Designing MyBB 1.9’s Installer

Posted on by

One key to keeping software projects and the surrounding communities healthy is keeping friction for all audiences to a minimum.

In MyBB, this friction is derivative of user experience and developer experience. Our largest audience is formed by the end users — people browsing online forums, not expected to know what MyBB is, yet benefitting from fine-tuned visuals, phrases, and flows that come out-of-the-box. At the same time, we target two groups further down the forum assembly line, for whom both UX and DX apply.

For site owners and community leaders, the software needs to be approachable and intuitive — without requiring particular knowledge of languages and technologies — but also allow tweaking its look and functionality by maintainers with technical experience.

For developers, in addition to a useful extension system, APIs, and documentation, the software needs to expose the appropriate tools to allow speedy development and testing — without assuming one’s familiarity with it.

These factors are crucial in the world of free and open-source software, where the development relies on external contributors and their ease of work.

A setup mechanism is where their paths cross: it has to break down unavoidable complexity, without getting in expert users’ way. Besides having to meet best UX and DX practices, it also carries the weight of defining the first impression of the product for everyone.

The Need for Speed

kawaii — 2:56 PM

I wonder how many of the PostgreSQL installs are me with my Docker stack

People who work with, and on MyBB, install it a lot. To comfortably test new code and eliminate bugs in the core and extensions, their setup should require minimal time and attention better spent on the task at hand.

The existing installation experience left much to be desired — among others, the old installer:

A screenshot of the Table Creation page displayed during the installation of MyBB 1.8, with an unnecessarily long list of names of created tables.
              • is strictly synchronous and static, making users alternate between waiting and filling out forms,
              • asks for information that’s either nonessential (e.g. a website URL for the optionally displayed link), or derived (e.g. cookie settings that can be deduced from the forum URL),
              • contains technical details of little to no relevance, which also makes it more difficult to navigate,
              • loads pages only for the user to press Next, instead of proceeding automatically,
              • offers no shortcuts for quick setup for testing or development, and
              • can’t be scripted or automated.

The special part of the application accessed through install/ was largely self-contained and separate from the rest, offering a good target for improvements parallel to other work on the 1.9 series.

In this post, we share how the system was disassembled, redesigned, and rebuilt.

Continue reading

MyBB 1.8.33 Released — Security & Maintenance Release

Posted on by

MyBB 1.8.33 is now available, and is a security & maintenance release.

This version improves cache system stability, and compatibility with PostgreSQL (PDO) and recent PHP versions.

  • 1 security vulnerability addressed:

    • High risk: ACP Languages local file inclusion (advisory) — reported by yelang123 (Stealien), NGA (Stealien)
  • 8 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.32 Released — Security & Maintenance Release

Posted on by

MyBB 1.8.32 is now available, and is a security & maintenance release.

This version addresses reported security problems and updates SCEditor to the latest version.

  • 3 security vulnerabilities addressed:

    • High risk: Visual editor persistent XSS (advisory) — reported by Aleksey Solovev (Positive Technologies)
    • Medium risk: ACP Users SQL injection (advisory) — reported by Aleksey Solovev (Positive Technologies)
    • Low risk: Attachment upload XSS (advisory) — reported by Aleksey Solovev (Positive Technologies)
  • 1 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.31 Released — Security & Maintenance Release

Posted on by

MyBB 1.8.31 is now available, and is a security & maintenance release.

This version resolves discovered bugs and regressions, and improves compatibility with database engines and recent PHP versions.

Please note that the value of Additional Parameters for PHP’s mail() (Mail Settings) now only takes effect when saved in the Configuration File.

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.30 Released — Security Release

Posted on by

MyBB 1.8.30 is now available, and is a security release.

  • 1 security vulnerability addressed:

    • High risk: ACP Settings management RCE (advisory) — reported by Cillian Collins / Trend Micro Zero Day Initiative

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.29 Released — Security Release

Posted on by

MyBB 1.8.29 is now available, and is a security release.

