MyBB 1.8.8 & Merge System 1.8.8 Release

MyBB 1.8.8 is now available from the MyBB website, and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 7 security vulnerabilities and 58 reported issues causing incorrect functionality of MyBB. Please be aware that not all issues have been fixed in this version in order to provide easy to manage updates.

  • Vulnerabilities:
    • Medium risk: Style import CSS overwrite on Windows servers – reported by patryk
    • Medium risk: SQL Injection in the users data handler – reported by afinepl
    • Medium risk: SSRF attack in fetch_remote_file() – reported by dawid_golunski
    • Medium risk: Possible short name access to ACP backups on Windows servers – reported by kevinoclam
    • Low risk: Stored XSS in the ACP – reported by patryk
    • Low risk: Loose comparison false positives – reported by Devilshakerz
    • Low risk: Possible XSS injection in ACP users module – reported by afinepl

Please view the 1.8.8 changes on the Docs site for more information about the changes in this version.

Please note, that you do need to run the upgrade script for this version.

Upgrading from 1.8.7 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 23 language files and 64 templates were changed or added.

If you’re using MyBB 1.8.7:

  • Download and use the Changed Files Package
    • MD5: 43028accb46eecf8016ef5fdc4fe522a
    • SHA1: 2c9985353e87c8710bdcdcf1856b0a6c63961317
    • SHA256: bb479145b44f169c301c21425f78742d8cacd9fd9ef4543c2a5e39ab540f769e
    • SHA512: 47ddbd601d008e9cb7309b328d36df95f901d1935593ded61e70cef22dc1312257266e056e5ea9d214babfd47a0aeb9560e9d11a5abb8d68a244f442467c41854a73f915ee3f4e6bd2f654334ca0f75
  • Follow the Docs Upgrading Instructions

If you’re using MyBB 1.8.6 or lower:

  • Download and use the full 1.8.8 Release Package
    • MD5: 2e09c9fd3b2416ac3fea9bada18d61e5
    • SHA1: 2b8469cb42c3a66ec7e3253aa0cced464585d3dd
    • SHA256: e63bd3ce5b8a7c4166102baa75f0aab1d12fc64379658a027d8bf49a437a469a
    • SHA512: 8dec5923737b11deae578ed02f259acda01ca5bcc9032bc01df1e2d77ce36c54f87e66e42850460c8ea07515d99d4b5da4a73f915ee3f4e6bd2f654334ca0f75
  • Follow the Docs Upgrading Instructions

This update includes security fixes that may need your attention:

  • Additional rules disallowing access to the database backups directory (admin/backups/) were added to htaccess.txt and htaccess-nginx.txt, addressing a security issue affecting Windows installations – remember to update your configuration files.
  • $config['disallowed_remote_hosts'] and $config['disallowed_remote_addresses'] variables, containing default loopback hosts and IPv4 addresses, were added to the inc/config.php file, addressing a SSRF vulnerability – remember to update your configuration files and, if applicable, add further hosts and/or addresses that MyBB shouldn’t attempt to access.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB Merge System 1.8.8

MyBB Merge System 1.8.8 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.8 series.

This release is to ensure that all users of MyBB Merge 1.8 have the latest fixes.

This release fixes several reported issues since the release of 1.8.7, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.

What’s new in this version?

  • 5 bug fixes (View all)
  • Preliminary support for merges from vBulletin 5 installations. This module hasn’t had a lot of testing, so please report back with how vBulletin 5 merges go and always test your merge on a local machine first.

Important note

This will be the last release of the Merge System 1.8. We’re instead concentrating development efforts on MyBB 2.0 and a brand new Merge System to accompany it – please stay tuned for more news on the new merge system!

Thanks,

MyBB Team

Shuttering of the 2.0 host compatibility repository

Not long ago, we started a new project to gather information about the PHP versions that various web hosts support. The aim of this project was to gather a list of web hosting companies who would be able to host the upcoming MyBB 2.0 release.

Since starting that project, we have received several contributions. However, we’ve also since changed the PHP version requirements that we will require for 2.0. As such, we are closing the mybb/2.0-Hosts repository and instead asking that users please make use of the PHP Versions website to track the PHP versions on offer at different hosts. This website operates in a similar way to the old MyBB project, but is much more widely used and already contains information for lots of different hosts. For more information on contribution to the PHP Versions website, please see the contributing guide.

