Introducing the new Extend MyBB platform

This past October, we announced a comprehensive update was in the works for Extend MyBB. Today, we are pleased to announce that those changes are now live. As we mentioned then, the entire Extend MyBB platform has been completely redesigned with a new, far more intuitive user interface.

The majority of the functionality remains the same; however, there have been some notable changes and improvements worth mentioning.

What’s changed?

New build review process

Previously, when a new build was uploaded, it was marked as a dev build. These builds were available for download to the public. You could then mark a build as stable, which would then place the build in a queue for a member of the MyBB staff to review. This queue often became long, leading to siginifcant delays in reviewing builds. Additionally, the distinction between dev builds and stable builds was not abundantly clear.

Starting today, for both new and existing projects, you will be able to mark builds as development or stable at any time without any review from MyBB staff. Instead, there is a new Reviewed by Staff badge and queue, separate from the dev/stable status, to distinguish builds that have been reviewed by the MyBB staff. Both dev builds and stable builds can be submitted for review by MyBB staff. Whether or not a build has been reviewed by MyBB staff is indicated on the build’s download page.

All builds that, prior to today, had been marked as stable are now also marked as Reviewed by Staff.

Build version numbering

You can now specify a version number for each build rather than relying on the change logs and build numbers to differentiate between builds. Build version numbers do not have to be unique, meaning, for instance, you can upload development builds of a new version of a plugin before uploading a stable build with the same version number. When uploading a new build or editing an existing build, you also have the option of automatically updating the project’s version number to match the build you are uploading or editing.

Recommendations are now Stars

Recommendations have been renamed to stars. The functionality is identical; however, you can now see a listing of all projects that you have starred by going to your My Projects page and clicking on Stars. We felt the name change was appropriate given this added functionality.

Select multiple categories

There are often plugins (and themes) that fall into multiple categories. Previously, you were required to select a single category that best described your project. No more. You can now select multiple categories for plugin, theme, and graphics projects, or, if none of them fit, you don’t have to select any category (eliminating the “Miscellaneous” categories). Most of the plugin categories remain unchanged; however, theme categories have changed significantly and most themes will need to select a new category.

Translations improvements

In an effort to make finding the MyBB translation for your language easier, we have streamlined translations projects to ensure they will be more consistent moving forward. Translations can no longer upload preview images; instead, there are a number of pre-defined languages with pre-selected flags that you can choose from when uploading a translation. If the language for the translation you are uploading is not available, you can manually specify the language. However, we encourage you to contact us in Private Inquiries so your language can be added to the drop down menu, allowing a flag to be displayed alongside your translation.

Changes to preview images

Preview images can now be re-ordered rather than being displayed in an arbitrary order. Additionally, we now recommend you upload a square image of at least 200px x 200px for your cover image.

Additionally, due to changes with thumbnail sizes for all preview images, it is highly recommended that you re-upload your preview images so that the thumbnails can be re-generated at the appropriate size.

Wrapping up

A lot of time has been spent in redesigning and improving the MyBB Extend platform and we hope you find it easier to use. While it has undergone significant testing, it is still likely that there will be a few bugs in the upgraded platform. Please post about any bugs or issues you experience in the MyBB.com Community & Site Issues forum, including detailed instructions on how to reproduce the bug.

Enjoy!

Organizational changes in the MyBB Project

As the MyBB 2.0 development gains traction again — a joint effort of the Team and our technical Community — we are passing an important milestone in the area of the Project’s organization. Entirely new concepts, de-facto standards and unspoken rules, either improving the fluency within the Team or aimed at increasing MyBB’s maturity (and sometimes both), are being continuously brainstormed. We would like to share our progress so far in areas we are confident about.

PSR standards conformance from MyBB 2.0

World Standards Day / International standards day is celebrated internationally each year on 14 October. […] The United States held a 2014 U.S. Celebration […] on 23 October […].

Currently our coding standards are rather specific when compared to other projects in the PHP Community, and may be perceived unnatural (exhibit A: 1.8 development standards) — starting from 2.0, MyBB’s source will be fully conformant with PSR standards. While this means that we will be inevitably choosing a standardized side in one of the greatest arguments in the history of programming, which we have been avoiding for some time (exhibit B: 2.0 Dev Post #5), this decision will assure that our code preserves compatibility of coding style with other PHP projects and frameworks. This should lessen the confusion in Pull Requests and allow new contributors to adapt more easily.