  • 1 security vulnerability addressed:

    • High risk: ACP Settings management RCE (advisory) — reported by Xiangwen (Evan) Yu

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.28 Released — Security & Maintenance Release

Posted on by

MyBB 1.8.28 is now available, and is a security & maintenance release.

This version resolves discovered bugs and regressions, and addresses known PHP 8 compatibility problems.

This version enables validation of HTML code generated by the MyCode parser — check the Documentation page and previous announcement for more details.

  • 1 security vulnerability addressed:

    • Medium risk: ACP Template Name XSS (advisory) — reported by Andrey Stoykov
  • 28 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

1.8’s CAPTCHA Bug, Parser Validation, and PHP Compatibility

Posted on by

As we stabilize the 1.8 branch for future support with development eventually switching focus to 1.9, we’d like to draw your attention to the following advisories.

CAPTCHA Bug

Version 1.8.27 has introduced a bug affecting two of MyBB’s supported CAPTCHA mechanisms: reCAPTCHA v3 and hCaptcha invisible. For those, the CAPTCHA may appear broken, and the verification can reject or accept attempts incorrectly.

If your forum uses those systems, we advise to either:

  • temporarily switch to another mechanism using the CAPTCHA Images for Registration & Posting setting (ACP: Configuration → Settings → General Configuration), or
  • applying the upcoming changes to source code files manually.

This problem will be resolved in the next maintenance release.

Parser Output Validation

The upcoming maintenance release enforces validation of XHTML code generated by the MyCode parser in order to improve security.

MyBB 1.8.27 included this feature in report-only mode, meaning that any problems are already being saved to the configured error log. After upgrading, validation errors will continue to be logged, but messages with problematic MyCode will not be displayed to prevent potential XSS attacks against your forums.

Forum administrators should verify that their error logging is configured properly, and monitor the log for errors that may indicate necessary changes to their customizations like custom MyCodes, theme templates, username styles, and plugins. These errors can be triggered when forum content that uses MyCode is viewed.

We created a relevant Docs section that details pinpointing the origin, debugging using a dedicated tool, and disabling the validation requirement for boards that are not yet ready for this change.

Examples of Fixed Validation Errors

To help demonstrate what actions may need to be taken, let’s take a look at some validation failures that turned up so far:

  • Case 1: Attributes Without Value in Default Templates

    MyBB’s default theme included HTML attributes without values. These caused validation errors such as:

    • Specification mandates value for attribute
    • attributes construct error

    To fix this, we simply added ="true" fragments where needed.

  • Case 2: Redundant Tags in Username Style

    In a support thread, unnecessary HTML in a customized username style, present in a forum post, resulted in a logged failure that mentioned:

    • Opening and ending tag mismatch

    • Extra content at the end of the document

    This could be resolved by cleaning up the HTML code in the Username Style field for the problematic user group by removing stray closing tags.

  • Case 3: Self-Closing Tags in Custom MyCode

    In another support thread, a custom MyCode included an unclosed <hr> HTML tag, which resulted in a validation failure that mentioned:

    • Opening and ending tag mismatch

    • EndTag: '</' not found

    For correct XHTML validation, tags that don't have an equivalent closing tag should include a forward slash: <hr />.

  • Case 4: Invalid Placeholder Format

    A plugin that inserted invisible markers in the <example#0> format resulted in errors referring to attribute parsing and missing end tags. This format was changed to <example id="0" /> to pass the validation.

If you have trouble resolving validation failures, visit our support platforms and include the full logged error.

PHP Compatibility

MyBB aims to support most recent versions of web browsers, servers, database systems, and PHP interpreters. Due to significant changes in PHP 8.0, however, we recommended using PHP up to 7.4 while the code was being adjusted.

The upcoming MyBB release includes another batch of such adjustments, and removes some unnecessary side-effects of version-related PHP Warnings. We also pay attention to PHP 8.1, which is not expected to cause major problems after these updates.

Even though more issues may still be discovered when running MyBB on latest versions of PHP, we encourage administrators and extension developers to verify the stability of their forums and extensions on PHP 8, and to watch out for any errors that may appear in the error log, starting with the next maintenance release. Numerous web hosts already support switching to PHP 8.0, and MyBB can easily be tested locally using Docker.

