MyBB 1.8.19 Released — Security & Maintenance Release

MyBB 1.8.19 is now available, and is a security & maintenance release.

This update includes improved compatibility with PostgreSQL and resolves regressions from previous versions. Administrators may need to update CSS code in global.css for customized themes.

  • 4 security vulnerabilities addressed:

    • High risk: Email field SQL Injection — reported by StefanT
    • Medium risk: Video MyCode Persistent XSS in Visual Editor — reported by Numan OZDEMIR of InfinitumIT
    • Low risk: Insufficient permission check in User CP’s attachment management — reported by StefanT
    • Low risk: Insufficient email address verification — reported by StefanT
  • 8 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

Blueprinting Automatic Updates for PHP Applications

Keeping MyBB boards secure is a team effort. Security issues discovered and reported by external researchers and our core developers are analysed, fixed and included in final packages. The process doesn’t end there however: it is essential that administrators are notified to update their forums as soon as possible in order to prevent the addressed vulnerabilities from being exploited in an attack on their boards and users.

Learn More

Our recently published summaries, recommendations and links to reviewed guides in the SECURITY.md file contain many resources forum administrators can use to secure their boards against both opportunist and experienced digital criminals. First and foremost though, we always recommend that users keep their MyBB installs up to date. We also suggest using the new subscription feature for all used plugins and themes on Extend.

Based on our experience, even large discussion boards that don’t have dedicated technicians tend to use outdated versions of MyBB and the situation in the area of extensions might be equally concerning. Not unlike other software, periodical updates are the main method of delivery for security patches — most MyBB releases contain fixes plugging security holes ranging from theoretical risks to critical vulnerabilities.

Issues Addressed in MyBB 1.8.x by Version

The need for continuous response to vulnerability reports is a strong argument for making the reduction of manual effort needed to keep our packages up to date a long-term goal.

In this post we’ll explore what keeps our developers up at night that also affects MyBB’s ability to introduce automated updates, and how the mechanism might be actually implemented once the system — currently being rebuilt for version 1.9 and subsequent branches — is ready.

Continue reading

MyBB 1.8.18 Released — Security & Maintenance Release

MyBB 1.8.18 is now available, and is a security & maintenance release.

Changes include added support for Mixer videos and multi-file attachments, modified Word Filter behavior, fixes to the mailing queue and improved compatibility with SQLite and MySQL 8. Theme CSS changes may be required and administrators may need to review Word Filters.

  • 2 security vulnerabilities addressed:

    • High risk: Image MyCode “alt” attribute persistent XSS — reported by Punisher_HF
    • Medium risk: RSS Atom 1.0 item title persistent XSS — reported by 0xB9
  • 30 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.16 Released — Security & Maintenance Release

MyBB 1.8.16 is now available, and is a security & maintenance release.

This update includes compatibility fixes for database engines and recent PHP versions as well as performance and global security improvements. Note that the theme’s CSS files may need to be updated. If you use the login_attempt_check() function, note that its signature has changed.

 

  • 6 security vulnerabilities addressed:
    • High risk: Image & URL MyCode Persistent XSS — reported by Punisher_HF
    • Medium risk: Multipage Reflected XSS — reported by Dimaz Arno of Ethic Ninja
    • Low risk: ACP logs XSS — reported by Cillian Collins
    • Low risk: Arbitrary file deletion via ACP’s Settings — reported by Devilshakerz of MyBB Team
    • Low risk: Login CSRF — reported by Cillian Collins
    • Low risk: Non-video content embedding via Video MyCode — reported by Punisher_HF
  • 66 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

 

Issues on Upgrade?

 

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

Building software packages with Docker and Phing

Every meaningful set of development activity in open-source projects like MyBB is followed by an official release that merges in additional lines of production, like security updates, and wraps it up with descriptions and instructions easy to understand for non-developers and site maintainers. Currently the most popular way of distributing updates to PHP-based software is file packages: project managers have to scramble to gather and bundle all files and associated documentation while site administrators are expected to keep track of (and sometimes interpret) this information.

