Securing your MyBB forums with HTTPS

The Web has been using encrypted WWW connections for over two decades now. First used by entities processing critical information on the Internet like banks and online shops, https:// is progressively becoming the protocol an everyday user would expect as of 2016: the Google Transparency Report shows that the average number of page loads over HTTPS has exceeded 50%, similarly to telemetry data trends from Mozilla, aided by Let’s Encrypt, a new certificate authority issuing free certificates since April.

With the dependency on Internet communications heavier than ever, simple and common mistakes often result in leaks and breaches that endanger not only the security or integrity of services, but also the privacy of their users: passwords, real names, locations, e-mail and IP addresses, browsing patterns and other personally identifiable information. Even static websites receive such data, so the argument that a site does not expect to process sensitive information does not hold.

TLS has exactly one performance problem: it is not used widely enough.
Everything else can be optimized.

The range of possible attacks on unsecured websites is broad, and you may not always be aware of the risks of providing and using websites over the unencrypted version of HTTP. Simply launching a rogue Wi-Fi hotspot in a public place can allow anyone to intercept raw traffic without much hassle. Similarly, Internet service providers and mobile network operators can allow governments to put their hands (however tiny they might be — the governments, of course) on your data regardless of intent or permissions, be forced to do so by law, or have their communications eavesdropped through passive interception of traffic.

Besides protecting services and people, upgrading the protocol has many upsides — the new HTTP/2, which increases the speed of web connections, is available only when used with encryption, and when you use HTTPS, Google will prioritize your website in the search results. Encrypted transmissions mean that nobody will be able to manipulate your pages to inject malware or their own ads, which is often the case with public access points or airplane connections. In order to push the adoption of encryption, major browsers will start notifying users of the dangers resulting from using unsecured websites. MyBB is proud to support this movement of creating a faster and safer web.

[Image: Chrome for Android UI's HTTPS indication] Caption: Secure connection to the Community forums — so claims Chrome for Android

The HTTPS setup tools are being constantly improved and the process is getting easier and faster; moreover, you can find numerous guides and tutorials for different platforms and scripts. What has been missing, though, is a list of steps specific to MyBB, because not every board administrator is experienced enough to make use of instructions that are either very generalized or very specific — for scripts other than ours.
Having jumped into the rabbit hole of technical details of securing our project’s websites and climbed back out (which we’ll shed light on soon!), we created a comprehensive guidebook on enabling HTTPS that covers the most vital aspects of securing the boards you manage.
We strongly recommend that all webmasters and administrators upgrade their installations as soon as possible if they’re not running on HTTPS yet, and encourage them to treat the security and privacy of their users with the utmost importance: every secured location makes a difference in today’s interconnected web.

Setting up HTTPS — MyBB Documentation →

Project Updates November 2016

As there have been a number of changes to both the team structure and some development going on, we thought it was time to share some updates on what’s been happening behind the scenes.

Team Changes

There have been a number of changes to the structure of the team over the last couple of months, with a few people leaving, some fresh new faces and some familiar faces returning to the team.

Resignations

We wish farewell to the following team members, and thank them for all of their hard work and contributions:

All of these members left the team because they had limited time. We wish them all the best and we would welcome them back should they find the time to contribute to the project again.

Additions

As well as departures, we also have some new (and some not-so-new) faces joining the ranks.

  • dragonexpert – Recently rejoined the support team! He has been helping clear the mods queue since rejoining, and we can only thank him for his hard work so far.
  • Shade – Shade has rejoined us on the SQA team; we welcome him back and are sure that he will contribute to the project.
  • Brad-T – We invited Brad to the team to share his community management expertise with us. We are sure he will help with community issues!
  • Matslom – If you have been following the 2.0 GitHub repo you will have seen that Matslom has been contributing for some time now, including coding the warning system.
  • Wildcard – Another old team member who has rejoined us; we welcome him back and are sure he will contribute fully.
  • JordanMussi – Jordan is also an old team member; he has joined the community team, and we are glad to have him back on board!

Mods Site Queue

It has been no secret for a while that we have had quite a backlog of modification submissions waiting to be checked by the team as part of our extensive approval process. With special thanks to dragonexpert and Shade, the mods queue has taken a severe beating over the last couple of weeks, and for a short time there were no projects waiting for review, for the first time in a long time!

As ever, if you’ve submitted a project and not heard anything about it being approved or denied, please do feel free to create a new topic in the Private Inquiries forum.

1.8 Development

Over recent weeks there has been a lot of development progress on the MyBB 1.8 series. Many issues have either received PRs fixing them or been rejected due to the age of the 1.8 series. We have also been reviewing the 1.8 bugs forum and highlighting any issues we felt needed to be fixed. We are looking to reduce the issues on GitHub to the current ones that need fixing before we move our complete focus (except security fixes) to 2.0. Due to the high number of bug reports we have been unable to reply to every issue, but we have compiled an internal list and are working through it.

2.0 Development

Recent development on the 2.0 series has been slow, but recently we have seen a large increase in contributions from outside the team. Matslom (who has since joined the team), for instance recently submitted a great Pull Request to add a warning system to 2.0 which has now been merged into the main branch. Additionally, Paradigm has been working on implementing an installer system for 2.0 – something that has been planned for a while and kept being bumped down the priority list.

A lot of the discussion around these developments has been happening on the #20-development channel on the MyBB Discord server, and we would encourage anybody interested in contributing to the development of MyBB to pop in and see what’s going on!

MyBB 1.8.8 & Merge System 1.8.8 Release

MyBB 1.8.8 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 7 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version, in order to provide easy-to-manage updates.

  • Vulnerabilities:
    • Medium risk: Style import CSS overwrite on Windows servers – reported by patryk
    • Medium risk: SQL Injection in the users data handler – reported by afinepl
    • Medium risk: SSRF attack in fetch_remote_file() – reported by dawid_golunski
    • Medium risk: Possible short name access to ACP backups on Windows servers – reported by kevinoclam
    • Low risk: Stored XSS in the ACP – reported by patryk
    • Low risk: Loose comparison false positives – reported by Devilshakerz
    • Low risk: Possible XSS injection in ACP users module – reported by afinepl

Please view the 1.8.8 changes on the Docs site for more information about the changes in this version.

Please note that you do need to run the upgrade script for this version.

Upgrading from 1.8.7 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. 23 language files were changed, and 64 templates were changed or added.

If you’re using MyBB 1.8.7:

  • Download and use the Changed Files Package
    • MD5: 43028accb46eecf8016ef5fdc4fe522a
    • SHA1: 2c9985353e87c8710bdcdcf1856b0a6c63961317
    • SHA256: bb479145b44f169c301c21425f78742d8cacd9fd9ef4543c2a5e39ab540f769e
    • SHA512: 47ddbd601d008e9cb7309b328d36df95f901d1935593ded61e70cef22dc1312257266e056e5ea9d214babfd47a0aeb9560e9d11a5abb8d68a244f442467c41854a73f915ee3f4e6bd2f654334ca0f75
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.6 or lower:

  • Download and use the full 1.8.8 Release Package
    • MD5: 2e09c9fd3b2416ac3fea9bada18d61e5
    • SHA1: 2b8469cb42c3a66ec7e3253aa0cced464585d3dd
    • SHA256: e63bd3ce5b8a7c4166102baa75f0aab1d12fc64379658a027d8bf49a437a469a
    • SHA512: 8dec5923737b11deae578ed02f259acda01ca5bcc9032bc01df1e2d77ce36c54f87e66e42850460c8ea07515d99d4b5da4a73f915ee3f4e6bd2f654334ca0f75
  • Follow the Docs Upgrading Instructions

This update includes security fixes that may need your attention:

  • Additional rules disallowing access to the database backups directory (admin/backups/) were added to htaccess.txt and htaccess-nginx.txt, addressing a security issue affecting Windows installations – remember to update your configuration files.
  • $config['disallowed_remote_hosts'] and $config['disallowed_remote_addresses'] variables, containing default loopback hosts and IPv4 addresses, were added to the inc/config.php file, addressing an SSRF vulnerability – remember to update your configuration files and, if applicable, add further hosts and/or addresses that MyBB shouldn’t attempt to access.
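To make the second item concrete, here is an added example (not MyBB's own code) of how a check against disallowed_remote_hosts and disallowed_remote_addresses can gate an outbound fetch before it happens. The values in the lists, the function names and the resolver parameter are assumptions made for this example, and the address list deliberately goes beyond loopback to the private and link-local ranges the note suggests adding.

```php
<?php
// Added example, not MyBB's own code: applying a disallowed-host/address policy
// of the kind the release notes describe to a URL before it is fetched.
// The two $config keys are the ones named in the notes; the values, the
// function names and the $resolve parameter are assumptions for this example.
// Assumes 64-bit PHP for the IPv4 mask arithmetic.

$config = array();
$config['disallowed_remote_hosts'] = array('localhost');
$config['disallowed_remote_addresses'] = array(
    '127.0.0.0/8',     // IPv4 loopback
    '0.0.0.0/8',
    '10.0.0.0/8',      // private ranges (assumed additions beyond loopback)
    '172.16.0.0/12',
    '192.168.0.0/16',
    '169.254.0.0/16',  // link-local, where cloud metadata services usually live
    '::1',             // IPv6 loopback, matched literally
);

// True when the IPv4 address $ip lies inside $cidr ("a.b.c.d/n" or a plain address).
function ip_in_cidr($ip, $cidr)
{
    if (strpos($cidr, '/') === false) {
        return strtolower($ip) === strtolower($cidr);
    }
    list($subnet, $bits) = explode('/', $cidr, 2);
    $ip_long = ip2long($ip);
    $subnet_long = ip2long($subnet);
    if ($ip_long === false || $subnet_long === false) {
        return false; // one side is not IPv4, so this rule cannot match
    }
    $bits = (int) $bits;
    $mask = ($bits === 0) ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ip_long & $mask) === ($subnet_long & $mask);
}

// Decide whether $url may be fetched. $resolve maps a host name to an array of
// IP strings; it defaults to a DNS lookup but can be swapped for offline tests.
function remote_url_allowed($url, array $config, $resolve = 'gethostbynamel')
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return false;
    }
    // Only plain web schemes: rules out file://, gopher:// and friends.
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    $host = strtolower(trim($parts['host'], '[]')); // strip IPv6 brackets
    foreach ($config['disallowed_remote_hosts'] as $blocked) {
        if ($host === strtolower($blocked)) {
            return false;
        }
    }
    // Literal addresses are checked directly; names are resolved first, and a
    // name that fails to resolve is rejected rather than waved through.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? array($host) : call_user_func($resolve, $host);
    if (empty($ips)) {
        return false;
    }
    foreach ($ips as $ip) {
        foreach ($config['disallowed_remote_addresses'] as $cidr) {
            if (ip_in_cidr($ip, $cidr)) {
                return false;
            }
        }
    }
    // Caveat: the actual fetch must connect to one of the $ips checked here;
    // a fresh DNS lookup at connect time could answer with a blocked address.
    return true;
}

// Constructed inputs: TEST-NET-3 (203.0.113.0/24) stands in for a public address.
var_dump(remote_url_allowed('http://127.0.0.1:3306/', $config));
var_dump(remote_url_allowed('http://localhost/', $config));
var_dump(remote_url_allowed('file:///etc/passwd', $config));
var_dump(remote_url_allowed('https://203.0.113.10/image.png', $config));
```

The first three calls are rejected (loopback address, blocked host name, non-web scheme) and the last is allowed; the list is a baseline, not a complete inventory of what a given server can reach.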

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB Merge System 1.8.8

MyBB Merge System 1.8.8 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

This release fixes several reported issues since the release of 1.8.7, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.

What’s new in this version?

  • 5 bug fixes (View all)
  • Preliminary support for merges from vBulletin 5 installations. This module hasn’t had a lot of testing, so please report back with how vBulletin 5 merges go and always test your merge on a local machine first.

Important note

This will be the last release of the Merge System 1.8. We’re instead concentrating development efforts on MyBB 2.0 and a brand new Merge System to accompany it – please stay tuned for more news on the new merge system!

Thanks,

MyBB Team

Project Updates October 2016

Recently we have made a number of notable changes to the community and MyBB website. We’d like to share with you what we’ve done and how you can get involved.

RFC Process and transparency policy

For over a year now, the MyBB Team has been using an internal Request For Comments process as a decision-making mechanism for issues with high impact on the Project’s present and future, as well as a means of ensuring team-wide consensus on matters related to its organization and development. Recently we decided to start publishing our RFC documents, putting us closer to the goal of maximum transparency. Accordingly, solid plans, workflows and protocols explaining what exactly happens behind the scenes will be posted on our websites as they emerge, to enable external feedback and simplify the process of Team onboarding.

You can find all RFC documents that were cleared for disclosure in a dedicated section on MyBB.com.

Code of Conduct in force

As previously announced, we have joined an impressive group of open source projects you may already have heard of by adopting a Code of Conduct provided by the Contributor Covenant. This addition allows us to centralize the rules and guidelines that apply in our development and community ecosystems, in order to ensure a professional and inviting environment for everyone interested in getting involved. You can find the new document on our website.

Moving to Discord from IRC

The MyBB IRC channel over at freenode has not been bustling with activity for a while despite several attempts to bring it to life, so internally we discussed and tested alternatives to IRC. Looking for something that is easier for the whole community to engage with, we settled on Discord, which fulfills our needs for accessibility and moderation features. We invited the community to help us during the testing phase and are grateful to those who did – you can already find many members of the MyBB Team on Discord in addition to other valued members of our Community.

While the adoption of the platform appears to be successful, we’ve decided to continue maintaining our IRC presence at #mybb and have registered a freenode group to gain more control over our channels. In order to keep the chit-chat uniform, we plan to connect it to Discord using a bot that forwards messages both ways between the IRC channel and its counterpart on Discord — this will ensure that no question goes unnoticed.

We’ll see you there!

Join the conversation →

Up Next: Updates to Extend MyBB

While not ready to go live just yet, we are excited to share an update on something Justin, our lead designer, has been working on for the past few weeks: a major visual update to the Extend MyBB platform, commonly known as the MyBB Mods site.

The visual update touches all public-facing aspects of Extend MyBB, simplifying navigation and making its interface easier to use while maintaining existing features. There’s still some more work to do before it’s ready to launch, but we’re sure you’ll love it.

Shuttering of the 2.0 host compatibility repository

Not long ago, we started a new project to gather information about the PHP versions that various web hosts support. The aim of this project was to gather a list of web hosting companies who would be able to host the upcoming MyBB 2.0 release.

Since starting that project, we have received several contributions. However, we’ve also since changed the PHP version requirements for 2.0. As such, we are closing the mybb/2.0-Hosts repository and instead asking that users please make use of the PHP Versions website to track the PHP versions on offer at different hosts. This website operates in a similar way to the old MyBB project, but is much more widely used and already contains information for lots of different hosts. For more information on contributing to the PHP Versions website, please see the contributing guide.

MyBB 1.8.7 & Merge System 1.8.7 Release

MyBB 1.8.7 – Security & Maintenance Release

MyBB 1.8.7 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 13 security vulnerabilities and 83 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version, in order to provide easy-to-manage updates.

  • Vulnerabilities:
    • Medium risk: Possible SQL Injection in moderation tool – reported by jamslater
    • Low risk: Missing permission check in newreply.php – reported by StefanT
    • Low risk: Possible XSS Injection on login – reported by Devilshakerz
    • Low risk: Possible XSS Injection in member validation – reported by Tim Coen
    • Low risk: Possible XSS Injection in User CP – reported by Tim Coen
    • Low risk: Possible XSS Injection in Mod CP logs – reported by Starpaul20
    • Low risk: Possible XSS Injection when editing users in Mod CP – reported by Tim Coen
    • Low risk: Possible XSS Injection when pruning logs in ACP – reported by Devilshakerz
    • Low risk: Possibility of retrieving database details through templates – reported by Tim Coen
    • Low risk: Disclosure of ACP path when sending mails from ACP – reported by sarisisop
    • Low risk: Low adminsid & sid entropy – reported by Devilshakerz
    • Low risk: Clickjacking in ACP – reported by DingjieYang
    • Low risk: Missing directory listing protection in upload directories – reported by Tim Coen

Please view the 1.8.7 changes on the Docs site for more information about the changes in this version.

Please note that you do need to run the upgrade script for this version.

Upgrading from 1.8.6 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. 15 language files were changed, and 41 templates were changed or added.

If you’re using MyBB 1.8.6:

If you’re using MyBB 1.8.5 or lower:

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB Merge System 1.8.7

MyBB Merge System 1.8.7 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

This release fixes several reported issues since the release of 1.8.6, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.

What’s new in this version?

Thanks,

MyBB Team

Note about updated packages

The original packages have been replaced by updated packages to fix minor compatibility issues with PHP 5.2 and PostgreSQL and to fix issues with font MyCode and search functionality.

If you installed or updated your forums using either the full or changed files packages before 19:00 GMT on March 25, 2016, please download a fresh package from the links above and replace the following files:

  • inc/cachehandlers/apc.php
  • inc/cachehandlers/eaccelerator.php
  • inc/cachehandlers/interface.php
  • inc/cachehandlers/memcache.php
  • inc/cachehandlers/memcached.php
  • inc/cachehandlers/xcache.php
  • inc/class_parser.php
  • install/resources/upgrade35.php
  • search.php

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package: the files above will appear as modified if you need to download an updated copy.

We apologise for any inconvenience.

MyBB Seeking Your Help – Open Staff Positions

Hi,

We currently have some open positions on the MyBB Team, especially in SQA. If you’re interested in becoming a part of the team, we’d like to hear from you.

Please note that all positions are on a volunteer basis; you’re under no obligation to stay with the MyBB Group if you have other commitments that need attending to.

Requirements

Development

Continued contribution to the quality of either the 1.x or 2.x series, including:

  • Good MyBB and PHP (OOP)/MySQL/JS (jQuery) and/or HTML/CSS knowledge
  • Basic understanding of testing and git/GitHub
  • Laravel familiarity for 2.x development would be welcome
  • At least several quality contributions to our GitHub repositories/mods site and/or external GitHub repositories (themes if you’re a designer, plugins/code changes if you’re a programmer)
  • Good communication skills in English

Support

Continued support on our forums:

  • Good MyBB/CSS/HTML knowledge, MySQL/PHP/JS (jQuery) knowledge would also be welcome
  • At least 50-100 high-quality support posts
  • Adequate patience when helping inexperienced forum admins
  • Good communication skills in English

Quality Assurance

Continued contribution to the quality of either the 1.x or 2.x series, including:

  • Good MyBB/MyBB plugins/PHP (OOP)/MySQL/JS (jQuery) knowledge
  • Ability to detect and confirm vulnerabilities
  • Basic understanding of testing and git/GitHub
  • Good communication skills in English

How to Apply

All applications should be submitted in the Private Inquiries section: http://community.mybb.com/forum-135.html

Please include the position you’re applying for, background information on yourself, information on your knowledge of MyBB, PHP, MySQL and JavaScript (where relevant), your experience/works, and any other information you wish to include.

We will aim to reply to all applications but if you don’t receive a reply, no – we haven’t forgotten about you, it’s just that there are usually too many applications to individually reply to each one. Private messages containing applications/team position queries will be ignored.

Thank you,
MyBB Team

MyBB 2.0 Repositories Are Finally Public

Yep, you read that right. The MyBB 2.0 repositories are finally open to the public for browsing and contribution. The repositories we are opening are:

  • mybb/mybb2 – the core of MyBB 2.0, based on a Laravel skeleton template. This repository contains the core forum and is where the majority of work happens. The overall structure of this repository will be changing through the New Year to make deployment easier on shared hosts and other setups.
  • mybb/Auth – a modified authentication package for MyBB 2.0. This is based around the Laravel 5.0 Auth package, and is about to receive a major overhaul to make use of the Laravel 5.1 and 5.2 authentication changes.
  • mybb/Parser – the core post parser for MyBB 2.0. The majority of the parsing logic has simply been imported from MyBB 1.x in the current incarnation in order to get a working parser implementation. The future plans for this repository include adding further unit tests and refactoring the BBCode/MyCode parsing to use a proper parser/lexer rather than a large jumble of regular expressions.
  • mybb/Settings – the core settings system of MyBB 2.0. This package provides both site-wide and user settings and can easily be used for other projects and plugins. Settings are split into “packages”, with “mybb/core” being the core MyBB package. Further documentation and details will be explained about this package in an upcoming development post.

Browsing these repositories should make it fairly clear that while MyBB 2.0 has had a good start so far, it is still far from done. Original plans were to have an Alpha release available by the end of 2015, but these plans have unfortunately not come to fruition. It is our hope that making these repositories public will bring more contributions, suggestions and feedback from you the community.

For now we are simply opening these repositories, but over the New Year and Christmas holidays we will be documenting our code formatting, contribution guidelines and our roadmap and plans for MyBB 2.0 more fully in the MyBB 2.0 Planned Features forum. Rather than blogging about each of these, we will be writing topics that will be stuck to that forum to provide guidelines about our expectations.

We also plan to keep up our (recently lacking) development blog posts which will cover the usage of the components we are open sourcing as well as other components that will be created in the future. Future components and progress will be developed fully in the open, utilising our new BSD-3 licence.

As a closing note, MyBB 2 is in no way stable yet and should not be used on a live forum at all right now. Open sourcing these repositories is aimed primarily at developers and experienced administrators wanting to provide input and feedback on the future direction of MyBB. No support will be provided for any of the code in these repositories until we reach a Beta release.

We wish all of our users a happy holiday season,

The MyBB team

Support for MyBB 1.6.x has ended

Following the recent postponement, the official support for the MyBB 1.6 series has ended as of 1st October 2015.

The 1.6 Support forums have been archived and we will no longer provide assistance regarding the 1.6 series (that does not include the 1.8 upgrading process).

No further maintenance and security releases or updates will be provided for that branch.

We strongly recommend all users who still operate 1.6 boards to upgrade them as soon as possible. Detailed information on performing upgrades can be found in our upgrade instructions. The MyBB Team and the Community can provide further advice on our support forums.

2.0 Dev Post #6

It’s that time again, time for another MyBB 2.0 dev blog! This post is the sixth in a series of development update posts regarding MyBB 2.0. Currently in pre-alpha, MyBB 2.0 is the long-awaited upcoming major version of the open source MyBB forum software. We’ll be posting regular updates (we promise!) regarding the development to keep you all informed. The development team have been hard at work since our last dev post, adding new features and polishing existing functionality. This post takes a slightly different approach from previous posts by focusing on a single aspect of 2.0 in slightly more detail, namely the new responsive styling.