Category Archives: Security

MyBB 1.6.12 Released – Security & Maintenance Release

Posted on by

MyBB 1.6.12 is now available from the MyBB website and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 4 vulnerabilities and 10 reported issues causing incorrect functionality of MyBB. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version.

  • Vulnerabilities:
    • Medium Risk: A SQL vulnerability when editing smilies in ACP – reported by ChALkeR
    • Medium Risk: A SQL vulnerability when deleting posts with Akismet in ACP – reported by ChALkeR
    • Medium Risk: A XSS vulnerability in video MyCode – reported by ChALkeR
    • Low Risk: A XSS vulnerability in smilie popup – reported by Spenzert
  • Bugs fixed:

Information on upgrading, template changes and language changes can be found on the Docs site.

Please note, that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.6.11 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are changes to 2 language files. No templates have been changed or added.

If you’re using MyBB 1.6.11

If you’re using MyBB 1.6.10 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB 1.6.11 Released – Security & Maintenance Release

Posted on by

MyBB 1.6.11 is now available from the MyBB website and is a security and maintenance release.

Important Security Patches

It was reported to us by Philly that a user was able to register on his forum with three ’emoji’ characters which led to the user becoming “unregistered”. After looking in to this issue we discovered it was more complex than originally thought.

The technical explanation is MySQL’s UTF8 implementation only supports up to 3 bytes per character. When someone tries to insert a string containing a 4 byte utf8 character in to the database, MySQL truncates the string immediately before the 4 byte character. Not only does this affect security, it affects the user’s experience as half their post or private message could be lost without them knowing why.

The vulnerability was exploited by a user registering on a forum with a username consisting of only 4 byte UTF8 characters. As I explained before, MySQL truncates the string before the first occurrence of a 4 byte UTF8 character which led to the username column becoming empty. When someone sent a PM it would be automatically sent to the nameless user and they would be able to read it.

This security issue affects MySQL databases with a utf8_general_ci collation (This may also affect utf8_unicode_ci collations too). If you’re using a SQLite or PostgreSQL database you’re not affected by this.

What’s added/changed in this version?

This release fixes 5 vulnerabilities and over 65 reported issues causing incorrect functionality of MyBB. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version.

  • Vulnerabilities:
    • High Risk: Authorization bypass vulnerability within the PM system – reported by Philly
    • Medium Risk: Accounts without login keys could be hijacked – reported by StefanT
    • Low Risk: Weakness within the generate_post_check() function – reported by Nathan Malcolm
    • Low Risk: Anonymous statistics may not always be anonymous – reported by Nathan Malcolm
    • Low Risk: Database backups are exposed in logs – reported by Nathan Malcolm
  • Fixed issues in 1.6.11
  • Unfixed issues

Please view the 1.6.11 changes on the Docs site for more information about the changes in this version.

Upgrading from 1.6.10 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 4 language files. 5 templates have been changed or added.

If you’re using MyBB 1.6.10

If you’re using MyBB 1.6.9 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB 1.6.10 Released – Security & Maintenance Release

Posted on by

MyBB 1.6.10 is now available from the MyBB website and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 7 vulnerabilities and over 95 reported issues causing incorrect functionality of MyBB. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version.

A considerable amount of effort has been put in to MyBB 1.6.10 to fix a myraid of issues with PHP 5.4. This is the main reason why the release has been delayed until now. MyBB 1.6.10 should now be compatible with PHP 5.4 hosts.

  • Vulnerabilities:
    • Low Risk: Potential SQL Injection when optimizing the database – reported by Jakub Galczyk
    • Low Risk: Potential SQL Injection when creating the database backups – reported by StefanT
    • Low Risk: Potential XSS vulnerability in theme name – reported by pandaa
    • Low Risk: Improper permission checks for forums where you can only see your own threads – reported by Jordan Mussi and StefanT
    • Non Critical: XSS vulnerability on debug page – reported by 1llusion
    • Non Critical: Improper input validation in modcp.php – reported by 1llusion
    • Non Critical: Improper input validation in calendar.php – reported by Jakub Galczyk
  • Fixed issues in 1.6.10
  • Unfixed issues

Please view the 1.6.10 changes on the Docs site for more information about the changes in this version.