This, to convenience of site administrators and ours, is planned to improve upon adoption of concepts like continuous integration that put emphasis on making all products deployable after every change to the code, and the integration of tools like Composer, which ease the pains of managing third-party solutions and allow to separate one big product into small, handy modules. Even though conveniences like fully automated updates will take time to become reality with informal open-source projects (where the technicalities are much easier to implement than procedures that provide a reasonable level of security), MyBB moves closer to that with eliminating manual tasks covering a broad range of activities that precede each release—the last 4 versions of MyBB (starting with 1.8.12) have been build using the recently published package builder.

The MyBB build repository

Rewriting Memos in XML & PHP

The core part of the builder’s logic is Phing, an Apache Ant-based PHP task build system. This engine enables developers to specify operations related i.a. to git & patch (extensively used to apply sensitive patches before the release), file encoding and archiving saved in an XML build file. It’s also used to call sub-scripts that list changed files and calculate archive size and checksums, but also perform some project-specific operations like counting modified language files, searching for templates that changed between versions or update plugin hook locations with line number precision. Since the Jekyll-powered MyBB.com website is generated from Markdown & Front Matter data files, the builder also prepares the version’s YaML metadata ready to be put into the repository allowing Release Notes and the Release Blog Post content to be generated.

You Want to Run it on What?

Another important role plays Docker, a platform introducing container systems. You might recognize it from the recently put out image recipe that can be used to deploy MyBB 1.8, however this environment is also used whenever packages need to be assembled. No matter who, where or when participates in the building process, they should be able to use the same precisely defined tools—by running the script inside a container we can assure a degree of confidence in that, given the separation from the host operating system. Our Docker image, based on a trimmed down version of Debian, contains an unsuspicious development toolset including basic packages and a PHP interpreter with customized configuration and the strip-nondeterminism tool that normalizes the output to make it possible to arrive with byte-to-byte equal archives identified by matching checksums. This practice is called build reproducibility which will serve as a vital part in download verification.

Real output (with real git errors) when building MyBB 1.8.15 packages

Visit the mybb/mybb-build repository to set up own production line basing on our code and compare against the latest MyBB release packages (starting with 1.8.15, releases on GitHub include a build package with input necessary to reproduce the output).

The MyBB build repository

Automated packaging does not only leave more time for other aspects of running large-scale projects, but also assures that every update is brought to users without potential mistakes that could have been made otherwise with manual assembling. Furthermore, whenever mistakes are spotted, the archives can be quickly rebuilt and pushed out—less emphasis will be put on singular releases and more on their continuous delivery with seamless upgrades that MyBB will be working on.

MyBB 1.8.15 Released — Security & Maintenance Release

MyBB 1.8.15 is now available, and is a security & maintenance release.

This update includes compatibility improvements for PostgreSQL and recent PHP versions as well as minor optimizations.

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.14 Released — Security & Maintenance Release

MyBB 1.8.14 is now available, and is a security & maintenance release.

This update applies security patches and fixes minor issues related to the upgrade script included in the previous version.

  • 2 security vulnerabilities addressed:

    • High risk: Language file headers RCE — reported by Julian Rittweger
    • Low risk: Language Pack Properties XSS — reported by Julian Rittweger
  • 2 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.13 Released — Security & Maintenance Release

MyBB 1.8.13 is now available, and is a security & maintenance release.

This update includes fixes related to compatibility with PostgreSQL, SQLite and PHP 7.2 and resolves attachment HTML output problems. Note that the theme’s CSS files may need to be updated. Please see this post on the community forum for more information.

  • 7 security vulnerabilities addressed:
    • High risk: Installer RCE on configuration file write — reported by pabstersac
    • High risk: Language file headers RCE — reported by Julian Rittweger
    • Medium risk: Installer XSS — reported by pabstersac
    • Medium risk: Mod CP Edit Profile XSS — reported by Julian Rittweger
    • Low risk: Insufficient moderator permission check in delayed moderation tools — reported by Starpaul20 of MyBB Team
    • Low risk: Announcements HTML filter bypass
    • Low risk: Language Pack Properties XSS — reported by Julian Rittweger
  • 62 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.

If you would like to contribute to the Project, Get Involved.