Secure connections to *.mybb.com websites

A simple visit to any of our websites involves many platforms and servers: by connecting to our Documentation on docs.mybb.com, your requests go through our reverse proxy (currently provided by CloudFlare) to hit our Jekyll-powered website hosted on GitHub Pages from the Docs repository, whereas requests to the Blog you are reading this article on go to WordPress.com platform servers instead after following a similar path. Spreading our web presence in such decentralized manner has great advantages with independent availability being the most significant one, however maintaining them all becomes more complicated and introduces security risks with each addition.

In order to aid that, we have launched efforts to start enforcing HTTPS traffic to our websites and inserting security-related HTTP headers — although we don’t control external servers, we were able to set up the most important redirects and directives using the reverse proxy; these changes, combined with Subresource Integrity hashes for external content served on mybb.com and docs.mybb.com, provide a reasonable level of security given access limitations for any project that decides to set up their infrastructure in this fashion. If you happen to randomly browse the Chromium source code, you will discover that the mybb.com domain is now present on the HSTS preload list, making derived browsers enforce HTTPS upon first visit out of the box, helping our case a great deal.

Having control over the server hosting the Community forums and download Resources, we set up additional security headers that are now sent to the browser from both locations and our MyBB installation to serve cookies with the Secure flag, a feature shipped with MyBB 1.8.10. By using a MyBB plugin with a Node.js proxy server, external resources on our forums are now being delivered to users over a secure connection, resolving the issue of insecure content and enhancing their privacy by eliminating the necessity of downloading data directly from third party servers. Even when either one breaks, the Content-Security-Policy header will prevent insecure content from being loaded (the next major version of MyBB will make it possible to include all common security headers, as we will be aiming to eliminate obstacles like inline JavaScript).

You can take a closer look at the gritty details of our current setup here and here.

Team members’ PGP keys now available

The transition of our development process, now headed towards MyBB 2.0, largely impacts the organizational matters of the Project itself — one of recent preparations for an improved release management protocol that are easy to spot is the rollout of PGP keys that can be used to contact Team members, if you have a feeling that your messages sometimes have more recipients than they should (or if you’d rather be safe than sorry and use it out of principle, like we do). These can be found on our refurbished Team page that now also links accounts on social media, acting as backup channels of communication.

Packages integrity and authenticity measures

While keys and fingerprints present themselves excellent on our website, they won’t be used (only) for aesthetic purposes: we will start signing MyBB releases. Designated Team members will be able to submit a public key that will be added an announced on our website and and social media feeds for transparency purposes.
Further, while the hashing algorithm used for internal file verification and passwords in MyBB 1.8 is weak in today’s standards due to the codebase’s age, there is a lot of room for improvement when it comes to verifying the packages. If you’ve been paying attention to the release notes, you’ve probably noticed that we started publishing additional, stronger checksums for each release package as of MyBB 1.8.8. These actions are intended to provide webmasters with a degree of confidence when it comes to integrity of MyBB packages while still maintaining focus on the development of MyBB 2.

Vulnerability assessment with CVSS v3

We always have been trying to provide as much information as we could when it came to security patches after an update, however we were not quite satisfied with limiting the security issue index to a simple low-medium-high scale used in MyBB 1.x. MyBB’s RFC #9 has established one of major foundations of the security process, starting with MyBB 2.0: Each vulnerability fixed in given release will have a CVSS v3 score assigned, as specified in the Common Vulnerability Scoring System, V3 document. The 8 basic metrics will allow us and any third party user, team or organization to assess the exploitability, scope and impact of vulnerabilities and to adjust the rating by adding extra details within the same scale using Temporal and Environmental Metrics, allowing system administrators to prioritize and organize proper responses. For example, a SQL Injection vulnerability in the Moderator Control Panel could be assigned a score of 6.3 (Medium) comprising of base metrics CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, all of which would be published in release notes of corresponding releases.

Spotlight on security research

Another significant part of the Project’s organization plans is to launch a Security Hall of Fame. Researchers reporting security issues and vulnerabilities, provided they follow responsible disclosure standards, will be placed on a dedicated list in recognition of their time and cooperation. In accordance, MyBB will promote post-incident analyses and write-ups, aiming at increasing security awareness and promoting community-based code reviews. To supply you with latest details and articles related to MyBB’s state of security, we have launched a dedicated, technical Twitter feed — make sure to follow @mybbsecurity to let us help you maintain a strong grip over your board’s security.