Any suspected issues related to compatibility, as usual, can be reported on our support platforms.

MyBB 1.8.27 Released — Maintenance Release

Posted on by

MyBB 1.8.27 is now available, and is a maintenance release.

This version i.a. enhances the attachments UX, brings pagination to more ACP pages, adds better thread view counting options, and improves performance and stability.

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

Looking to the Future

Posted on by

As we near the release of MyBB 1.8.27, we’re starting to look towards the future of the Project and where we’re headed. In this post, we’ll lay out our plans going forward.

1.8.27 Is a Big Release

The upcoming 1.8 maintenance release is shaping up to be the second biggest in the series, with over a hundred Issues already resolved.

Among others, we have changes to how the mail queue is processed, the addition of some new PDO based database drivers for MySQL and PostgreSQL, some additional plugin hooks, pagination added to some ACP modules, an alteration to exclude bots and spiders from increasing thread view counts, enhanced the attachments upload user experience, and much more!

We’ve also added some other quality of life enhancements behind the scenes, such as some automated tools to check PHP syntax for all Pull Requests and Commits to the GitHub repository and some improvements to our support for PHP 8.0.

The release has been a long time coming, but it’s now just around the corner. I’d like to take this opportunity to thank all of our wonderful contributors, and to ask a favour: if you can, please test the current code as much as you can! We want to make sure that 1.8.27 is a rock solid release. As usual, once the final Pull Requests are merged, you will find a pre-release thread in the 1.8 Development forum.

The Future of 1.8

With 1.8.27 being such a large release, we’ve been thinking about the future of where MyBB is headed.

As such, we’ve decided that MyBB 1.8.27 will be the last major release of MyBB 1.8.

From this point forwards, the 1.8 series shall only receive security fixes and bug fixes for critical bugs that break core functionality.

The reasoning for this change is simple: we need to focus all of our limited resources on one single task – namely, getting MyBB 1.9 released.

MyBB 1.9

MyBB 1.9 is something we’ve been talking about for a long time (too long, a lot of us would say).

We’ve been working on it side-by-side along with supporting the MyBB 1.8 series, which has unfortunately meant the new release has only had limited attention paid to it.

With 1.8.27 being the last big 1.8 series version, all attention will now be turned to 1.9. There will be a freeze made to the merging of any Pull Requests to the project for a period of roughly two weeks in order to finalise the rebase of MyBB 1.9 to incorporate all of the changes present in 1.8.27.

Once this is complete, attention will turn to the following tasks:

  • Scrutinising all new templates to ensure that all changes made to 1.8 in recent releases are reflected in the new templates.
  • Tracking down any remaining usages of the old $templates based code for templates.
  • Writing the ACP management module for the new template system.

Once these tasks are complete, we’ll be at the stage of beginning testing the release in full. At that point, we’ll put a demo install online for everybody to play with, which will reset every day at midnight. This should give everybody a chance to help us debug the release and polish it up.

An Apology and a Thanks

On a final personal note, I’d like to apologise to the Community for the severe lack of progress with the Project and communication from us.

When I joined, forums were booming and MyBB in particular was abuzz with activity. We had a large bustling Team with members from all over the world contributing many changes and improvements. I’ve watched the Project go from MyBB 1.2 to 1.4; from 1.4 to 1.6 and 1.6 to 1.8. Over that time, things have changed a lot! The rise of social media and smartphones have changed the landscape of internet communities significantly.

Unfortunately, with these changes we’ve seen quite a decline in the progress we’ve made with the Project recently. I wish we had an easy fix to this and we could go back to the activity levels that we’ve seen before, and if anybody has any concrete ideas we’d be very happy to hear them in a constructive manner.

I’d like to take the opportunity to thank everybody who has stuck with us over the years and contributed in any way — be it via financial support on OpenCollective; via bug reports; via Pull Requests; via providing support to other members of the Community; or via any other means. Without you, MyBB simply would not exist.