Thanks,

MyBB Team

Organizational changes in the MyBB Project

As the MyBB 2.0 development gains traction again — a joint effort of the Team and our technical Community — we are passing an important milestone in the area of the Project’s organization. Entirely new concepts, de-facto standards and unspoken rules, either improving the fluency within the Team or aimed at increasing MyBB’s maturity (and sometimes both), are being continuously brainstormed. We would like to share our progress so far in areas we are confident about.

PSR standards conformance from MyBB 2.0

World Standards Day / International standards day is celebrated internationally each year on 14 October. […] The United States held a 2014 U.S. Celebration […] on 23 October […].

Currently our coding standards are rather specific when compared to other projects in the PHP Community, and may be perceived unnatural (exhibit A: 1.8 development standards) — starting from 2.0, MyBB’s source will be fully conformant with PSR standards. While this means that we will be inevitably choosing a standardized side in one of the greatest arguments in the history of programming, which we have been avoiding for some time (exhibit B: 2.0 Dev Post #5), this decision will assure that our code preserves compatibility of coding style with other PHP projects and frameworks. This should lessen the confusion in Pull Requests and allow new contributors to adapt more easily.

Secure connections to *.mybb.com websites

A simple visit to any of our websites involves many platforms and servers: by connecting to our Documentation on docs.mybb.com, your requests go through our reverse proxy (currently provided by CloudFlare) to hit our Jekyll-powered website hosted on GitHub Pages from the Docs repository, whereas requests to the Blog you are reading this article on go to WordPress.com platform servers instead after following a similar path. Spreading our web presence in such decentralized manner has great advantages with independent availability being the most significant one, however maintaining them all becomes more complicated and introduces security risks with each addition.

In order to aid that, we have launched efforts to start enforcing HTTPS traffic to our websites and inserting security-related HTTP headers — although we don’t control external servers, we were able to set up the most important redirects and directives using the reverse proxy; these changes, combined with Subresource Integrity hashes for external content served on mybb.com and docs.mybb.com, provide a reasonable level of security given access limitations for any project that decides to set up their infrastructure in this fashion. If you happen to randomly browse the Chromium source code, you will discover that the mybb.com domain is now present on the HSTS preload list, making derived browsers enforce HTTPS upon first visit out of the box, helping our case a great deal.

Having control over the server hosting the Community forums and download Resources, we set up additional security headers that are now sent to the browser from both locations and our MyBB installation to serve cookies with the Secure flag, a feature shipped with MyBB 1.8.10. By using a MyBB plugin with a Node.js proxy server, external resources on our forums are now being delivered to users over a secure connection, resolving the issue of insecure content and enhancing their privacy by eliminating the necessity of downloading data directly from third party servers. Even when either one breaks, the Content-Security-Policy header will prevent insecure content from being loaded (the next major version of MyBB will make it possible to include all common security headers, as we will be aiming to eliminate obstacles like inline JavaScript).

You can take a closer look at the gritty details of our current setup here and here.

Team members’ PGP keys now available

The transition of our development process, now headed towards MyBB 2.0, largely impacts the organizational matters of the Project itself — one of recent preparations for an improved release management protocol that are easy to spot is the rollout of PGP keys that can be used to contact Team members, if you have a feeling that your messages sometimes have more recipients than they should (or if you’d rather be safe than sorry and use it out of principle, like we do). These can be found on our refurbished Team page that now also links accounts on social media, acting as backup channels of communication.

Packages integrity and authenticity measures

While keys and fingerprints present themselves excellent on our website, they won’t be used (only) for aesthetic purposes: we will start signing MyBB releases. Designated Team members will be able to submit a public key that will be added an announced on our website and and social media feeds for transparency purposes.
Further, while the hashing algorithm used for internal file verification and passwords in MyBB 1.8 is weak in today’s standards due to the codebase’s age, there is a lot of room for improvement when it comes to verifying the packages. If you’ve been paying attention to the release notes, you’ve probably noticed that we started publishing additional, stronger checksums for each release package as of MyBB 1.8.8. These actions are intended to provide webmasters with a degree of confidence when it comes to integrity of MyBB packages while still maintaining focus on the development of MyBB 2.

