ffdd8e538b5f5
    • SHA256: f3a50f31dc6045e63ccad826fd4fa35f1240891238f4fbcdaeb724835cd58f4d
    • SHA512: 4d9018f2e1f286dd447e4c4db0ba9be18b1c407ed63272711d11deb6a09d7e301967917d465e368d8ebdd046cc0c7c5a23308b8ed72f8d5f9e9307ba6a81f8e3
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.9 or lower:

  • Download and use the full 1.8.11 Release Package
    • MD5: d4d3de795b69b076264a007e7a989f64
    • SHA1: 5ca8bf23a8efe0940bfe3c6fba852676144ea134
    • SHA256: c95cf770fffb37f811bee17a828cea8f0c789f22069c1783f3fb6f567fa7ca43
    • SHA512: 9db6ec3894cd66a26dffb5682109e25073148f1c885f2e0638be8c7d95eb2ba5e16db6dc66087431e919d849acdb7c2c11c95e247e99f6f8f44bcc19fe721015
  • Follow the Docs Upgrading Instructions
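The checksum lists published above for the 1.8.12 and 1.8.11 packages can be checked mechanically before a package is unpacked. The following is an added example, not MyBB's own tooling: the function names are assumptions, and the demo file is constructed rather than a real MyBB archive. It accepts a package only when every published digest matches and at least one of them is SHA-256 or SHA-512, because MD5 and SHA-1 are collision-broken and a match on those alone does not prove integrity.

```python
import hashlib
import hmac
import re

# Digest labels as they appear in the announcement, mapped to hashlib names.
ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
# Expected hex length per label, used to reject truncated or mis-pasted values.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Only these count as proof of integrity.
STRONG = ("SHA512", "SHA256")

# Matches lines such as "    • SHA256: 17ea..." (bullet and indentation optional).
LINE_RE = re.compile(r"^\W*(MD5|SHA1|SHA256|SHA512)\s*:\s*([0-9a-fA-F]+)\s*$")


def parse_published(block):
    """Parse a pasted checksum list into {label: lowercase hex}."""
    published = {}
    for line in block.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore download links, instructions, blank lines
        label, value = m.group(1), m.group(2).lower()
        if len(value) != HEX_LEN[label]:
            raise ValueError(
                f"{label} value has {len(value)} hex chars, expected {HEX_LEN[label]}"
            )
        published[label] = value
    return published


def file_digests(path, labels):
    """Stream the file once and return {label: hexdigest} for the given labels."""
    hashers = {label: hashlib.new(ALGOS[label]) for label in labels}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {label: h.hexdigest() for label, h in hashers.items()}


def verify_package(path, block):
    """Return (ok, report).

    report maps each published label to True/False (match or mismatch).
    ok is True only if every published digest matches AND at least one
    of them is SHA-256 or SHA-512.
    """
    published = parse_published(block)
    if not published:
        return False, {"error": "no checksums found in block"}
    actual = file_digests(path, published)
    report = {
        label: hmac.compare_digest(actual[label], published[label])
        for label in published
    }
    has_strong = any(label in published for label in STRONG)
    return all(report.values()) and has_strong, report


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed stand-in for a downloaded package; not a real MyBB archive.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".zip") as tmp:
        tmp.write(b"constructed package bytes")
        path = tmp.name

    # Build a checksum list in the announcement's layout from the sample file.
    digests = file_digests(path, ALGOS)
    block = "\n".join(f"    • {label}: {value}" for label, value in digests.items())

    print("untouched:", verify_package(path, block))

    # Simulate a corrupted or tampered download.
    with open(path, "ab") as fh:
        fh.write(b"!")
    print("modified: ", verify_package(path, block))

    os.unlink(path)
```

To check a real download, paste the list for the matching package from the announcement as `block` and pass the path of the downloaded archive.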

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB Merge System 1.8.11

MyBB Merge System 1.8.11 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

What’s new in this version?

Thanks,

MyBB Team

Note about updated packages

The original packages have been replaced by updated packages to fix a compatibility issue causing warnings on certain PHP environments.

If you installed or updated your forums using either the full or changed files packages prior to 19:00 on April 6, 2017 GMT please download a fresh package from the links above and replace the following file:

  • inc/functions.php

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package, the file above will appear to be modified if you need to download an updated copy.

We apologise for any inconvenience.

MyBB Forum Owner Interview #1 – Sharree

We recently contacted Sharree with an invitation to be featured as our first Big Board Owner (BBO) Interview. After seeing the results he has achieved with his MyBB forums, we were eager to hear his response. Fortunately for us, Sharree agreed to sit down and have a conversation with the MyBB Team.

First of all, he has Sharree.com which is his first MyBB site, recently joined by a board which some of you may have recently seen in the Showcase section on the Community Forums — StoryMunch. The result of the advanced customization is amazing! Here are Sharree’s responses to our questions below.

What inspired you to create your sites?

Sharree is a site for small YouTubers to share and promote their videos. Being someone who’s tried YouTube in the past, I know how disheartening it is to put a lot of time into a video and have little reaction or viewership. That is why I’ve aimed to create a platform that’ll ease the struggle for small beginner YouTube channels and bring more attention to them.

There were two MyBB powered forums back in 2013 that got me interested in the software. The first was LeeFish’s BlackCanvas project which was an image gallery for sharing abstract art, the other was brad-t’s Harajuju, a Japanese fashion community. Both sites were heavily customized using the XThreads system, prior to these two I had only seen traditional forums so I was absolutely amazed at MyBB’s capabilities and what could be achieved through the MyBB software. I was inspired by them both and in 2015 it led to me selecting MyBB to power my site Sharree.com.

Do you have any exclusive plans for your sites?

Currently Sharree is a YouTube sharing platform that allows YouTubers to share and promote their content with other YouTubers. It has been a little over a year since the site’s launch and I feel it’s time for change. I’ve decided to expand the site further by allowing other sharing options including Twitch streams, SoundCloud tracks, Graphics, and Websites. I feel the site should have more leeway for content creators, not just catering to YouTubers. There is so much talent out there that deserves to be discovered, so I hope to make Sharree the hub for all content creators to share their talent whether it be entertainers, musicians, artists, or any other craft. I am seeking more forum growth with these changes. Along with this expansion I am developing a new flat theme inspired by Dribbble, Flarum, and Shade’s MyBBoost. I have been working on these changes and I’m looking to have them implemented by early March 2017.

What do you like about the MyBB software that allows you to create your sites as you desire?

I love the flexibility of the software and the freedom in customization. To be able to develop themes, modify templates and have extensive plugin choices has allowed me to create my site as I desire. If it wasn’t for MyBB’s freedom, I would have likely selected another software. Being someone who had minimal CSS, HTML, PHP, and SQL knowledge prior to Sharree, my coding knowledge is completely self-taught through the flexibility of the MyBB software. Being a complete beginner, the ease of use of the software was a bonus. Navigating the Administration panels becomes increasingly easy over time and once you’ve adapted to the software it becomes your playground for creating anything.

What would you recommend to people looking to start a forum?

With giant platforms like Google+, Reddit, and Facebook groups, social communities for any topic have become readily available and can be created by anyone with ease. I’ve heard people say “There’s a Reddit for everything” or “There’s a Reddit for that”, the fact is giant platforms like Reddit have made it increasingly difficult for starting forums to gain traction. I feel because of these giant platforms, forums have become less popular and relevant compared to the 2000’s. Despite this added difficulty for new forum owners, getting a new forum on its feet is not impossible. Creating and launching a forum is the easiest part, I feel less thought goes into pre-development planning and having a marketing plan for post-development. Have everything thought out and thoroughly consider if your forum concept is something that the internet needs and is worth creating. After development, marketing becomes the bedrock of your forum, without it your forum will have no activity. This was the area where my focus was lacking in past projects and it is where I see most new forum owners lacking as well. Posting your forum in Showcase sections of web-development boards, begging users to join, and shutting down after a couple of months is not a marketing plan. Invest your time into your project, do your research, if you believe in your project then don’t shy away from spending some capital, and don’t jump ship when things don’t go as expected. This is what led to me becoming a Big Board Owner.

What method(s) did you use to gain activity on your forums?

After launching my site I began contacting YouTubers individually, telling them about my site and what it offers. I’ve created a website for those struggling and talented YouTubers who deserve to be brought to the forefront. The site’s concept is something that YouTubers really needed and it had many of the people I contacted rushing to join the site. The growth at the beginning was quite slow but seeing many of the positive comments from the YouTubers I contacted, I became more and more confident with the site. The method that brought the most activity to my forum is influencer marketing, in May 2016 I began contacting larger YouTubers who’d recommend my site to their subscribers. I was hesitant about the cost but the turnout was amazing as the forum surged with activity. The sudden influx of users had me upgrading my webhosting plan three times in one day. With the increased activity I began offering users an incentive for creating videos about Sharree where their YouTube channels would be featured in the header of the home page. As of February 2017 there are over 6,000 video results for Sharree.com, all helping bring further activity to the forum.

What do you like most about the MyBB software?

What I like most about MyBB is the freedom in the software. Being able to play around with templates allows me to mold the software into something unique that stands out from ordinary traditional forum layouts. Plugins like XThreads and Template Conditionals by ZiNgA BuRgA are examples of the extensibility that the MyBB software offers, I don’t think turning a forum into a complete video, music, or image gallery would be possible with any other forum software.

What is one thing that you regret most during your development time?

One thing I regret is when my forum began getting a lot more activity, I panicked. Initially I was running the forum on my own with my friend Bobby helping with moderation. With the amount of reports we were getting we really needed more staff members, and we needed them fast. Instead of having applicants and selecting users best suited for the position, I chose the first users who volunteered. It was a disaster. To new forum owners, this should be obvious but I recommend you think thoroughly before giving users moderator privileges.

How much time and effort do you put into maintaining the boards?

On average about 20-30 hours a week are spent maintaining the board, sometimes more if big changes are being made or site updates are being implemented. Although most of the site’s development is done by me, I have to thank my staff team Jennifer, Shayne, and Ryan who help generate new ideas for the forum and ease the workload by voluntarily moderating the site on a daily basis. I’d also like to thank Sharree’s Mentor Team who voluntarily assist users by offering advice as well as their guidance.

Can you share on your forums’ profits?

I do not wish to reveal the exact amount I’m making through the forum, however to give you some idea of my forums’ profits: After one year of running the forum I felt secure enough to leave my part-time job and focus on my forum full-time. I am very grateful for my users as I am currently able to pay for my schooling without taking any student loans.

What are you hoping 2.0 will bring to a site like yours?

I am unsure if I will be upgrading Sharree to MyBB 2.0, it may be difficult to transition to the new version. Plugins that are essential for my forum’s functionality may need to be modified or completely rewritten although that cannot be answered until MyBB 2.0 is released. Based on the screenshots, videos, and demos I am very excited for its release. I will definitely download and experiment with MyBB 2.0 when it’s released, possibly using it in a future project.

Introducing the new Extend MyBB platform

This past October, we announced a comprehensive update was in the works for Extend MyBB. Today, we are pleased to announce that those changes are now live. As we mentioned then, the entire Extend MyBB platform has been completely redesigned with a new, far more intuitive user interface.

The majority of the functionality remains the same; however, there have been some notable changes and improvements worth mentioning.

What’s changed?

New build review process

Previously, when a new build was uploaded, it was marked as a dev build. These builds were available for download to the public. You could then mark a build as stable, which would then place the build in a queue for a member of the MyBB staff to review. This queue often became long, leading to significant delays in reviewing builds. Additionally, the distinction between dev builds and stable builds was not abundantly clear.

Starting today, for both new and existing projects, you will be able to mark builds as development or stable at any time without any review from MyBB staff. Instead, there is a new Reviewed by Staff badge and queue, separate from the dev/stable status, to distinguish builds that have been reviewed by the MyBB staff. Both dev builds and stable builds can be submitted for review by MyBB staff. Whether or not a build has been reviewed by MyBB staff is indicated on the build’s download page.

All builds that, prior to today, had been marked as stable are now also marked as Reviewed by Staff.

Build version numbering

You can now specify a version number for each build rather than relying on the change logs and build numbers to differentiate between builds. Build version numbers do not have to be unique, meaning, for instance, you can upload development builds of a new version of a plugin before uploading a stable build with the same version number. When uploading a new build or editing an existing build, you also have the option of automatically updating the project’s version number to match the build you are uploading or editing.

Recommendations are now Stars

Recommendations have been renamed to stars. The functionality is identical; however, you can now see a listing of all projects that you have starred by going to your My Projects page and clicking on Stars. We felt the name change was appropriate given this added functionality.

Select multiple categories

There are often plugins (and themes) that fall into multiple categories. Previously, you were required to select a single category that best described your project. No more. You can now select multiple categories for plugin, theme, and graphics projects, or, if none of them fit, you don’t have to select any category (eliminating the “Miscellaneous” categories). Most of the plugin categories remain unchanged; however, theme categories have changed significantly and most themes will need to select a new category.

Translations improvements

In an effort to make finding the MyBB translation for your language easier, we have streamlined translations projects to ensure they will be more consistent moving forward. Translations can no longer upload preview images; instead, there are a number of pre-defined languages with pre-selected flags that you can choose from when uploading a translation. If the language for the translation you are uploading is not available, you can manually specify the language. However, we encourage you to contact us in Private Inquiries so your language can be added to the drop down menu, allowing a flag to be displayed alongside your translation.

Changes to preview images

Preview images can now be re-ordered rather than being displayed in an arbitrary order. Additionally, we now recommend you upload a square image of at least 200px x 200px for your cover image.

Additionally, due to changes with thumbnail sizes for all preview images, it is highly recommended that you re-upload your preview images so that the thumbnails can be re-generated at the appropriate size.

Wrapping up

A lot of time has been spent in redesigning and improving the MyBB Extend platform and we hope you find it easier to use. While it has undergone significant testing, it is still likely that there will be a few bugs in the upgraded platform. Please post about any bugs or issues you experience in the MyBB.com Community & Site Issues forum, including detailed instructions on how to reproduce the bug.

Enjoy!

Organizational changes in the MyBB Project

As the MyBB 2.0 development gains traction again — a joint effort of the Team and our technical Community — we are passing an important milestone in the area of the Project’s organization. Entirely new concepts, de-facto standards and unspoken rules, either improving the fluency within the Team or aimed at increasing MyBB’s maturity (and sometimes both), are being continuously brainstormed. We would like to share our progress so far in areas we are confident about.

PSR standards conformance from MyBB 2.0

World Standards Day / International standards day is celebrated internationally each year on 14 October. […] The United States held a 2014 U.S. Celebration […] on 23 October […].

Currently our coding standards are rather specific when compared to other projects in the PHP Community, and may be perceived as unnatural (exhibit A: 1.8 development standards) — starting from 2.0, MyBB’s source will be fully conformant with PSR standards. While this means that we will inevitably be choosing a standardized side in one of the greatest arguments in the history of programming, which we have been avoiding for some time (exhibit B: 2.0 Dev Post #5), this decision will ensure that our code preserves compatibility of coding style with other PHP projects and frameworks. This should lessen the confusion in Pull Requests and allow new contributors to adapt more easily.

Secure connections to *.mybb.com websites

A simple visit to any of our websites involves many platforms and servers: by connecting to our Documentation on docs.mybb.com, your requests go through our reverse proxy (currently provided by CloudFlare) to hit our Jekyll-powered website hosted on GitHub Pages from the Docs repository, whereas requests to the Blog you are reading this article on go to WordPress.com platform servers instead after following a similar path. Spreading our web presence in such a decentralized manner has great advantages, with independent availability being the most significant one; however, maintaining them all becomes more complicated and introduces security risks with each addition.

In order to aid that, we have launched efforts to start enforcing HTTPS traffic to our websites and inserting security-related HTTP headers — although we don’t control external servers, we were able to set up the most important redirects and directives using the reverse proxy; these changes, combined with Subresource Integrity hashes for external content served on mybb.com and docs.mybb.com, provide a reasonable level of security given access limitations for any project that decides to set up their infrastructure in this fashion. If you happen to randomly browse the Chromium source code, you will discover that the mybb.com domain is now present on the HSTS preload list, making derived browsers enforce HTTPS upon first visit out of the box, helping our case a great deal.

Having control over the server hosting the Community forums and download Resources, we set up additional security headers that are now sent to the browser from both locations and our MyBB installation to serve cookies with the Secure flag, a feature shipped with MyBB 1.8.10. By using a MyBB plugin with a Node.js proxy server, external resources on our forums are now being delivered to users over a secure connection, resolving the issue of insecure content and enhancing their privacy by eliminating the necessity of downloading data directly from third party servers. Even when either one breaks, the Content-Security-Policy header will prevent insecure content from being loaded (the next major version of MyBB will make it possible to include all common security headers, as we will be aiming to eliminate obstacles like inline JavaScript).

You can take a closer look at the gritty details of our current setup here and here.
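A check for the measures named above (HSTS settings that qualify for the preload list, a Content-Security-Policy that stops insecure subresources, and cookies carrying the Secure flag) can be scripted against a response's headers. This is an added example, not MyBB's own tooling; the sample headers are constructed, and the policy is assumed to rely on the `upgrade-insecure-requests` or `block-all-mixed-content` directive.

```python
ONE_YEAR = 31536000  # minimum max-age accepted for HSTS preload submission
MIXED_CONTENT = ("upgrade-insecure-requests", "block-all-mixed-content")  # assumed


def directives(value):
    """Split a header value on ';' into trimmed, lower-cased directives."""
    return [d.strip().lower() for d in value.split(";") if d.strip()]


def audit_headers(headers):
    """headers: (name, value) pairs from one HTTPS response.
    Returns a list of findings; an empty list means every check passed."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    findings = []

    # Browsers process only the first Strict-Transport-Security header.
    hsts = directives(by_name.get("strict-transport-security", [""])[0])
    ages = [d.split("=", 1)[1].strip('"') for d in hsts if d.startswith("max-age=")]
    if not (ages and ages[0].isdecimal() and int(ages[0]) >= ONE_YEAR):
        findings.append("hsts: max-age missing or below one year")
    for required in ("includesubdomains", "preload"):
        if required not in hsts:
            findings.append(f"hsts: {required} missing")

    csp = [d for v in by_name.get("content-security-policy", []) for d in directives(v)]
    if not any(d.split()[0] in MIXED_CONTENT for d in csp):
        findings.append("csp: nothing stops insecure subresources")

    for cookie in by_name.get("set-cookie", []):
        if "secure" not in directives(cookie)[1:]:
            findings.append(f"cookie {cookie.split('=')[0].strip()}: Secure flag missing")
    return findings


# Constructed sample responses (not captured from any mybb.com host).
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src https:; upgrade-insecure-requests"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly; Secure"),
]
WEAK = [
    ("Strict-Transport-Security", "max-age=86400"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_headers(sample))
```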

Team members’ PGP keys now available

The transition of our development process, now headed towards MyBB 2.0, largely impacts the organizational matters of the Project itself — one of the recent preparations for an improved release management protocol that is easy to spot is the rollout of PGP keys that can be used to contact Team members, if you have a feeling that your messages sometimes have more recipients than they should (or if you’d rather be safe than sorry and use it out of principle, like we do). These can be found on our refurbished Team page that now also links accounts on social media, acting as backup channels of communication.

Packages integrity and authenticity measures

While keys and fingerprints look excellent on our website, they won’t be used (only) for aesthetic purposes: we will start signing MyBB releases. Designated Team members will be able to submit a public key that will be added and announced on our website and social media feeds for transparency purposes.

Further, while the hashing algorithm used for internal file verification and passwords in MyBB 1.8 is weak by today’s standards due to the codebase’s age, there is a lot of room for improvement when it comes to verifying the packages. If you’ve been paying attention to the release notes, you’ve probably noticed that we started publishing additional, stronger checksums for each release package as of MyBB 1.8.8. These actions are intended to provide webmasters with a degree of confidence when it comes to integrity of MyBB packages while still maintaining focus on the development of MyBB 2.
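To use the published checksums, a downloaded package can be hashed once and compared against every digest in the release-note list, accepting it only when a SHA256 or SHA512 value is among the matches. This is an added example, not MyBB's file verification tool; the function names are hypothetical, and the "package" and its checksum list are constructed stand-ins in the `LABEL: hexdigest` layout of the release notes.

```python
import hashlib
import io

# Labels as they appear in the release notes, mapped to hashlib names.
ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
STRONG = {"SHA256", "SHA512"}  # a match on MD5 or SHA1 alone is not accepted


def parse_checksums(text):
    """Read 'LABEL: hexdigest' lines (leading bullets allowed) into a dict."""
    published = {}
    for line in text.splitlines():
        label, sep, value = line.strip(" \t•").partition(":")
        label = label.strip().upper()
        if sep and label in ALGORITHMS:
            published[label] = value.strip().lower()
    return published


def verify_package(stream, published, chunk_size=65536):
    """Hash the stream once with every published algorithm.
    Returns (ok, results): ok needs all digests to match, one of them strong."""
    hashers = {label: hashlib.new(ALGORITHMS[label]) for label in published}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    results = {label: h.hexdigest() == published[label] for label, h in hashers.items()}
    ok = all(results.values()) and bool(STRONG.intersection(results))
    return ok, results


def demo():
    """Constructed stand-in for an archive and its release-note checksum list."""
    package = b"constructed stand-in for a release archive"
    notes = "\n".join(f"    • {label}: {hashlib.new(name, package).hexdigest()}"
                      for label, name in ALGORITHMS.items())
    published = parse_checksums(notes)
    intact = verify_package(io.BytesIO(package), published)
    tampered = verify_package(io.BytesIO(package + b"\x00"), published)
    weak_only = verify_package(io.BytesIO(package), {"MD5": published["MD5"]})
    return intact, tampered, weak_only


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

For a real download, open the archive with `open(path, "rb")` and pass the checksum lines copied from the release notes to `parse_checksums`.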

Vulnerability assessment with CVSS v3

We have always tried to provide as much information as we could about security patches after an update; however, we were not quite satisfied with limiting the security issue index to the simple low-medium-high scale used in MyBB 1.x. MyBB’s RFC #9 has established one of the major foundations of the security process, starting with MyBB 2.0: each vulnerability fixed in a given release will have a CVSS v3 score assigned, as specified in the Common Vulnerability Scoring System, V3 document. The 8 basic metrics will allow us and any third party user, team or organization to assess the exploitability, scope and impact of vulnerabilities and to adjust the rating by adding extra details within the same scale using Temporal and Environmental Metrics, allowing system administrators to prioritize and organize proper responses. For example, a SQL Injection vulnerability in the Moderator Control Panel could be assigned a score of 6.3 (Medium) composed of the base metrics CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, all of which would be published in the release notes of corresponding releases.

Spotlight on security research

Another significant part of the Project’s organization plans is to launch a Security Hall of Fame. Researchers reporting security issues and vulnerabilities, provided they follow responsible disclosure standards, will be placed on a dedicated list in recognition of their time and cooperation. In accordance, MyBB will promote post-incident analyses and write-ups, aiming at increasing security awareness and promoting community-based code reviews. To supply you with latest details and articles related to MyBB’s state of security, we have launched a dedicated, technical Twitter feed — make sure to follow @mybbsecurity to let us help you maintain a strong grip over your board’s security.

MyBB 1.8.10 Released – Maintenance Release

MyBB 1.8.10 is now available from the MyBB website, and is a maintenance release.

What’s added/changed in this version?

This release fixes 22 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

We’ve decided to publish MyBB 1.8.10 only 3 weeks after the previous release to fix an issue, introduced with MyBB 1.8.9, that broke some JavaScript-based features.

Please view the 1.8.10 changes on the Docs site for more information about the changes in this version.

Please note that you do need to run the upgrade script for this version.

Upgrading from 1.8.9 and Other Versions

Before performing any upgrade, please remember to back up your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 5 language files and 11 templates were changed or added.

If you’re using MyBB 1.8.9:

  • Download and use the Changed Files Package
    • MD5: 9695cb97ff6928640c72436ce3667b05
    • SHA1: 16fd567b118525e0619c6749f27da96c8ceec1a9
    • SHA256: 6eae4b078283a533797ee9692d436b45309c79af4657c9885f79606c50365ec3
    • SHA512: 124cdafcfad72a72ad71d8bbab1c30c335e20edfa89af1976963531e7bebcfdcb4e353a11191d3ef3b2af66effe402e30e093f52c3bea3b3e17d68f6247ba7d9
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.8 or lower:

  • Download and use the full 1.8.10 Release Package
    • MD5: 40868d918262384ce4c1d31399f66b4d
    • SHA1: 192f0c7949e867c800bafd06640bf4b7d1cac6ea
    • SHA256: 34907b26e7534327b828ae7d98d4ab9e5184f985ef8c155fd2b8690809ce6dc0
    • SHA512: cb4584f00c60b757f9ce72e16a8eb8596cc8d4d22bed38085b6967706ab08c1c1bdeb7effba578c388156b57862266a8b30ce181c47968ddb1c1ce7691bec66b
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Note about updated packages

The original packages have been replaced by updated packages to fix an issue causing incorrect last post information on index.

If you installed or updated your forums using either the full or changed files packages prior to 20:00 GMT on January 12, 2017, please download a fresh package from the links above and replace the following file:

  • inc/datahandlers/post.php

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package; the file above will appear to be modified if you need to download an updated copy.

We apologise for any inconvenience.

MyBB 1.8.9 Released – Security & Maintenance Release

MyBB 1.8.9 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 1 security vulnerability and 52 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Low risk: CSRF issue when removing subscriptions – reported by Devilshakerz

Please view the 1.8.9 changes on the Docs site for more information about the changes in this version.

Please note that you do need to run the upgrade script for this version.

Upgrading from 1.8.8 and Other Versions

Before performing any upgrade, please remember to back up your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 18 language files and 85 templates were changed or added.

If you’re using MyBB 1.8.8:

  • Download and use the Changed Files Package
    • MD5: cd4f736ef9c3b20136203350468ad23d
    • SHA1: 3208c50d35aacc9d51d195de8ccc33aed1e3b1c6
    • SHA256: c153236148457ae1ea2a62b8c7c15a11a093ab436ae6ea416c8cf9ca2bf53687
    • SHA512: 1e16aeae125a1e2edf966866d53c51ce9b5d7568214c6244efc4976d4af16186e3f9f10f8eafbd5f5de3210a1fada6635fea7c97bb09afe3d1c9bf3e368bfa3d
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.7 or lower:

  • Download and use the full 1.8.9 Release Package
    • MD5: b1a8fbdb4d8a888f7757be14cd658662
    • SHA1: d30f95de2e2142a46e4a34e0d26a8d3f5762cb22
    • SHA256: cc4a015edb96b587a74b3d54c00bf2ecd4be6ff2efec8b24caae90c538b42e89
    • SHA512: b18ffd2797f2f6fc775fda7b47c6d4b63d36f0e8c57ee1ce6797de8e600f741df2cc1bce713723b12d2374e723289641ab3a10248f5ba53672f5765bed836056
  • Follow the Docs Upgrading Instructions

To update existing themes the following CSS code needs to be added to global.css:

.deleted_post_hidden {
	border-top: 2px solid #ccc;
	padding: 15px;
}

.deleted_post_collapsed {
	border-top: 3px solid #333;
	padding: 15px;
}

.deleted_post_collapsed .show_deleted_post {
	margin-top: -15px;
}

.deleted_post_collapsed .show_deleted_post a.button span {
	background-position: 0 -400px;
}

Note: JavaScript-related bugs discovered

We have found that some JavaScript-based functions (like the inline moderation) may not work properly under MyBB 1.8.9. Please refer to the Community thread for detailed instructions on how to patch the code while we prepare a fixed package.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team