[UPDATED – IMPORTANT] GitHub Account Compromised

UPDATE: Updated the page in which you should check for suspicious activity. It should be the Admin Logs page, not the Database Backups. You should also rebuild the cache (if you’re on 1.8) for ‘update_check’.


Hello,

Yesterday, 14th of November, my (Pirata Nervo) GitHub account was compromised. By taking advantage of that, the attacker made a commit to our GH pages, more specifically one which is retrieved by the MyBB software in order to process version checks. Unfortunately, the attack allowed the attacker to set up database backups of any MyBB forum, without exception, via JavaScript.

In order for you to know if you were attacked, you must have accessed the Admin CP of your forum from 14th November 23:00 GMT to 15th November 15:30 GMT. If you accessed your AdminCP during this timespan, it is likely that you were attacked. Note that if you’re on 1.8, the version check task may have been executed during this period, which may still allow the attack if you log in after this period.

To be sure about it, please log on to your AdminCP now and check your Database Backup Logs from ACP -> Tools & Maintenance -> Administrator Logs. If there is at least one log for a database backup made within the time span mentioned above, you were affected. We strongly recommend that you alert your users about it so they can change their passwords.


What you have to do (in case you were attacked):

  • Alert your users to change their passwords.
  • Change your password.
  • Clear your cookies.
  • ACP -> Tools & Maintenance -> Cache Manager -> Rebuild Cache for ‘update_check’.
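The checks above can be scripted against an export of the administrator log. The following is an added example, not code from the announcement or from MyBB; it assumes (as a reader of the MyBB schema, not from this page) that admin actions are stored as rows with `uid`, `ipaddress`, `dateline` (unix time), `module` and `action`, with the backup tool logging under module `tools-backupdb`, and that the 1.8 version-check task records its last run as a unix timestamp. The sample rows are constructed.

```python
from datetime import datetime, timezone

# Assumption (not from the announcement): module name the ACP backup tool
# writes into the admin log. Adjust if your install differs.
BACKUP_MODULE = "tools-backupdb"


def ts(year, month, day, hour, minute):
    """Unix timestamp for a UTC wall-clock time."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# The exposure window stated in the announcement, in GMT/UTC.
WINDOW_START = ts(2014, 11, 14, 23, 0)
WINDOW_END = ts(2014, 11, 15, 15, 30)

# Constructed sample admin-log rows (uid, ip, dateline, module, action).
SAMPLE_ROWS = [
    {"uid": 1, "ipaddress": "192.0.2.10", "dateline": ts(2014, 11, 14, 9, 15),
     "module": "tools-backupdb", "action": "backup"},   # routine, before window
    {"uid": 1, "ipaddress": "192.0.2.10", "dateline": ts(2014, 11, 15, 1, 42),
     "module": "tools-backupdb", "action": "backup"},   # inside window: suspicious
    {"uid": 1, "ipaddress": "192.0.2.10", "dateline": ts(2014, 11, 15, 2, 0),
     "module": "config-settings", "action": "change"},  # not a backup
    {"uid": 2, "ipaddress": "198.51.100.7", "dateline": ts(2014, 11, 16, 8, 0),
     "module": "tools-backupdb", "action": "backup"},   # after window
]


def in_window(dateline, start=WINDOW_START, end=WINDOW_END):
    return start <= dateline <= end


def suspicious_backups(rows, start=WINDOW_START, end=WINDOW_END):
    """Return the admin-log rows that record a database backup inside the window.

    Any hit means the forum was affected per the announcement: the backup was
    triggered by the injected JavaScript while an admin had the ACP open.
    """
    return [
        row for row in rows
        if row["module"] == BACKUP_MODULE and in_window(row["dateline"], start, end)
    ]


def update_check_cache_poisoned(task_lastrun, start=WINDOW_START, end=WINDOW_END):
    """For 1.8 installs: True if the version-check task fetched the update data
    while the GH page was tampered with, so the cached 'update_check' content
    stays malicious until it is rebuilt from the Cache Manager.

    The announcement tells 1.8 admins to rebuild the cache regardless; this only
    tells you whether logins after the window were still exposed.
    """
    return in_window(task_lastrun, start, end)


if __name__ == "__main__":
    for hit in suspicious_backups(SAMPLE_ROWS):
        when = datetime.fromtimestamp(hit["dateline"], tz=timezone.utc)
        print(f"SUSPICIOUS backup by uid {hit['uid']} from {hit['ipaddress']} at {when:%Y-%m-%d %H:%M} UTC")
    print("rebuild update_check:", update_check_cache_poisoned(ts(2014, 11, 15, 3, 0)))
```

Run it against your own log rows (exported from the `adminlog` table) in place of `SAMPLE_ROWS`; one or more hits means the user-password reset the announcement asks for is due.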


I’ve already enabled two-factor authentication on my GitHub account and changed my password. I deeply apologize for this event, for it was never my intention to cause any harm to anyone, but it is my responsibility to keep my account as secure as possible.


My apologies,

Pirata Nervo

MyBB 1.8.2 Released – Security Release

MyBB 1.8.2 is now available from the MyBB website. It fixes 1 high-risk vulnerability, 2 medium-risk vulnerabilities and 2 low-risk vulnerabilities. We recommend that everyone upgrades to this release immediately.
MyBB 1.6.15 is not affected by these vulnerabilities.

What’s added/changed in this version?

The vulnerabilities are:

  • High Risk: An SQL injection vulnerability in member.php
  • Medium Risk: An XSS vulnerability in report.php
  • Medium Risk: An XSS vulnerability in inc/class_parser.php
  • Low Risk: An XSS vulnerability in admin/modules/style/templates.php
  • Low Risk: An XSS vulnerability in admin/modules/config/languages.php

Please note that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.8.1 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are no changes to language files. No templates have been changed or added.

If you’re using MyBB 1.8.0 or lower

  • Download and use the full 1.8.2 Release Package (MD5: 4f6e49b7a457b72dbe8fb47ae5ded430)
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB 1.6.15 Released – Security & Maintenance Release

MyBB 1.6.15 is now available from the MyBB website and is a security and maintenance release. This is the last maintenance release of the 1.6 series.

What’s added/changed in this version?

This release fixes 1 vulnerability and 26 reported issues causing incorrect functionality of MyBB. Please be aware that, in order to keep updates easy to manage, not all reported issues have been fixed in this version.

Please view the 1.6.15 changes on the Docs site for more information about the changes in this version.

Please note that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.6.14 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are changes to 5 language files. No templates have been changed or added.

If you’re using MyBB 1.6.13 or lower

  • Download and use the full 1.6.15 Release Package (MD5: c841982de03104ebb402b958294711d3)
  • Follow the Docs Upgrading Instructions

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Note about updated package

Due to a minor issue with the original packages an updated package set has been released.

If you installed or updated your forums using either the full or changed files packages prior to 12:30 p.m. on August 8, 2014 GMT please download a fresh package from the links above and replace the following file:

modcp.php

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package: the file above will appear as modified if you need to download an updated copy.

We apologise for any inconvenience.

MyBB 1.6.14 Released – Security & Maintenance Release

MyBB 1.6.14 is now available from the MyBB website and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 5 vulnerabilities and 50 reported issues causing incorrect functionality of MyBB. Please be aware that, in order to keep updates easy to manage, not all reported issues have been fixed in this version.

  • Vulnerabilities:
    • Medium Risk: Possibility of executing PHP code through settings – reported by GiantCrocodile
    • Low Risk: An XSS vulnerability in polls.php – reported by AntiPaste
    • Low Risk: An XSS vulnerability in portal.php – reported by AntiPaste
    • Low Risk: Password protected forums can be viewed from the portal – reported by Nathan Malcolm
    • Low Risk: Super moderators have more permissions than expected – reported by JordanMussi
  • Bugs fixed:

Please view the 1.6.14 changes on the Docs site for more information about the changes in this version.

Please note that you do need to run the upgrade script for this version.

Upgrading from 1.6.13 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 10 language files. 9 templates have been changed or added.

If you’re using MyBB 1.6.12 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB 1.6.13 Released – Security & Maintenance Release

MyBB 1.6.13 is now available from the MyBB website and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 4 vulnerabilities and 38 reported issues causing incorrect functionality of MyBB. Please be aware that, in order to keep updates easy to manage, not all reported issues have been fixed in this version.

  • Vulnerabilities:
    • Medium Risk: Possibility of executing PHP code through stylesheets – reported by TonyS
    • Medium Risk: Possibility of executing PHP code through language files – reported by Pirata Nervo
    • Low Risk: An XSS vulnerability in the search system (CVE-2014-1840)
    • Low Risk: Potentially weak random string generator – reported by 1llusion
  • Bugs fixed:

Please view the 1.6.13 changes on the Docs site for more information about the changes in this version.

Please note that you do need to run the upgrade script for this version.

Upgrading from 1.6.12 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 5 language files. 4 templates have been changed or added.

If you’re using MyBB 1.6.11 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Note about updated package

Due to a minor issue with the original packages an updated package set has been released.

If you installed or updated your forums using either the full or changed files packages prior to 9:30 a.m. on April 27, 2014 GMT please download a fresh package from the links above and replace the following file:

admin/modules/style/themes.php

You do not need to run the installer or make any further changes. You can use the file verification tool to determine whether you have the latest package: the file above will appear as modified if you need to download an updated copy.

We apologise for any inconvenience.

MyBB 1.6.12 Released – Security & Maintenance Release

MyBB 1.6.12 is now available from the MyBB website and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 4 vulnerabilities and 10 reported issues causing incorrect functionality of MyBB. Please be aware that, in order to keep updates easy to manage, not all reported issues have been fixed in this version.

  • Vulnerabilities:
    • Medium Risk: An SQL injection vulnerability when editing smilies in the ACP – reported by ChALkeR
    • Medium Risk: An SQL injection vulnerability when deleting posts with Akismet in the ACP – reported by ChALkeR
    • Medium Risk: An XSS vulnerability in video MyCode – reported by ChALkeR
    • Low Risk: An XSS vulnerability in the smilie popup – reported by Spenzert
  • Bugs fixed:

Information on upgrading, template changes and language changes can be found on the Docs site.

Please note that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.6.11 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are changes to 2 language files. No templates have been changed or added.

If you’re using MyBB 1.6.11

If you’re using MyBB 1.6.10 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB 1.6.11 Released – Security & Maintenance Release

MyBB 1.6.11 is now available from the MyBB website and is a security and maintenance release.

Important Security Patches

It was reported to us by Philly that a user was able to register on his forum with three ‘emoji’ characters, which led to the user becoming “unregistered”. After looking into this issue we discovered it was more complex than originally thought.

The technical explanation is that MySQL’s utf8 charset only supports up to 3 bytes per character. When someone tries to insert a string containing a 4-byte UTF-8 character into the database, MySQL truncates the string immediately before the 4-byte character. Not only does this affect security, it affects the user’s experience, as half of their post or private message could be lost without them knowing why.

The vulnerability was exploited by a user registering on a forum with a username consisting only of 4-byte UTF-8 characters. As explained above, MySQL truncates the string before the first occurrence of a 4-byte UTF-8 character, which left the username column empty. When someone sent a PM it would be automatically sent to the nameless user, who would be able to read it.

This security issue affects MySQL databases with a utf8_general_ci collation (utf8_unicode_ci collations may be affected as well). If you’re using a SQLite or PostgreSQL database you’re not affected by this.
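The truncation described above can be modelled and guarded against in a few lines. The following is an added example, not MyBB’s own validation code; it assumes nothing beyond what the text states (MySQL’s 3-byte utf8 drops everything from the first 4-byte character onward) and uses constructed sample inputs.

```python
import re

# Code points above U+FFFF need 4 bytes in UTF-8. MySQL's 3-byte "utf8"
# charset cannot store them; its "utf8mb4" charset can.
FOUR_BYTE = re.compile(r"[\U00010000-\U0010FFFF]")


def mysql_utf8_truncate(value: str) -> str:
    """Model the behaviour described in the release notes: the stored string is
    cut immediately before the first 4-byte character. No error is raised,
    which is why the loss went unnoticed by users."""
    m = FOUR_BYTE.search(value)
    return value if m is None else value[: m.start()]


def has_four_byte_chars(value: str) -> bool:
    return FOUR_BYTE.search(value) is not None


def validate_username(username: str) -> tuple[bool, str]:
    """Reject a username that the database would silently alter on insert.

    Returns (ok, reason). This is the check an application on a 3-byte utf8
    schema needs: compare what would be stored with what was submitted, and
    refuse names that would end up empty (the 1.6.11 PM-hijack case).
    """
    stored = mysql_utf8_truncate(username)
    if not stored.strip():
        return False, "username would be stored as empty"
    if stored != username:
        return False, "username contains characters the utf8 charset cannot store"
    return True, ""


# Constructed sample inputs (U+1F600 is a 4-byte emoji).
THREE_EMOJI = "\U0001F600" * 3
MIXED = "bob\U0001F600smith"
PM_BODY = "Meet at the usual place \U0001F600 and bring the documents"

if __name__ == "__main__":
    print(repr(mysql_utf8_truncate(THREE_EMOJI)))   # '' : nameless user
    print(repr(mysql_utf8_truncate(MIXED)))         # 'bob'
    print(repr(mysql_utf8_truncate(PM_BODY)))       # message silently cut short
    print(validate_username(THREE_EMOJI))
    print(validate_username("alice"))
```

The durable fix is to migrate the schema to utf8mb4; until then, rejecting (or replacing) 4-byte characters before insert is what prevents both the data loss and the empty-username case.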

What’s added/changed in this version?

This release fixes 5 vulnerabilities and over 65 reported issues causing incorrect functionality of MyBB. Please be aware that, in order to keep updates easy to manage, not all reported issues have been fixed in this version.

  • Vulnerabilities:
    • High Risk: Authorization bypass vulnerability within the PM system – reported by Philly
    • Medium Risk: Accounts without login keys could be hijacked – reported by StefanT
    • Low Risk: Weakness within the generate_post_check() function – reported by Nathan Malcolm
    • Low Risk: Anonymous statistics may not always be anonymous – reported by Nathan Malcolm
    • Low Risk: Database backups are exposed in logs – reported by Nathan Malcolm
  • Fixed issues in 1.6.11
  • Unfixed issues

Please view the 1.6.11 changes on the Docs site for more information about the changes in this version.

Upgrading from 1.6.10 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 4 language files. 5 templates have been changed or added.

If you’re using MyBB 1.6.10

If you’re using MyBB 1.6.9 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB 1.6.10 Released – Security & Maintenance Release

MyBB 1.6.10 is now available from the MyBB website and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 7 vulnerabilities and over 95 reported issues causing incorrect functionality of MyBB. Please be aware that, in order to keep updates easy to manage, not all reported issues have been fixed in this version.

A considerable amount of effort has been put into MyBB 1.6.10 to fix a myriad of issues with PHP 5.4. This is the main reason why the release has been delayed until now. MyBB 1.6.10 should now be compatible with PHP 5.4 hosts.

  • Vulnerabilities:
    • Low Risk: Potential SQL Injection when optimizing the database – reported by Jakub Galczyk
    • Low Risk: Potential SQL Injection when creating the database backups – reported by StefanT
    • Low Risk: Potential XSS vulnerability in theme name – reported by pandaa
    • Low Risk: Improper permission checks for forums where you can only see your own threads – reported by Jordan Mussi and StefanT
    • Non Critical: XSS vulnerability on debug page – reported by 1llusion
    • Non Critical: Improper input validation in modcp.php – reported by 1llusion
    • Non Critical: Improper input validation in calendar.php – reported by Jakub Galczyk
  • Fixed issues in 1.6.10
  • Unfixed issues

Please view the 1.6.10 changes on the Docs site for more information about the changes in this version.

Upgrading from 1.6.9 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 12 language files. 25 templates have been changed or added.

If you’re using MyBB 1.6.9

If you’re using MyBB 1.6.8 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB 1.6.9 Security Release

MyBB 1.6.9 is now available from the MyBB website and is a security release for the 1.6 series.

What’s added/changed in this version?

It has come to our attention that there is an SQL injection vulnerability in all versions of MyBB, including MyBB 1.6.8. We advise all MyBB forum owners to upgrade their forum as soon as possible.

With thanks to frostschutz and StefanT for finding and reporting these issues.

Vulnerabilities fixed:

  • High Risk: An SQL injection vulnerability when editing a post
  • Medium Risk: CAPTCHA systems ineffective, allowing possible brute-force access

Bugs fixed:

  • An issue with the editor not working in Firefox 16 and above

We apologise for any inconvenience.

Upgrading from 1.6.8 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 1 language file (messages.lang.php). There are changes to 3 templates (portal_welcome_guesttext, loginbox & codebuttons).

If you’re using MyBB 1.6.8

If you’re using MyBB 1.6.7 or below

Reporting MyBB Security Vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thank you,

MyBB Team

Using Pirated Mods

Recently we have been made aware of several MyBB plugins circulating around the internet, in particular pirated mods, which are specifically designed to cause malicious harm to their users. One specific example which has come to our attention attempts to delete all the records from your database, and delete your MyBB files. This would obviously have a devastating impact on anyone who happened to install this plugin.

We’d like to remind users of the immense power plugins have which, when used incorrectly, could have security implications for your forum. Theme files can also contain backdoor PHP scripts which can grant access to your server. Therefore, great care should be taken both in terms of which plugins are installed and where the modifications were obtained from. Specifically, nulled or pirated mods pose the biggest threat of all, given that the origin of the file is unknown and any sharer could have inserted malicious code.

Even when downloading mods directly from the author we recommend thoroughly researching both the plugin/theme and the author to establish that they are reputable and have a good standing with their customers and users.

If you have any further questions, concerns or examples please don’t hesitate to contact us via the Private Inquiries forum.

Regards, The MyBB Team.