Vulnerability assessment with CVSS v3

We always have been trying to provide as much information as we could when it came to security patches after an update, however we were not quite satisfied with limiting the security issue index to a simple low-medium-high scale used in MyBB 1.x. MyBB’s RFC #9 has established one of major foundations of the security process, starting with MyBB 2.0: Each vulnerability fixed in given release will have a CVSS v3 score assigned, as specified in the Common Vulnerability Scoring System, V3 document. The 8 basic metrics will allow us and any third party user, team or organization to assess the exploitability, scope and impact of vulnerabilities and to adjust the rating by adding extra details within the same scale using Temporal and Environmental Metrics, allowing system administrators to prioritize and organize proper responses. For example, a SQL Injection vulnerability in the Moderator Control Panel could be assigned a score of 6.3 (Medium) comprising of base metrics CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, all of which would be published in release notes of corresponding releases.

Spotlight on security research

Another significant part of the Project’s organization plans is to launch a Security Hall of Fame. Researchers reporting security issues and vulnerabilities, provided they follow responsible disclosure standards, will be placed on a dedicated list in recognition of their time and cooperation. In accordance, MyBB will promote post-incident analyses and write-ups, aiming at increasing security awareness and promoting community-based code reviews. To supply you with latest details and articles related to MyBB’s state of security, we have launched a dedicated, technical Twitter feed — make sure to follow @mybbsecurity to let us help you maintain a strong grip on your board’s security.

Securing your MyBB forums with HTTPS

The Web has been using encrypted WWW connections for over two decades now. First used by entities processing critical information on the Internet like banks and online shops, https:// is progressively becoming the protocol an everyday user would expect as of 2016: the Google Transparency Report shows that the average number of page loads over HTTPS has exceeded 50%, similarly to telemetry data trends from Mozilla, aided by Let’s Encrypt, a new certificate authority issuing free certificates since April.

With the dependency on Internet communications heavier than ever, simple and common mistakes often result in leaks and breaches that endanger not only the security or integrity of services, but also the privacy of their users: passwords, real names, locations, e-mail and IP addresses, browsing patterns and other personally identifiable information. Even static websites receive such data and the argument of not expecting to process sensitive information is not valid.

TLS has exactly one performance problem: it is not used widely enough.
Everything else can be optimized.

The range of possible attacks on unsecured websites is broad and you may not always be aware of the risks of providing and using websites using the unencrypted version of HTTP. Simply launching a rogue Wi-Fi hotspot in a public place can allow anyone to intercept raw traffic without much hassle. Similarly, Internet service providers and mobile network operators can allow governments to put their hands (however tiny they might be — the governments, of course) on your data regardless of intent or permissions, be forced to do so by the law or have their communications eavesdropped by passive interception of traffic.

Besides protecting services and people, upgrading the protocol has many upsides — the new HTTP/2, increasing the speed of web connections, is available only when used with encryption; using HTTPS, Google will prioritize your website in the search results. Encrypted transmissions mean that nobody will be able to manipulate your pages to inject malware or own ads, which is often the case with public access points or airplane connections. In order to push the adoption of encryption, major browsers will start notifying users of the dangers resulting from using unsecured websites. MyBB is proud to support this movement of creating a faster and safer web.

Chrome for Android UI's HTTPS indication

Secure connection to the Community forums — so claims Chrome for Android

The HTTPS setup tools are being constantly improved and the process is getting easier and faster, moreover you can find numerous guides and tutorials for different platforms and scripts. What’s been missing though, is a list of steps specific to MyBB because not every board administrator is experienced enough to make use of instructions that are either very generalized or very specific — for scripts other than ours.
Having jumped into the rabbit hole of technical details of securing our project’s websites and climbed back (which we’ll shed light on soon!), we created a comprehensive guidebook on enabling HTTPS that covers the most vital aspects of securing boards you manage.
We strongly recommend all webmasters and administrators upgrade their installations if they’re not running on HTTPS yet as soon as possible and encourage to consider the security and privacy of their users with utmost importance: every secured location makes a difference in today’s interconnected web.

Setting up HTTPS — MyBB Documentation →