Upgrading from 1.6.9 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 12 language files. 25 templates have been changed or added.

If you’re using MyBB 1.6.9

If you’re using MyBB 1.6.8 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB 1.6.9 Security Release

Posted on by

MyBB 1.6.9 is now available from the MyBB website and is a security release for the 1.6 series.

What’s added/changed in this version?

It has come to our attention that there is an SQL injection vulnerability in all versions of MyBB, including MyBB 1.6.8. We advise all MyBB forum owners to upgrade their forum as soon as possible.

With thanks to frostschutz and StefanT for finding and reporting these issues.

Vulnerabilities fixed:

  • High Risk: An SQL vulnerability when editing a post
  • Medium Risk: CAPTCHA systems non effective, providing possible brute-force access

Bugs fixed:

  • An issue with the editor not working in Firefox 16 and above

We apologise for any inconvenience.

Upgrading from 1.6.8 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 1 language file (messages.lang.php). There are changes to 3 templates (portal_welcome_guesttext, loginbox & codebuttons).

If you’re using MyBB 1.6.8

If you’re using MyBB 1.6.7 or below

Reporting MyBB Security Vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thank you,

MyBB Team

Using Pirated Mods

Posted on by

Recently we have been made aware of several MyBB plugins circulating around the internet, in particular pirated mods, which are specifically designed to cause malicious harm to their users. One specific example which has come to our attention attempts to delete all the records from your database, and delete your MyBB files. This would obviously have a devastating impact on anyone who happened to install this plugin.

We’d like to remind users of the immense power plugins have which, when used incorrectly, could pose security implications for your forum.  Theme files also can contain backdoor PHP scripts which can grant access to your server.  Therefore, great care should be taken both in terms of which plugins are installed and where the modifications were obtained from. Specifically, nulled or pirated mods pose the biggest threat of all given that the origin of the file is unknown and any sharer could have inserted malicious code.

Even when downloading mods directly from the author we recommend thoroughly researching both the plugin/theme and the author to establish that they are reputable and have a good standing with their customers and users.

If you have any further questions, concerns or examples please don’t hesitate to contact us via the Private Inquiries forum.

Regards, The MyBB Team.

Access to community forums restored, modifications site underway, updates & FAQ

Posted on by

Following on from our We’ll be back soon post yesterday, I just wanted to provide an update on our recovery efforts as well as address a few of the commonly asked questions.

After a comprehensive investigation, including audits of all files on our existing servers as well as an analysis of server and website access logs, we’re happy to confidently say that we do not believe any of our servers were compromised, or our databases accessed.

As you’ve likely noticed, access to the MyBB Community Forums has now been restored. Because we don’t believe the MyBB database was compromised, we have opted to not require users to change their passwords on next login. If you’re having difficulty accessing the forums (for example, if it’s redirecting to http://www.mybb.com, or stylesheets aren’t loading correctly), then please clear your web browser cache and try again.

We’re working on restoring access to the MyBB Mods website as soon as we can, however expect the modifications site take another 24 hours before it can be pushed live.

Our team are also busy working on relaunching the official MyBB documentation, using GitHub Pages. We’re moving away from MediaWiki and wiki-based documentation primarily because we believe our efforts are best focused on maintaining our core website, forums and modifications site rather than managing a slew of third-party applications (this is the same reason why our blog is now powered by WordPress.com). Because GitHub Pages is directly backed to a Git repository, the entire community can still collaborate to our documentation using pull requests.

At this stage, we plan to discontinue the MyBB Ideas site. We believe that through great collaboration on the MyBB Community Forums in our MyBB 1.8 Feature Suggestions and MyBB 2.0 Feature Suggestions forums, together we can build even greater software. It also means there’s one less place to collect feedback from.

We’re taking an overly cautious process with the restoration. If we chose to, we could simply flick all services on again, and have the wiki, modifications site, etc live. Instead, even though we’re confident there was no breach of our servers, we’re still handling the situation if there were. Before anything is relaunched, we’re:

  • Verifying access logs of the site to look for suspicious behavior
  • Verifying the content of the sites by comparing them against previously taken backups (both onsite and offsite, and against backups taken recently and those taken weeks ago) and analysing each and every difference by hand
  • Pushing the content of all websites to our new servers from an offline copy, instead of our old servers
  • Verifying that all of our websites work behind CloudFlare, and implementing caching strategies in CloudFlare to give you even faster page loads

There’s also been a lot of discussion around what legal action we will be taking against those that have attacked us. At this stage, we believe our time and effort is better spent improving and educating users about security, and moving forward with the development of MyBB 1.8, MyBB 2.0, and our rebranding.

