MyBB 1.8.17 Released — Maintenance Release

MyBB 1.8.17 is now available, and is a maintenance release.

This update fixes several issues introduced by MyBB 1.8.16 such as not being able to log into forums.

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.16 Released — Security & Maintenance Release

MyBB 1.8.16 is now available, and is a security & maintenance release.

This update includes compatibility fixes for database engines and recent PHP versions as well as performance and global security improvements. Note that the theme’s CSS files may need to be updated. If you use the login_attempt_check() function, note that its signature has changed.

 

  • 6 security vulnerabilities addressed:
    • High risk: Image & URL MyCode Persistent XSS — reported by Punisher_HF
    • Medium risk: Multipage Reflected XSS — reported by Dimaz Arno of Ethic Ninja
    • Low risk: ACP logs XSS — reported by Cillian Collins
    • Low risk: Arbitrary file deletion via ACP’s Settings — reported by Devilshakerz of MyBB Team
    • Low risk: Login CSRF — reported by Cillian Collins
    • Low risk: Non-video content embedding via Video MyCode — reported by Punisher_HF
  • 66 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

 

Issues on Upgrade?

 

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 2.0 is being put on hold

The community spoke and we are listening.

Effective immediately, the MyBB team will be putting 2.0 on hold and working towards a more viable & gradual approach to rewriting the core software. Rather than a total rewrite all at once that could take years to complete, we’re going to roll out smaller updates in a quicker fashion. Starting with MyBB 1.9 and onwards, each release (1.10, 1.11, 1.12, etc.) will have new features and rewritten code until we reach the ultimate goal of a totally rewritten and modern forum software.

First up is MyBB 1.9. This update will feature a responsive theme built on a new and improved, Twig template system. This system will allow template conditionals, variable loops, template includes, and much more. Along with a new theme and template system, we’re reworking & improving all of the javascript code and moving it from being inline with the theme to external files. Doing this will make it easier to manage and allow site owners to more easily implement better Content Security Policies on their forum.

In addition to the theme work outlined above, we’re going to be replacing SCEditor with TinyMCE as well as introducing the Swiftmailer mail handler. TinyMCE should be a vast improvement to the overall user experience compared to the current editor we’re using in the 1.8 series. TinyMCE is well-supported & maintained, modern and easily extensible with plugins if you’re looking for extra functionality. Swiftmailer will improve our core email functionality and should integrate better with most SMTP hosts. Swiftmailer will also allow us to retry sending failed emails, add attachments, use the BCC & CC functionality, support servers that require usernames & passwords and/or encryption and much more.

We are excited to embark on this path together with the end goal being to restore MyBB’s place as the best forum software available today— free or commercial.

Thank you for you feedback. Please continue to voice your opinion about the things that are important to you. We are all in this together!

Follow the links below to view the MyBB 1.9 repository and MyBB 1.9 forum topic, respectively:

MyBB 1.9 RepositoryMyBB 1.9 Forum Topic

Building software packages with Docker and Phing

Every meaningful set of development activity in open-source projects like MyBB is followed by an official release that merges in additional lines of production, like security updates, and wraps it up with descriptions and instructions easy to understand for non-developers and site maintainers. Currently the most popular way of distributing updates to PHP-based software is file packages: project managers have to scramble to gather and bundle all files and associated documentation while site administrators are expected to keep track of (and sometimes interpret) this information.

This, to convenience of site administrators and ours, is planned to improve upon adoption of concepts like continuous integration that put emphasis on making all products deployable after every change to the code, and the integration of tools like Composer, which ease the pains of managing third-party solutions and allow to separate one big product into small, handy modules. Even though conveniences like fully automated updates will take time to become reality with informal open-source projects (where the technicalities are much easier to implement than procedures that provide a reasonable level of security), MyBB moves closer to that with eliminating manual tasks covering a broad range of activities that precede each release—the last 4 versions of MyBB (starting with 1.8.12) have been build using the recently published package builder.

The MyBB build repository

Rewriting Memos in XML & PHP

The core part of the builder’s logic is Phing, an Apache Ant-based PHP task build system. This engine enables developers to specify operations related i.a. to git & patch (extensively used to apply sensitive patches before the release), file encoding and archiving saved in an XML build file. It’s also used to call sub-scripts that list changed files and calculate archive size and checksums, but also perform some project-specific operations like counting modified language files, searching for templates that changed between versions or update plugin hook locations with line number precision. Since the Jekyll-powered MyBB.com website is generated from Markdown & Front Matter data files, the builder also prepares the version’s YaML metadata ready to be put into the repository allowing Release Notes and the Release Blog Post content to be generated.