Securing your MyBB forums with HTTPS

The Web has been using encrypted WWW connections for over two decades now. First used by entities processing critical information on the Internet like banks and online shops, https:// is progressively becoming the protocol an everyday user would expect as of 2016: the Google Transparency Report shows that the average number of page loads over HTTPS has exceeded 50%, similarly to telemetry data trends from Mozilla, aided by Let’s Encrypt, a new certificate authority issuing free certificates since April.

With the dependency on Internet communications heavier than ever, simple and common mistakes often result in leaks and breaches that endanger not only the security or integrity of services, but also the privacy of their users: passwords, real names, locations, e-mail and IP addresses, browsing patterns and other personally identifiable information. Even static websites receive such data and the argument of not expecting to process sensitive information is not valid.

TLS has exactly one performance problem: it is not used widely enough.
Everything else can be optimized.

The range of possible attacks on unsecured websites is broad and you may not always be aware of the risks of providing and using websites using the unencrypted version of HTTP. Simply launching a rogue Wi-Fi hotspot in a public place can allow anyone to intercept raw traffic without much hassle. Similarly, Internet service providers and mobile network operators can allow governments to put their hands (however tiny they might be — the governments, of course) on your data regardless of intent or permissions, be forced to do so by the law or have their communications eavesdropped by passive interception of traffic.

Besides protecting services and people, upgrading the protocol has many upsides — the new HTTP/2, increasing the speed of web connections, is available only when used with encryption; using HTTPS, Google will prioritize your website in the search results. Encrypted transmissions mean that nobody will be able to manipulate your pages to inject malware or own ads, which is often the case with public access points or airplane connections. In order to push the adoption of encryption, major browsers will start notifying users of the dangers resulting from using unsecured websites. MyBB is proud to support this movement of creating a faster and safer web.

Chrome for Android UI's HTTPS indication

Secure connection to the Community forums — so claims Chrome for Android

The HTTPS setup tools are being constantly improved and the process is getting easier and faster, moreover you can find numerous guides and tutorials for different platforms and scripts. What’s been missing though, is a list of steps specific to MyBB because not every board administrator is experienced enough to make use of instructions that are either very generalized or very specific — for scripts other than ours.
Having jumped into the rabbit hole of technical details of securing our project’s websites and climbed back (which we’ll shed light on soon!), we created a comprehensive guidebook on enabling HTTPS that covers the most vital aspects of securing boards you manage.
We strongly recommend all webmasters and administrators upgrade their installations if they’re not running on HTTPS yet as soon as possible and encourage to consider the security and privacy of their users with utmost importance: every secured location makes a difference in today’s interconnected web.

Setting up HTTPS — MyBB Documentation →

Project Updates November 2016

As there have been a number of changes to both the team structure and some development going on, we thought it was time to share some updates on what’s been happening behind the scenes.

Team Changes

There have been a number of changes to the structure of the team over the last couple of months, with a few people leaving, some fresh new faces and some familiar faces returning to the team.

Resignations

We wish farewell to the following team members, and thank them for all of their hard work and contributions:

All of these members left the team because they had limited time. We wish them all the best and we would welcome them back should they find the time to contribute to the project again.

Additions

As well as departures, we also have some new (and some not-so-new) faces joining the ranks.

  • dragonexpert – Recently joined the support team again! He has been helping clear the mods queue since he rejoined the team and we can only thank him for his hard work so far.
  • Shade – Shade has rejoined us on the SQA team, we welcome him back and we are sure that he will contribute to the project.
  • Brad-T – We invited brad to the team to help share his community management expertise with us. We are sure he will help with community issues!
  • Matslom – If you have been following the 2.0 GitHub repo you will see Matslom has been contributing for some time now, including coding the warning system.
  • Wildcard – Another old team member who joined us back, we welcome him back and we are sure he will contribute fully.
  • JordanMussi – Jordan is also a old team member who has joined the community team, We are glad to have him back on board!

Mods Site Queue

It has been no secret for a while that we have had quite a back log of modification submissions waiting to be checked by the team as part of our extensive approval process. With a special thanks to dragonexpert and shade, the mods queue has taken a severe beating over the last couple of weeks, with there being no projects waiting for review for a short time for the first time in a long time!

As ever, if you’ve submitted a project and not heard anything about it being approved or denied, please do feel free to create a new topic in the Private Inquiries forum.

