A farewell to Tom Moore

It’s with great sadness that I have to announce that Tom Moore (Tomm M on the community forums) has decided to depart from the MyBB Team.

Since joining the dev team in 2009, Tom has been at the forefront of MyBB development, even more so after the departure of Ryan Gordon. Having led the 1.6 series throughout its life, fixing countless bugs and issues, and putting his ideas and talent into 1.8, MyBB today rests upon Tom’s vision and hard work. His dedication and will have been undeniable, and we wish him the best for the future and for whatever comes next.

What does this mean for MyBB?

While it’s sad to see such a talented developer leave the team, it’s often something which is expected with open source software. We believe that even though we no longer have Tom, there will always be developers out there willing to carry on his vision and continue to bring MyBB to the people. We’re very excited to see what comes next for MyBB, and we hope you are too.

A message from Tom to all…

To all at MyBB,

It’s with a heavy heart that I’ll be departing from the MyBB Team who, in every respect, has been more of a family over the last 5 years. We’ve fought, argued and definitely fallen out more than a few times but a single aim has always been at the front of thinking for every team member (past and present): to create the best free forum software for your community.

This niche software industry, which many thought would be swallowed by social networks, is thriving with seemingly new competitors every week. Each with their own gimmick, of course. But they often fail where MyBB succeeds due to 3 basic principles that haven’t changed in its 10 year history: extensibility, ease of use and functionality.

It’s inevitable that MyBB must change for the modern user, and you shouldn’t fear this, as following these principles and focusing on putting great content at the heart of the software can only mean another great product from one of the most talented teams I’ve had the privilege to be a part of. The future of this forum software is exciting and I can’t wait for everyone to (eventually!) use it.

I wish you and your communities the very best of luck.

– Tomm

MyBB 1.6.11 Released – Security & Maintenance Release

MyBB 1.6.11 is now available from the MyBB website and is a security and maintenance release.

Important Security Patches

It was reported to us by Philly that a user was able to register on his forum with three ‘emoji’ characters, which led to the user becoming “unregistered”. After looking into this issue we discovered it was more complex than originally thought.

The technical explanation is that MySQL’s utf8 implementation only supports up to 3 bytes per character. When someone tries to insert a string containing a 4-byte UTF-8 character into the database, MySQL truncates the string immediately before the 4-byte character. Not only does this affect security, it affects the user’s experience, as half of their post or private message could be lost without them knowing why.

The vulnerability was exploited by a user registering on a forum with a username consisting only of 4-byte UTF-8 characters. As explained above, MySQL truncates the string before the first occurrence of a 4-byte UTF-8 character, which led to the username column becoming empty. When someone sent a PM it would be automatically sent to the nameless user, who would be able to read it.

This security issue affects MySQL databases with a utf8_general_ci collation (it may also affect utf8_unicode_ci collations). If you’re using a SQLite or PostgreSQL database you’re not affected by this.
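As an added illustration (not MyBB’s own code), the Python below models the truncation described above and shows the kind of input check that stops a username made only of 4-byte characters from being stored as an empty string. The sample usernames are constructed.

```python
# Added example (not MyBB's own code): model the 3-byte MySQL `utf8`
# truncation described in the advisory, plus the input check that blocks it.
# All sample usernames below are constructed.

SMILE = "\U0001F600"  # one 4-byte UTF-8 character (code point above U+FFFF)


def needs_4_bytes(ch: str) -> bool:
    """True for code points that take 4 bytes in UTF-8, i.e. above U+FFFF."""
    return len(ch.encode("utf-8")) == 4


def mysql_utf8_store(value: str) -> str:
    """Model of what MySQL's legacy 3-byte `utf8` charset keeps in non-strict
    mode: everything up to, but not including, the first 4-byte character."""
    for i, ch in enumerate(value):
        if needs_4_bytes(ch):
            return value[:i]
    return value


def validate_username(value: str) -> tuple[bool, str]:
    """Reject a username before it reaches the database whenever the stored
    form would differ from what the user typed, or would end up empty."""
    if any(needs_4_bytes(ch) for ch in value):
        return False, "username contains characters the database cannot store"
    if value.strip() == "":
        return False, "username is empty"
    return True, "ok"


# The durable fix is the `utf8mb4` charset (MySQL 5.5.3 and later), which
# stores 4-byte characters; until then, reject them at the application layer.
if __name__ == "__main__":
    for name in [SMILE * 3, "Tomm" + SMILE + "M", "Tomm"]:
        print(repr(name), "->", repr(mysql_utf8_store(name)), validate_username(name))
```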

What’s added/changed in this version?

This release fixes 5 vulnerabilities and over 65 reported issues causing incorrect functionality of MyBB. Please be aware that, to be able to provide easy-to-manage updates, not all issues have been fixed in this version.

  • Vulnerabilities:
    • High Risk: Authorization bypass vulnerability within the PM system – reported by Philly
    • Medium Risk: Accounts without login keys could be hijacked – reported by StefanT
    • Low Risk: Weakness within the generate_post_check() function – reported by Nathan Malcolm
    • Low Risk: Anonymous statistics may not always be anonymous – reported by Nathan Malcolm
    • Low Risk: Database backups are exposed in logs – reported by Nathan Malcolm
  • Fixed issues in 1.6.11
  • Unfixed issues

Please view the 1.6.11 changes on the Docs site for more information about the changes in this version.

Upgrading from 1.6.10 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 4 language files. 5 templates have been changed or added.

If you’re using MyBB 1.6.10

If you’re using MyBB 1.6.9 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team