MyBB Seeking Your Help – Open Staff Positions

Hi,

We currently have some open positions on the MyBB Team, especially in SQA. If you’re interested in becoming a part of the team, we’d like to hear from you.

Please note that all positions are on a volunteer basis, you’re under no obligation to stay with the MyBB Group if you have other commitments that need attending.

Requirements

Development

Continued contribution to the quality of either the 1.x or 2.x series, including:

  • Good MyBB and PHP (OOP)/MySQL/JS (jQuery) and/or HTML/CSS knowledge
  • Basic understanding of testing and git/GitHub
  • Laravel familiarity for 2.x development would be welcome
  • At least several qualitative contributions to our GitHub repositories/mods site and/or external GitHub repositories and/or external GitHub repositories (themes if you’re a designer, plugins/code changes if you’re a programmer)
  • Good communication skills in English

Support

Continued support on our forums:

  • Good MyBB/CSS/HTML knowledge, MySQL/PHP/JS (jQuery) knowledge would also be welcome
  • At least 50-100 high-quality support posts
  • Adequate patience when helping inexperienced forum admins
  • Good communication skills in English

Quality Assurance

Continued contribution to the quality of either the 1.x or 2.x series, including:

  • Good MyBB/MyBB plugins/PHP (OOP)/MySQL/JS (jQuery) knowledge
  • Ability to detect and confirm vulnerabilities
  • Basic understanding of testing and git/GitHub
  • Good communication skills in English

How to Apply

All applications should be submitted in the Private Inquiries section: http://community.mybb.com/forum-135.html

Please include the position you’re applying for, background information on yourself, information on your knowledge of MyBB, PHP, MySQL and JavaScript, if necessary, your experience/works and any other information you wish to include.

We will aim to reply to all applications but if you don’t receive a reply, no – we haven’t forgotten about you, it’s just that there are usually too many applications to individually reply to each one. Private messages containing applications/team position queries will be ignored.

Thank you,
MyBB Team

MyBB 2.0 Repositories Are Finally Public

Yep, you read that right. The MyBB 2.0 repositories are finally open to the public for browsing and contribution. The repositories we are opening are:

  • mybb/mybb2 – the core of MyBB 2.0, based on a Laravel skeleton template. This repository contains the core forum and is where the majority of work happens. The overall structure of this repository will be changing through the New Year to make deployment easier on shared hosts and other setups.
  • mybb/Auth – a modified authentication package for MyBB 2.0. This is based around the Laravel 5.0 Auth package, and is about to receive a major overhaul to make use of the Laravel 5.1 and 5.2 authentication changes.
  • mybb/Parser – the core post parser for MyBB 2.0. The majority of the parsing logic has simply been imported from MyBB 1.x in the current incarnation in order to get a working parser implementation. The future plans for this repository include adding further unit tests and refactoring the BBCode/MyCode parsing to use a proper parser/lexer rather than a large jumble of regular expressions.
  • mybb/Settings – the core settings system of MyBB 2.0. This package provides both site-wide and user settings and can easily be used for other projects and plugins. Settings are split into “packages”, with “mybb/core” being the core MyBB package. Further documentation and details will be explained about this package in an upcoming development post.

Browsing these repositories should make it fairly clear that while MyBB 2.0 has had a good start so far, it is still far from done. Original plans were to have an Alpha release available by the end of 2015, but these plans have unfortunately not come to fruition. It is our hope that making these repositories public will bring more contributions, suggestions and feedback from you the community.

For now we are simply opening these repositories, but over the New Year and Christmas holidays we will be documenting our code formatting, contribution guidelines and our roadmap and plans for MyBB 2.0 more fully in the MyBB 2.0 Planned Features forum. Rather than blogging about each of these, we will be writing topics that will be stuck to that forum to provide guidelines about our expectations.

We also plan to keep up our (recently lacking) development blog posts which will cover the usage of the components we are open sourcing as well as other components that will be created in the future. Future components and progress will be developed fully in the open, utilising our new BSD-3 licence.

As a closing note, MyBB 2 is in no way stable yet and should not be used on a live forum at all right now. Open sourcing these repositories is aimed primarily at developers and experienced administrators wanting to provide input and feedback on the future direction of MyBB. No support will be provided for any of the code in these repositories until we reach a Beta release.