You Want to Run it on What?

Another important role plays Docker, a platform introducing container systems. You might recognize it from the recently put out image recipe that can be used to deploy MyBB 1.8, however this environment is also used whenever packages need to be assembled. No matter who, where or when participates in the building process, they should be able to use the same precisely defined tools—by running the script inside a container we can assure a degree of confidence in that, given the separation from the host operating system. Our Docker image, based on a trimmed down version of Debian, contains an unsuspicious development toolset including basic packages and a PHP interpreter with customized configuration and the strip-nondeterminism tool that normalizes the output to make it possible to arrive with byte-to-byte equal archives identified by matching checksums. This practice is called build reproducibility which will serve as a vital part in download verification.

Real output (with real git errors) when building MyBB 1.8.15 packages

Visit the mybb/mybb-build repository to set up own production line basing on our code and compare against the latest MyBB release packages (starting with 1.8.15, releases on GitHub include a build package with input necessary to reproduce the output).

The MyBB build repository

Automated packaging does not only leave more time for other aspects of running large-scale projects, but also assures that every update is brought to users without potential mistakes that could have been made otherwise with manual assembling. Furthermore, whenever mistakes are spotted, the archives can be quickly rebuilt and pushed out—less emphasis will be put on singular releases and more on their continuous delivery with seamless upgrades that MyBB will be working on.

MyBB 1.8.15 Released — Security & Maintenance Release

MyBB 1.8.15 is now available, and is a security & maintenance release.

This update includes compatibility improvements for PostgreSQL and recent PHP versions as well as minor optimizations.

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB Support Policy Changes

MyBB 1.8.14 Released — Security & Maintenance Release

MyBB 1.8.14 is now available, and is a security & maintenance release.

This update applies security patches and fixes minor issues related to the upgrade script included in the previous version.

  • 2 security vulnerabilities addressed:

    • High risk: Language file headers RCE — reported by Julian Rittweger
    • Low risk: Language Pack Properties XSS — reported by Julian Rittweger
  • 2 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8 Dockerfile & Docker Compose Recipe

With the recent announcements of the 1.10 branch we’ve also got some great news for both plugin developers and theme designers. In recent weeks, work has been underway to create an official Docker image for the MyBB 1.8 series. This work has been taken on by a community member who proposed such a solution and set to work on getting it done. Also provided within the repository are two example docker-compose.yml files, to be used with Docker Compose or Swarm. Docker is a technology for creating lightweight containers to manage and orchestrate software. It works across multiple platforms, and makes it easy to quickly get a live instance of the current MyBB version running with a variety of different configurations without requiring much effort to install database management systems and such on your machine. Docker is a brilliant tool for developers to quickly prototype ideas in a fresh, consistent environment. You can find out more information on Docker here.

Developers can immediately download and start using the current MyBB 1.8.13 Docker image from our official Docker Hub registry account (found here) by running the following command:

docker pull mybb/mybb:latest

Alternatively, for those who would like to view the source, make amendments or just generally prefer to build their own images – you can view the official GitHub repository here. Ample instructions for use are provided within the README.md file. This project is far from complete and we do not recommend it for production use, only for development and staging systems. MyBB’s current installation and upgrade systems make full automation with Docker a difficult feat to accomplish but we’re hoping to include easier ways to do this in the future 1.10 series of releases.

We hope that avid plugin and theme developers make good use of the Docker images that we’ll be releasing and improving upon, any and all constructive feedback (and pull requests!) is welcome.

MyBB 1.8.13 Released — Security & Maintenance Release

MyBB 1.8.13 is now available, and is a security & maintenance release.

This update includes fixes related to compatibility with PostgreSQL, SQLite and PHP 7.2 and resolves attachment HTML output problems. Note that the theme’s CSS files may need to be updated. Please see this post on the community forum for more information.

  • 7 security vulnerabilities addressed:
    • High risk: Installer RCE on configuration file write — reported by pabstersac
    • High risk: Language file headers RCE — reported by Julian Rittweger
    • Medium risk: Installer XSS — reported by pabstersac
    • Medium risk: Mod CP Edit Profile XSS — reported by Julian Rittweger
    • Low risk: Insufficient moderator permission check in delayed moderation tools — reported by Starpaul20 of MyBB Team
    • Low risk: Announcements HTML filter bypass
    • Low risk: Language Pack Properties XSS — reported by Julian Rittweger
  • 62 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.