Again, we want to thank everyone for their support and patience and look forward to moving onwards and upwards!

Regards,

Chris, Tim, and the rest of the MyBB Team

We’ll be back soon

Posted on by

As most of you who will be reading this are aware, three days ago (beginning the 31st of May) the MyBB.com domain (along with our other domains) were hijacked by a group of hackers (we’re not going to identify them by name but they have been very vocal in claiming responsibility so you should have no problem finding them if you’re so inclined). They also tried to access our server and many other services we use.

At this stage we have access to all our systems back and are in the process of restoring services, however we’re pleased to say that we are also taking this opportunity to retool components of our website and upgrade our server infrastructure.

This blog post will probably be the first of many, but we’ll endeavor to keep you updated as much as possible regarding progress. At this stage we don’t expect all services to be online for at least a week while the new servers are configured and we prepare new components of our website, however this blog is obviously already online and the MyBB home page will be up very soon too.

The story to date

There are still a few missing pieces, but at this stage we have a pretty clear understanding of what happened. Contrary to what has been posted elsewhere, we do not believe social engineering was the culprit, although the hackers did try unsuccessfully to gain access to several of our accounts via this method.

The main incident that lead to the breach was a compromise of Chris’ personal Apple ID (iCloud, etc) account. From there, the hackers were able to reset passwords to our hosting and domain accounts. It’s still not clear how they got access to this account, however they also had numerous personal details about Chris, including contact details and knowledge of at least the last four numbers of his primary credit card.

Fortunately SoftLayer (our host) called Chris when his password was reset which alerted us to the situation unfolding and all public access to the server was shut off soon thereafter. As far we can tell they were not able to log into our server and do not have copies of our databases. We have been very pleased by the response we received from SoftLayer and without their vigilance the situation could have been far worse.

While Chris was trying to reset his passwords to NameCheap (our Domain Registrar at the time) and Apple ID accounts, the hackers even went as far as to remote wipe his iPhone via iCloud to prevent him from having 3G access. Unfortunately they successfully took control of Chris’s NameCheap account and redirected the domain to their defacement page, later we discovered they even tried to transfer the domain.

Unfortunately we did not get the expedited response from NameCheap that we would have hoped for given the severity of the situation, and it was about six hours before we got access to our account back. As a result we have already transferred MyBB.com to another domain registrar with better controls around account security.

Since then we have been planning the recovery effort, including taking the opportunity to improve our infrastructure.  We will be moving to a new server setup, but given our security scare a few months ago we are also auditing the site software we use and only moving what we know is clean to the new server. More details on changes to the site are detailed further down this article.

With regard to why we were targeted, frankly we are baffled by the logic. The group identified MyBB as being targeted because one of our user’s runs an online forum dedicated to hacking. By this same analogy, if someone purchases a car and then uses it to run someone down or damage another’s property, then the manufacturer of the car should be responsible, which is obviously corrupted logic.

The group totes freedom as their cause but by attacking an Open Source project they are undermining freedom in every sense of the word. Anyone is free to download and use our software, no matter if you’re rich or poor, a nurse or a hacker, and the fact they targeted us for this is an utter contradiction of their reasoning.

As many MyBB users will know, we don’t even offer support on our community forums to hacking sites, and there are no exceptions. We can only conclude that attention and notoriety are their true motivations, and that their sense of ethics is a disgrace to the online community. We sincerely hope the perpetrators are brought to justice.

What we’re doing

First and foremost we have adopted two factor authentication wherever possible. As mentioned above, the domain names have already been transferred to a registrar offering two factor authentication, among other security features. We’ll also be adopting two factor authentication on our new servers, and to various internal services. The new servers should improve performance of our website, and CloudFlare has also been setup.