We wish all of our users a happy holiday season,

The MyBB team

2.0 Dev Post #6

It’s that time again, time for another MyBB 2.0 dev blog! This post is the sixth in a series of development update posts regarding MyBB 2.0. Currently in pre-alpha, MyBB 2.0 is the long awaited upcoming major version of the open source MyBB forum software. We’ll be posting regular updates (we promise!) in regards to the development to keep you all updated. The development team have been hard at work since our last dev post, adding new features and polishing existing functionality. This post will take a slightly different approach to previous posts by focusing on a single aspect of 2.0 in slightly more detail, namely the new responsive styling. Continue reading

2.0 Dev Post #5

It’s that time again, time for another MyBB 2.0 dev blog! This post is the fifth in a series of development update posts regarding MyBB 2.0. Currently in pre-alpha, MyBB 2.0 is the long awaited upcoming major version of the open source MyBB forum software. We’ll be posting regular updates (we promise!) in regards to the development to keep you all updated. The development team have been hard at work since our last dev post, adding new features and polishing existing functionality. This post will explore some of these new features and highlight our approach to the development of the system.

Note that all screenshots and details contained within these posts are subject to change and is taken from early developmental software; details are in no way indicative of the features or presentation of the final software. Continue reading

2.0 dev post #4

It’s that time again, time for another MyBB 2.0 dev blog! This post is the fourth in a series of development update posts regarding MyBB 2.0.  Currently in pre-alpha, MyBB 2.0 is the long awaited upcoming major version of the open source MyBB forum software.  We’ll be posting regular updates (we promise!) in regards to the development to keep you all updated. The development team have been hard at work since our last dev post, adding new features and polishing existing functionality. This post will explore some of these new features and highlight our approach to the development of the system.

This month has been slightly slower than most due to many of our team members being busy finishing up university courses, exams and more. However, we’ve still managed to work away on new features and plan out new features. In this post, we will review some of the exciting new features and some of the plans we have for the future of 2.0. Continue reading

2.0 dev post #3

It’s that time again, time for another MyBB 2.0 dev blog! This post is the third in a series of development update posts regarding MyBB 2.0.  Currently in pre-alpha, MyBB 2.0 is the long awaited upcoming major version of the open source MyBB forum software.  We’ll be posting regular updates (we promise!) in regards to the development to keep you all updated. The development team have been hard at work since our last dev post, adding new features and polishing existing functionality. This post will explore some of these new features and highlight our approach to the development of the system.

Continue reading

MyBB 1.6 End of Life Announcement

MyBB 1.8 was released almost 9 months ago (September 1st, 2014 for those keeping track) and has since proven to be stable. Therefore we will be concluding maintenance and support for the MyBB 1.6 series, and we encourage everyone who has not already done so to upgrade to MyBB 1.8 as soon as possible.

The end of life date for MyBB 1.6 will be the 1st of September, 2015.

After this date:

  • We will not be offering official support for MyBB 1.6.
  • There will be no further maintenance or security releases for the 1.6 series.
  • The 1.6 support forums will be closed and archived.

If you require information on how to upgrade please consult our upgrade instructions, if you need further support please visit the support forums.

Change of license for MyBB 2.0

MyBB has historically used the Lesser GNU Public License Version 3 (LGPL3) for the MyBB 1.8 series, and the GNU Public License Version 3 (GPL3) in earlier releases.

Both of these licenses are open source licenses, though both have a fair few limitations. The basic limitations of these licenses are best described by TLDRLegal.

For MyBB 2.0, we decided that we wanted to follow a much more clear and simple licensing model. Several licenses were considered, including the extremely open MIT license. In the end, it was decided that both MyBB 2.0 and all of the associated libraries will be released under the BSD 3 Clause (BSD-3) license, which reads as follows:

Copyright (c) 2015, MyBB Group
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This license is much simpler than previous licenses, and has the following basic limitations:

  • You cannot use the MyBB Group trademark or the names, trademarks or logos of any of the project’s contributors.
  • The MyBB Group cannot be held liable for any damages caused by the software.
  • The original copyright must be retained.

This change shouldn’t mean much to many of our average users, and will require no changes in many cases. If you do have any concerns about any legal impact this may have upon you or your sites, please do open a thread in our Private Inquiries forum though we do not claim to be legal experts and a legal professional should be consulted if you have any real concerns.

We hope that this license change will make life a lot easier for users of both the MyBB software and our libraries.