MyBB 1.8.9 Released – Security & Maintenance Release

MyBB 1.8.9 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 1 security vulnerability and 52 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version, in order to keep updates easy to manage.

  • Vulnerabilities:
    • Low risk: CSRF issue when removing subscriptions – reported by Devilshakerz

Please view the 1.8.9 changes on the Docs site for more information about the changes in this version.

Please note that you do need to run the upgrade script for this version.

Upgrading from 1.8.8 and Other Versions

Before performing any upgrade, please remember to back up your forum’s files and database and store the backups safely. If you have edited core files, including language files, please keep a changelog of those edits so you can reapply them (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. 18 language files were changed, and 85 templates were changed or added.

If you’re using MyBB 1.8.8:

  • Download and use the Changed Files Package
    • MD5: cd4f736ef9c3b20136203350468ad23d
    • SHA1: 3208c50d35aacc9d51d195de8ccc33aed1e3b1c6
    • SHA256: c153236148457ae1ea2a62b8c7c15a11a093ab436ae6ea416c8cf9ca2bf53687
    • SHA512: 1e16aeae125a1e2edf966866d53c51ce9b5d7568214c6244efc4976d4af16186e3f9f10f8eafbd5f5de3210a1fada6635fea7c97bb09afe3d1c9bf3e368bfa3d
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.7 or lower:

  • Download and use the full 1.8.9 Release Package
    • MD5: b1a8fbdb4d8a888f7757be14cd658662
    • SHA1: d30f95de2e2142a46e4a34e0d26a8d3f5762cb22
    • SHA256: cc4a015edb96b587a74b3d54c00bf2ecd4be6ff2efec8b24caae90c538b42e89
    • SHA512: b18ffd2797f2f6fc775fda7b47c6d4b63d36f0e8c57ee1ce6797de8e600f741df2cc1bce713723b12d2374e723289641ab3a10248f5ba53672f5765bed836056
  • Follow the Docs Upgrading Instructions
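
An added example (not part of the original announcement and not MyBB's own tooling): a POSIX shell check that compares a downloaded package against the SHA-256 and SHA-512 values listed above before the files are uploaded to the server. The download path is supplied by the caller, and the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example: verify a MyBB 1.8.9 download against the published digests.
# Only SHA-256 and SHA-512 are checked; MD5 and SHA-1 are not collision-resistant.
# Digest values are copied from the announcement; the file path is an argument.

CHANGED_SHA256=c153236148457ae1ea2a62b8c7c15a11a093ab436ae6ea416c8cf9ca2bf53687
CHANGED_SHA512=1e16aeae125a1e2edf966866d53c51ce9b5d7568214c6244efc4976d4af16186e3f9f10f8eafbd5f5de3210a1fada6635fea7c97bb09afe3d1c9bf3e368bfa3d
FULL_SHA256=cc4a015edb96b587a74b3d54c00bf2ecd4be6ff2efec8b24caae90c538b42e89
FULL_SHA512=b18ffd2797f2f6fc775fda7b47c6d4b63d36f0e8c57ee1ce6797de8e600f741df2cc1bce713723b12d2374e723289641ab3a10248f5ba53672f5765bed836056

# digest ALGO FILE -> hex digest on stdout (ALGO is 256 or 512).
# Uses coreutils sha256sum/sha512sum when present, otherwise shasum.
digest() {
    if command -v "sha${1}sum" >/dev/null 2>&1; then
        "sha${1}sum" "$2" | cut -d' ' -f1
    else
        shasum -a "$1" "$2" | cut -d' ' -f1
    fi
}

# verify_pkg FILE SHA256 SHA512
# Returns 0 only if BOTH digests match, 1 on mismatch, 2 if FILE is missing.
verify_pkg() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    # Normalise the expected values so upper-case hex still compares equal.
    want256=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want512=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    got256=$(digest 256 "$1")
    got512=$(digest 512 "$1")
    if [ "$got256" = "$want256" ] && [ "$got512" = "$want512" ]; then
        echo "OK: $1"
        return 0
    fi
    echo "MISMATCH: $1 (do not upload this package)" >&2
    return 1
}

# Usage: sh verify.sh changed|full /path/to/download
case "${1:-}" in
    changed) verify_pkg "$2" "$CHANGED_SHA256" "$CHANGED_SHA512" ;;
    full)    verify_pkg "$2" "$FULL_SHA256" "$FULL_SHA512" ;;
esac
```

Pass `changed` for the Changed Files Package or `full` for the full 1.8.9 Release Package; a non-zero exit status means the file should be downloaded again rather than deployed.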

To update existing themes the following CSS code needs to be added to global.css:

.deleted_post_hidden {
	border-top: 2px solid #ccc;
	padding: 15px;
}

.deleted_post_collapsed {
	border-top: 3px solid #333;
	padding: 15px;
}

.deleted_post_collapsed .show_deleted_post {
	margin-top: -15px;
}

.deleted_post_collapsed .show_deleted_post a.button span {
	background-position: 0 -400px;
}

Note: JavaScript-related bugs discovered
We have found that some JavaScript-based functions (such as inline moderation) may not work properly under MyBB 1.8.9. Please refer to the Community thread for detailed instructions on how to patch the code while we prepare a fixed package.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send security-related messages through the Contact Us page on the MyBB website or in our Private Inquiries forum, where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Securing your MyBB forums with HTTPS

The Web has been using encrypted WWW connections for over two decades now. First used by entities processing critical information on the Internet like banks and online shops, https:// is progressively becoming the protocol an everyday user would expect as of 2016: the Google Transparency Report shows that the average number of page loads over HTTPS has exceeded 50%, similarly to telemetry data trends from Mozilla, aided by Let’s Encrypt, a new certificate authority issuing free certificates since April.

With the dependency on Internet communications heavier than ever, simple and common mistakes often result in leaks and breaches that endanger not only the security or integrity of services, but also the privacy of their users: passwords, real names, locations, e-mail and IP addresses, browsing patterns and other personally identifiable information. Even static websites receive such data and the argument of not expecting to process sensitive information is not valid.

TLS has exactly one performance problem: it is not used widely enough.
Everything else can be optimized.

The range of possible attacks on unsecured websites is broad and you may not always be aware of the risks of providing and using websites using the unencrypted version of HTTP. Simply launching a rogue Wi-Fi hotspot in a public place can allow anyone to intercept raw traffic without much hassle. Similarly, Internet service providers and mobile network operators can allow governments to put their hands (however tiny they might be — the governments, of course) on your data regardless of intent or permissions, be forced to do so by the law or have their communications eavesdropped by passive interception of traffic.

Besides protecting services and people, upgrading the protocol has many upsides: the new HTTP/2, which increases the speed of web connections, is available only when used with encryption, and Google will prioritize websites using HTTPS in its search results. Encrypted transmissions mean that nobody will be able to manipulate your pages to inject malware or their own ads, which is often the case with public access points or airplane connections. In order to push the adoption of encryption, major browsers will start notifying users of the dangers resulting from using unsecured websites. MyBB is proud to support this movement of creating a faster and safer web.

[Image: Chrome for Android UI's HTTPS indication. Caption: Secure connection to the Community forums — so claims Chrome for Android]

The HTTPS setup tools are constantly being improved and the process is getting easier and faster; moreover, you can find numerous guides and tutorials for different platforms and scripts. What’s been missing, though, is a list of steps specific to MyBB, because not every board administrator is experienced enough to make use of instructions that are either very generalized or very specific to scripts other than ours.
Having jumped into the rabbit hole of technical details of securing our project’s websites and climbed back (which we’ll shed light on soon!), we created a comprehensive guidebook on enabling HTTPS that covers the most vital aspects of securing boards you manage.
We strongly recommend that all webmasters and administrators who are not yet running on HTTPS upgrade their installations as soon as possible, and we encourage them to treat the security and privacy of their users with utmost importance: every secured location makes a difference in today’s interconnected web.

Setting up HTTPS — MyBB Documentation →