1.8 Development

Over the recent weeks we have had a lot of development progress on the MyBB 1.8 series. A lot of issues have been either getting PR’s fixing them or we have been rejecting them due to the age of the 1.8 series. We have also been reviewing the 1.8 bugs forum and highlighting any issues we felt need to be fixed. We are looking to get the issues on GitHub to current issues that need to be fixed before we move complete focus (except security fixes) to 2.0. Due to the high amount of bug reports we have been unable to reply to every issue but we have compiled an internal list and we are looking at this.

2.0 Development

Recent development on the 2.0 series has been slow, but recently we have seen a large increase in contributions from outside the team. Matslom (who has since joined the team), for instance recently submitted a great Pull Request to add a warning system to 2.0 which has now been merged into the main branch. Additionally, Paradigm has been working on implementing an installer system for 2.0 – something that has been planned for a while and kept being bumped down the priority list.

A lot of the discussion around these developments has been happening on the #20-development channel on the MyBB Discord server, and we would encourage anybody interested in contributing to the development of MyBB to pop in and see what’s going on!

Project Updates October 2016

Recently we have made a number of notable changes to the community and MyBB website. We’d like to share with you what we’ve done and how you can get involved.

RFC Process and transparency policy

For over a year now, the MyBB Team has been using an internal Request For Comments process as a decision making mechanism for issues with high impact on the Project’s present and future as well as a mean of assuring team-wide consensus on matters related to its organization and development. Recently we have decided to start publishing our RFC documents, putting us closer to the goal of maximum transparency. Accordingly, solid plans, workflows and protocols explaining what exactly happens behind the scenes will be posted on our websites as they emerge to enable external feedback and simplify the process of Team onboarding.

You can find all RFC documents that were cleared for disclosure in a dedicated section on MyBB.com.

Code of Conduct in force

As previously announced, we have joined an impressive group of open source projects you may already have heard of by adopting a Code of Conduct provided by the Contributor Covenant. This addition allows us to centralize rules and guidelines that apply in our development and community ecosystems in order to assure professional and inviting environment for everyone interested in getting involved. You can find the new document on our website.

Moving to Discord from IRC

The MyBB IRC channel over at freenode has not been bustling with activity for a while despite several attempts to bring it to life, so internally we discussed and tested alternatives to IRC. Looking for something that is easier for the whole community to engage with, we circled in Discord, which fulfills our needs for accessibility and moderation features. We invited the community to help us during the testing phase and are grateful for those that did – you can already find many members of the MyBB Team on Discord in addition to other valued members of our Community.

While the adoption of the platform appears to be successful, we’ve decided to continue maintaining our IRC presence at #mybb and registered a freenode group to gain more control over our channels. In order to keep the chit-chat uniform, we plan to connect it to Discord using a bot that forwards messages both ways from the IRC channel to its counterpart on Discord — this will assure that no question will go unnoticed.

We’ll see you there!

Join the conversation →

Up Next: Updates to Extend MyBB

While not ready to go live just yet, we are excited to share an update on something Justin, our lead designer, has been working on for the past few weeks: a major visual update to the Extend MyBB platform, commonly known as the MyBB Mods site.

The visual update touches all public-facing aspects of Extend MyBB, simplifying navigation and making its interface easier to use while maintaining existing features. There’s still some more work to do before it’s ready to launch, but we’re sure you’ll love it.

Support for MyBB 1.6.x has ended

Following the recent postponement, the official support for the MyBB 1.6 series has ended as of 1st October 2015.

The 1.6 Support forums have been archived and we will no longer provide assistance regarding the 1.6 series (that does not include the 1.8 upgrading process).

No further maintenance and security releases or updates will be provided for that branch.

We strongly recommend all users who still operate 1.6 boards to upgrade them as soon as possible. Detailed information on performing upgrades can be found in our upgrade instructions. The MyBB Team and the Community can provide further advice on our support forums.

MyBB 1.6 End of Life Announcement

MyBB 1.8 was released almost 9 months ago (September 1st, 2014 for those keeping track) and has since proven to be stable. Therefore we will be concluding maintenance and support for the MyBB 1.6 series, and we encourage everyone who has not already done so to upgrade to MyBB 1.8 as soon as possible.

The end of life date for MyBB 1.6 will be the 1st of September, 2015.

After this date:

  • We will not be offering official support for MyBB 1.6.
  • There will be no further maintenance or security releases for the 1.6 series.
  • The 1.6 support forums will be closed and archived.

If you require information on how to upgrade please consult our upgrade instructions, if you need further support please visit the support forums.