As you might have also noticed, this blog has already been moved from being a locally hosted WordPress installation to being hosted on WordPress.com, which should ensure it is accessible even when our servers are down. We are hoping to make a similar change to the wiki before services are fully restored and as previously announced, development will be moving to GitHub with 1.8. Our goal with moving services offsite is to improve availability, improve maintainability, reduce load on our servers and improve security.

Finally,  although our website infrastructure did not contribute to the intrusion, we are reviewing the security of all our services prior to moving them to our new server to ensure our systems are as secure as they could be.

We thank everyone for their continued patience and support over this difficult time and hope to have everything back online soon.

Regards,

Chris, Tim, and the rest of the MyBB Team

MyBB 1.6.7 Release, Merge 1.6.7 & MyBB 1.8 Development

Posted on by

MyBB 1.6.7 – Security, Maintenance and Feature Release

MyBB 1.6.7 is now available from the MyBB website and is a security, maintenance and feature update.

In 1.6.7 there are 5 new feature updates and over 70 reported issues fixed. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version.

1.6.7 fixes 5 low-risk security vulnerabilities.

  • SQL injection vulnerability within the Admin Control Panel (ACP) in user search (reported by Nathan Malcolm, MyBB SQA Team)
  • SQL injection vulnerability within the ACP in Mail Log (reported by Nathan Malcolm, MyBB SQA Team)
  • SQL injection vulnerability within the ACP in User Inline Moderation (reported by Jammerx2, MyBB Developer)
  • XSS within the ACP where an orphaned attachment has a malformed filename (reported by Nathan Malcolm, MyBB SQA Team)
  • Full Path Disclosure if malformed forumread cookie is used

ACP vulnerabilities require Administrator permissions and so considered low-risk. We recommend planning your upgrade as quickly as possible to ensure your forum is as secure as it can be.

New features included in 1.6.7 update include the ability to login with a username, an email or both. For more information about new features, please see the Wiki on 1.6.7.

View 1.6.7 Changes in the Wiki

Upgrading from 1.6.6 and Other Versions

Before performing any upgrade, please remember to backup your forum’s files and database and store them safely. If you have edited core files, including languages files, please make sure you make a change log for these changes so you can make them again once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are also language and theme changes.

If you’re using MyBB 1.6.6

 

If you’re not using MyBB 1.6.6

 

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

MyBB Merge System 1.6.7

MyBB Merge System 1.6.7 is now available on the MyBB website and is a maintenance update to the MyBB Merge 1.6 series.

This release is to ensure that all users of MyBB Merge 1.6 have the latest fixes.

This release fixes several reported issues since the release of 1.6.3, which caused some incorrect functionality of the Merge System. These bugs have been fixed to provide a more stable version of the Merge System for public use.

What’s new in this version?

  • 3 bug fixes (view all)
  • Version jump to 1.6.7 from 1.6.3 to match the current MyBB Version. From now on we’ll do our best to keep these in sync.

This includes some critical fixes for phpBB that caused infinite loops.

MyBB Mascot Update


We recently held our MyBB Mascot Naming Contest.   Many community members proposed names and after a week a poll with the top names was put up.  After another week of voting, the name “Bolt”, after MyBB founder Chris Boulton, was chosen.  Proposed by Mebes Net, we of the MyBB Team feels this name conveys the strength and speed of MyBB very effectively.

We are proud to present to you the MyBB Mascot, Bolt!

MyBB 1.8 – The Bridge to 2.0

Everyone here at MyBB are proud to announce the impending arrival of our next major feature release – MyBB 1.8.

Over the last 2 months we’ve been developing in secret at our Github lair, plotting to once again attempt to take over the forum world with our evil plans and awesome free software and to celebrate the 10th anniversary of DevBB – our supreme overlord predecessor.

1.8 isn’t as big of an overhaul as 1.2, 1.4 or 1.6 upgrades which introduced more than 100 features; this is more of a facelift. We took Justin, our lead designer, and locked him in a room with nothing but bacon and water until he came up with a new default theme which is taken from one of (if not the) most popular theme collections used by MyBB communities across the world; his Apart series. That’s not all – we developed attachable base colours to themes so that creating (and using) multi-coloured themes no longer involve adding 14 separate styles. You add just one. A new default theme for your Admin Control Panel (ACP) is available too.