If you would like to contribute to the Project, Get Involved.

Thanks,

MyBB Team

A Fresh Perspective

Blog header image

MyBB has been making some changes lately, and if you haven’t noticed we’re here to give you the scoop. Discussion about bridging 1.x closer to 2.0 has been settling, and as such we have decided on the best course of action moving forward. This comes with some other updates, including the main site going responsive, our blog getting way more fun, setting up an official demo site, and speeding up that darn extension approval process.

MyBB.com

If you’ve browsed our site lately on mobile, you may have noticed that it can be a real pain to navigate. We believe it is time to change that. Rather than awaiting MyBB 2 to bring our website into the modern age, you can expect it to be updated very soon. The new site will feature a few things:

  • Modern Design – We are making sure to get the site up to modern design standards.
  • Fully Responsive – This is part of a larger goal to get all MyBB products responsive, we’re starting with the main site.
  • SEO – Finding pages on MyBB should be a much better experience through search engines.

If you have some time and want to leave some feedback, or if you just want to look at the new design, please visit the thread or repository linked below. Thanks!

New MyBB responsive design New MyBB responsive design repository

Blog

Our blog will be getting some love as well. We’re now creating our blog posts via a repository on GitHub, so you can help (Or just get a sneak peek at what the next blog will be about). If you have an idea for a blog post that we haven’t done yet, or think we could be doing something better, feel free to open an issue in the repository linked below.

New MyBB responsive design

Official Demo Site

You may or may not know this, but we keep the community forum as vanilla as possible so users can get a feel for what MyBB is, right out of the box. Unfortunately this limits some decisions we make where improving the community forum is concerned. Not only that, but it limits how users can explore a vanilla MyBB installation as well. We are going to be creating a demo website to solve both of these issues, allowing you as users to browse a clean installation of MyBB easily. Obviously these demo installs will be lacking a couple of features that a full blown install contains, such as the ability to install custom themes and plugins – this is purely a security precaution.

Providing a clean demo system for users also opens up the possibility for more changes to be made to the official community forum – such as updating the styling to fit in with the rest of the website – in the future.

You can expect work to begin on this project after the new website has launched. Stay tuned for further updates!

MyBB Extensions

Approval Process

It’s no secret that getting a modification approved on the MyBB website can be a slow process. The main offender for this is our mission to make sure submissions are safe and of good quality, which means exploring the code and installing them for ourselves. This just isn’t a sustainable practice and results in a lot of frustration.

To speed up your addon submissions, we’re going to be easing our policy for allowing submissions. The policy has been published in our documentation, check it out at the following link.

Mod submission policy

If you find an issue with one of these unapproved addons, or even one that has been approved, please report it to us via the Private Inquiries forum so we can investigate properly.

Paid Modification Support

We are also taking a look into our support of paid modifications. In the past, these have been banned from being posted anywhere on the forum. Paid authors create some great things, so we’d like to embrace them more going forward. Our current solution is allowing paid modifications in the Requests/Services/Jobs forum, which you can find below.

We’re also considering the possibility of adding thread prefixes to the Requests/Services/Jobs forum in an effort to easily distinguish the types of services available. If you have any suggestions regarding these categories, we’re all ears!

MyBB R/S/J Forum

MyBB Software Development Path

After a lot of discussion internally, on the forum and in Discord, we’ve decided on the path that the MyBB software will be following leading up to MyBB 2. While we can all agree that MyBB needs to be more modern, rewriting it entirely from scratch is an enormous task and is taking much longer than we anticipated. Judging from the input from users, as well as discussion among staff, our best option moving forward will be to further bridge the 1.x series toward MyBB 2, while updating it to be more usable and modern.

MyBB Poll results

We have not decided on any specifics, but have discussed some of the following options:

  • Use Twig
  • Use Sass
  • New, responsive theme
  • Improved user experience, meaning changes like alerts or conversations

All that we know for now is that the MyBB 1.x line needs to be improved, and we need your help on deciding what exactly will be changing. If you’d like to join in on the discussion, head over to the forum thread we’ve been using to discuss the software.

MyBB 2.0 forum thread

Moving Forward

Overall we think these changes will help bring MyBB into the modern age, and make things a lot more fun to take part in. We love reading what you, the users of MyBB have to say and take it all into consideration. If you’d like to have a discussion with us, please hop on Discord and let us know about it!

Join Discord