Change of license for MyBB 2.0

MyBB has historically used the Lesser GNU Public License Version 3 (LGPL3) for the MyBB 1.8 series, and the GNU Public License Version 3 (GPL3) in earlier releases.

Both of these licenses are open source licenses, though both have a fair few limitations. The basic limitations of these licenses are best described by TLDRLegal.

For MyBB 2.0, we decided that we wanted to follow a much more clear and simple licensing model. Several licenses were considered, including the extremely open MIT license. In the end, it was decided that both MyBB 2.0 and all of the associated libraries will be released under the BSD 3 Clause (BSD-3) license, which reads as follows:

Copyright (c) 2015, MyBB Group
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This license is much simpler than previous licenses, and has the following basic limitations:

  • You cannot use the MyBB Group trademark or the names, trademarks or logos of any of the project’s contributors.
  • The MyBB Group cannot be held liable for any damages caused by the software.
  • The original copyright must be retained.

This change shouldn’t mean much to many of our average users, and will require no changes in many cases. If you do have any concerns about any legal impact this may have upon you or your sites, please do open a thread in our Private Inquiries forum though we do not claim to be legal experts and a legal professional should be consulted if you have any real concerns.

We hope that this license change will make life a lot easier for users of both the MyBB software and our libraries.

Attack against the community forums prior to 1.8.3 release

The recent 1.8.3 release fixes a high risk SQL injection vulnerability, it is critically important that users upgrade as soon as possible to ensure their systems are safe.

Unfortunately, we wish to inform users that this vulnerability was used against the community forums in the days before it was discovered and patched by our team. The attack was successful in accessing our database, however our logs indicate that only a very small portion of the database was obtained. While we know the size of what was downloaded, we have no way of knowing what data it contained and therefore we cannot rule out that the attacker downloaded a small portion of the users table. The attacker also had access to the ACP for a short period.

In light of this we recommend all community forum users take appropriate precautions on the assumption that their account was accessed. This includes changing your password and monitoring your account for any suspicious activity.

Our understanding is that the attacker used the SQL injection to reset Chris’ community forum password by retrieving the confirmation code, then discover the ACP directory name by searching PMs sent between team members. They were then able to edit the log settings in the ACP to write to a publicly accessible location and create a back-door script on the file-system. Upon discovering the attack we immediately took steps to prevent further access, and we are now confident that the system is secure having searched for any additional back-doors. We have also changed our ACP directory, adopted the new ACP PIN functionality added in 1.8, and used an isolated communication channel to distribute these new details to team members.

We’d like to reiterate that users running the latest version of MyBB are already secured against the vulnerabilities used to gain access to the ACP, and we’ll be using information learned from this attack to further improve security within the ACP in future releases.

Regards,

The MyBB Team.

[UPDATED – IMPORTANT] GitHub Account Compromised

UPDATE: Updated the page in which you should check for suspicious activity. It should be the Admin Logs page, not the Database Backups. You should also rebuild the cache (if you’re on 1.8) for ‘update_check’.

 

Hello,

Yesterday, 14th of November, my (Pirata Nervo) GitHub account was compromised. By taking advantage of that, the attacker made a commit to our GH pages, more specifically one which is retrieved by the MyBB software in order to process version checks. Unfortunately, the attack allowed the attacker to setup Database backups of any MyBB forum, without exception, via JavaScript.

In order for you to know if you were attacked, you must have accessed the Admin CP of your forum from 14th November 23:00 GMT to 15th November 15:30 GMT. If you accessed your AdminCP during this timespan, it is likely that you were attacked. Note that if you’re on 1.8, the version check task may have been executed during this period, which may still allow the attack if you login after this period.

To be sure about it, please log on to your AdminCP now and check your Database Backup Logs from ACP -> Tools & Maintenance -> Administrator Logs. If there is at least one log for a database backup made between that time span mentioned above, you were affected. We strongly recommend you to alert your users about it so they can change their passwords.

 

What you have to do: (in case you were attacked)

  • Alert your users to change password.
  • Change your password.
  • Clear your cookies.
  • ACP -> Tools & Maintenance -> Cache Manager -> Rebuild Cache for ‘update_check’.

 

I’ve already enabled 2 Factor Authentication on my GitHub account and changed my password. I deeply apologize for this event for it was never my intention to cause any harm to anyone but it should be my responsibility to keep my account as secure as possible.

 

My apologies,

Pirata Nervo