For more than half of MyBB’s rule of the forum world, our JavaScript has been powered by Prototype. It was a popular library when we started using it but it has fallen behind a more powerful (and popular) rival and so we’ve consigned it to MyBB history; MyBB 1.8 is powered by jQuery.

Two of the most requested features for MyBB will also be heading to 1.8. With our switch to jQuery, along comes a new post editor (yet to be decided) and a Trash Can – or more the ability to recover deleted posts via the Mod CP.

Along with the regular bug fixes and a host of other planned improvements, such as an APC cache handler, being able to make a cup of hot cocoa, separating the plugin list to active/inactive, making some functions a bit easier to use and projecting your forum’s logo onto the face of the Moon, we’ll be working with MyBB gurus to improve performance, plugin integrations and we’re looking into making the authentication to 3rd party software much easier too with a dedicated login datahandler. It doesn’t have to be just gurus though; we’ll be opening up 1.8 to everyone on Github so that they too can fork, improve, update and become one with the MyBB Team.

We’re all very excited about this release and hope you are too! More information will be coming soon but in the mean time please feel free to suggest more improvements in our Suggestions and Feedback Forum!

Thanks,

MyBB Team

MyBB 1.6.6 Security Release

Posted on by

MyBB 1.6.6 is now available from the MyBB website and is a security release for the 1.6 series.

What’s added/changed in this version?

In 1.6.6, 1 major issue and 14 low risk vulnerabilities have been fixed. Only the issues listed below are fixed; a further maintenance release will be available with general fixes to functionality in the near future.

  • Vulnerabilities:
    • Non Critical: Import a non-CSS stylesheet (Theme)
    • Low Risk: CSRF vulnerability on Admin CP logout (Issue #1769)
    • Low Risk: CSRF vulnerability when clearing a stored password (Issue #1824)
    • Low Risk: CSRF vulnerability when removing a buddy (Issue #1825)
    • Low Risk: CSRF vulnerability with Admin CP join requests (Issue #1834)
    • Low Risk: CSRF vulnerability in Group Promotions Enable/Disable
    • Low Risk: CSRF vulnerability in ACP Edit User (Avatar)
    • Low Risk: CSRF vulnerability with activating a user
    • Low Risk: XSS vulnerability when moving an event (Calendar)
    • Low Risk: XSS vulnerabilities in Akismet plugin
    • Low Risk: XSS vulnerabilities in Forum Subscriptions (User CP)
    • Low Risk: XSS vulnerability in Moderator Logs
    • Low Risk: XSS vulnerability in Edit Post
    • Low Risk: XSS vulnerability when editing Announcements

    Thanks to SQA Team Member Nathan Malcolm for finding all of these!

  • Vanishing Announcements in 1.6.5 (Issue #1781, #1785) – with thanks to Paul H and Vini Holden.

For more information on these vulnerabilities, please view the 1.6.6 Changes in the Wiki.

Upgrading from 1.6.5 and Other Versions

Before performing any upgrade, please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 1 language file. There is 1 change to themes. Please view the 1.6.6 Changes in the Wiki for more information about these changes.

If you’re using MyBB 1.6.5

If you’re not using MyBB 1.6.5

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thank you,
MyBB Team

Plugin Exploits (Being reported as MyBB 1.6.5 Exploits)

Posted on by

Hello everyone,

We’d like to inform you that two security holes were found in two plugins which are very common on multiple MyBB forums out there. The affected plugins are the following:

[ SEO ] Simple Tag Cloud Plugin (Tags) by Watt
FBConnect (not available on our Mods site) by Nayar

The first was unapproved and a PM was sent to the plugin author and until the author fixes the issue it will remain unapproved on the Mods site.
The second has been updated already and the issue has been fixed. If you’re looking for the fixed version, it is available on the author’s website as well as on the MyBB community forums here.

We strongly advise you to remove the first plugin entirely from your forum and either remove the second one or install the fixed version.
We also recommend you to do the necessary searching for any data that may have been compromised.

On a side note, numerous “exploiting scripts” have been spreading throughout the internet which refer to these two vulnerabilities as if they were vulnerabilities in MyBB itself and that is not true.

Thank you,
MyBB Team