1.6.4 Security Vulnerability

When 1.6.4 was announced almost 3 months ago it was one of the biggest updates MyBB has ever released. It fixed over 100 issues and brought performance improvements for MyBB forums – large or small – across the world. It was also popular for people who were new to MyBB – starting their project for the first time.

Unfortunately, the 1.6.4 release files were contaminated by code that was not meant to be there and could open a security vulnerability on your forum. It only affects those that are running 1.6.4.

We advise that you fix the problem as soon as you can. You can do so by following these instructions:

  • Download the latest release of MyBB.
  • Replace ./index.php (in the root folder of your forum) with the one in the download (./Upload/index.php).
  • Remove the ./install/ folder

OR

  • Download and follow the 1.6.4 Patch Instructions
  • If you are unable to find the affected areas, this issue does not affect you. Otherwise, remove the ./install/ folder.

If you have any problems, please report them in the General Support Forum on the Community. If you have renamed ‘index.php’, for example if you’re using the portal as your homepage, please remember to update the correct file accordingly.
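Both sets of instructions come down to two checks that can be scripted. The following is an added example, not MyBB's own tooling: it compares the deployed index file with the index.php from a freshly downloaded release by SHA-256 and reports whether ./install/ is still present. The function names, the `index_name` parameter for a renamed index.php, and the sample trees are assumptions constructed for illustration; `check_files` goes beyond the announcement by allowing further release files to be compared the same way.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large files are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_forum(forum_root, release_upload, index_name="index.php",
                check_files=("index.php",)):
    """Return a sorted list of (finding, path) tuples.

    forum_root     -- deployed forum directory
    release_upload -- the ./Upload/ directory of a freshly downloaded release
    index_name     -- deployed name of the forum index, if it was renamed
    check_files    -- release-relative files that must match byte for byte
    """
    forum_root, release_upload = Path(forum_root), Path(release_upload)
    findings = []
    for rel in check_files:
        reference = release_upload / rel
        # A renamed index.php lives under a different name on the server.
        deployed_rel = index_name if rel == "index.php" else rel
        deployed = forum_root / deployed_rel
        if not reference.is_file():
            findings.append(("reference-missing", rel))
        elif not deployed.is_file():
            findings.append(("deployed-missing", deployed_rel))
        elif sha256_of(deployed) != sha256_of(reference):
            findings.append(("differs-from-release", deployed_rel))
    # Both variants of the instructions end with removing ./install/.
    if (forum_root / "install").exists():
        findings.append(("install-folder-present", "install/"))
    return sorted(findings)


def demo_release_audit():
    """Audit constructed sample trees (placeholder file contents only)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        clean = "<?php // constructed clean index\n"
        release = tmp / "Upload"
        release.mkdir()
        (release / "index.php").write_text(clean)

        # Forum A: not yet fixed. index.php differs, install/ still exists.
        forum_a = tmp / "forum_a"
        (forum_a / "install").mkdir(parents=True)
        (forum_a / "index.php").write_text(clean + "// constructed extra line\n")

        # Forum B: fixed, but the index was renamed to forum.php and
        # index.php is now a (constructed) copy of the portal.
        forum_b = tmp / "forum_b"
        forum_b.mkdir()
        (forum_b / "forum.php").write_text(clean)
        (forum_b / "index.php").write_text("<?php // constructed portal copy\n")

        return {
            "unpatched": audit_forum(forum_a, release),
            "renamed_ok": audit_forum(forum_b, release, index_name="forum.php"),
            "renamed_wrong_name": audit_forum(forum_b, release),
        }


if __name__ == "__main__":
    for case, findings in demo_release_audit().items():
        print(case, findings)
```

A "differs-from-release" result on a forum whose index was renamed usually means the wrong file name was checked, which is the case the renamed-index note above warns about.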

We discovered the extent of this problem earlier today but with the release of MyBB 1.6.5 still being a few weeks away, forums need to be patched to protect against any vulnerabilities. We’re still investigating how our release became contaminated and if we find anything else in the meantime, we’ll be sure to let you know.

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

Thank you,
MyBB Team

MyBB 1.6.4 Released – Feature Update, Security & Maintenance Release

MyBB 1.6.4 is now available from the MyBB website and is a feature update, security and maintenance release for the 1.6 series.

What’s added/changed in this version?

In 1.6.4, there are 2 new updates and over 100 reported issues fixed.

Please be aware that not all of the existing problems have been fixed in this version. Because of the size of the updates, these will be fixed in a later release.

The 2 new updates included in 1.6.4 are only small – one globally switches on/off plugins and the other detects whether an Administrator has renamed the Portal to check for file verifications.

Security Updates

There are also 3 security updates for 1.6.4. Overall, they are low risk vulnerabilities as they all require administrator permissions – however, one of these is classed as high risk if a user manages to get into the Admin Control Panel (ACP).

As a result of this, it is recommended that only certain types of variables are used in templates that follow the MyBB Development Standards – although other types may be used if the templates are installed to the database through your plugin, Administrators will not be able to save templates with these variables in.

Theme Artists and Plugin Developers should take a close look at the new changes to see if their work will be affected by the new changes and update them accordingly.

Performance

In 1.6.4, there are a number of performance-related updates. These range from small code changes to caching thread prefixes. More information about these is available on 1.6.4’s page in the Wiki.

Almost everyone should be able to see at least some benefits from these changes.

Upgrading from 1.6.3 and Other Versions

Due to the size of this release and due to release errors earlier in the 1.6 series, all files need to be changed. This is to ensure that you have the latest versions of the software’s files which can be hard to trace from earlier releases.

This upgrade process is the same for any version of MyBB. Before performing any upgrade, please remember to backup your forum’s files and database and store them safely. If you have edited core files, please make sure you make a changelog for these changes so you can make them again once the upgrade is complete.

If you have installed plugins that require changes to core files, you will need to make those changes again.

To upgrade, follow the Upgrading process. The upgrade script is required. There are also language and theme changes.

If you require support for upgrading to 1.6.4, please see the 1.6 General Support Forum.

Changes in 1.6.4

We’ve made a handy reference guide to what’s changed in 1.6.4 in the Wiki. We’ll be doing this for each version in the future too so you can see what we’re working on.

View 1.6.4 Changes in the Wiki.

MyBB Merge System 1.6.1 Update

For those users who have been using Merge System 1.6.1 and earlier, there is an important security update ready for you.

You can read more about it in the 1.6.1 Update Blog Post.

Thank you,
MyBB Team

MyBB 1.6.3 and 1.4.16 Security Update

MyBB 1.6.3 and 1.4.16 are now available to download. They fix 1 high risk vulnerability and 1 low risk vulnerability. We recommend that everyone upgrade to this release immediately or patch their boards with the manual patching instructions below.

Thanks to Charlie Somerville and thebod for discovering them. These vulnerabilities are:

In addition to the vulnerabilities, the updates also fix the following issues:

All other outstanding issues will be resolved in the next maintenance release.

For MyBB 1.6

The update to MyBB 1.6.3 also upgrades the Prototype and Scriptaculous javascript libraries to their latest versions. This is to help your MyBB forum work properly with Internet Explorer 9.

MyBB 1.6.2 to 1.6.3 Patch
This patch is only for those users running MyBB 1.6.2. If you’re running an older version of MyBB then please download the full version and update to it.

For help upgrading, see the MyBB Wiki: Upgrading.

Please download the attached ZIP archive below and replace the files in your forum directory with those from the ZIP archive.

1.6.3 changed files

You are required to run the upgrader for 1.6.3. After replacing the files above, remove the ‘lock’ file located in forum_root/install/, then visit forum_root/install/upgrade.php and follow the instructions (where forum_root is the web address for your forum). Remember to backup your forum’s files and database before performing this upgrade.

Once the upgrade has completed, visit the Templates & Style area of your ACP – click on Templates on the left and go to the “Find Updated Templates”. Revise and amend all affected templates here, paying attention to headerinclude, index_boardstats and forumdisplay_threadlist.

If you wish to manually patch your board please download “1.6.3 patches” and follow the instructions in that file. You are also required to amend templates to ensure functionality for your board. For this, please download “1.6.3 template patches” and follow the instructions – you must do these for all custom themes you have installed.

1.6.3 patches
1.6.3 template patches

Please remember that applying patches should only be a temporary measure until you can fully upgrade your board. The upgrader is required to run to allow the default templates to be updated with the new security fixes.

Changed Files since 1.6.2

  • inc
    • class_core.php
    • functions_search.php
  • install
    • resources
      • mysql_db_tables.php
      • mybb_theme.xml
      • upgrade12.php
      • upgrade17.php
      • upgrade19.php
      • upgrade3.php
      • upgrade5.php
    • upgrade.php
  • jscripts
    • controls.js
    • dragdrop.js
    • effects.js
    • general.js
    • prototype.js
    • scriptaculous.js
    • slider.js
    • thread.js
  • forumdisplay.php
  • index.php
  • misc.php
  • showthread.php

* Red represents files that contain security updates
* Green represents new files added in this release

For MyBB 1.4

For MySQL 5.5 compatibility and IE9 javascript fixes, please upgrade to MyBB 1.6.3. Support for MyBB 1.4 will be ending on 1st July 2011, after which there will be no more security updates for the 1.4 series.

1.4.15 to 1.4.16 Patches
This patch is only for those users running MyBB 1.4.15. If you’re running an older version of MyBB 1.4, and don’t want to upgrade to 1.6 just yet, then please download the latest version of MyBB 1.4 from the MyBB Wiki: Versions.

For help upgrading, see the MyBB Wiki: Upgrading.

Please download the attached ZIP archive below and replace the files in your forum directory with those from the ZIP archive.

1.4.15 changed files

You are required to run the upgrader for 1.4.16. After replacing the files above, remove the ‘lock’ file located in forum_root/install/, then visit forum_root/install/upgrade.php and follow the instructions (where forum_root is the web address for your forum). Remember to backup your forum’s files and database before performing this upgrade.

Once the upgrade has completed, visit the Templates & Style area of your ACP – click on Templates on the left and go to the “Find Updated Templates”. Revise and amend all affected templates here, paying attention to headerinclude, index_boardstats and forumdisplay_threadlist.

If you wish to manually patch your board please download “1.4.16 patches” and follow the instructions in that file. You are also required to amend templates to ensure functionality for your board. For this, please download “1.4.16 template patches” and follow the instructions – you must do these for all custom themes you have installed.

1.4.15 patches
1.4.15 template patches

Please remember that applying patches should only be a temporary measure until you can fully upgrade your board. The upgrader is required to run to allow the default templates to be updated with the new security fixes.

Changed Files since 1.4.15

  • inc
    • class_core.php
    • functions_search.php
  • install
    • resources
      • mybb_theme.xml
    • upgrade.php
  • jscripts
    • general.js
  • forumdisplay.php
  • index.php
  • misc.php
  • showthread.php

* Red represents files that contain security updates
* Green represents new files added in this release

Thank you,
MyBB Team

MyBB 1.6.2 and 1.4.15 – Security Update

MyBB 1.6.2 is a security update to the 1.6 series. It fixes 2 medium risk security vulnerabilities and one low risk issue. We recommend that everybody upgrade to this release as soon as possible – or patch their boards with the manual instructions below.

MyBB 1.4.15 is also a security update to the 1.4 series which is affected by the same vulnerabilities.

Thank you to MustLive (Websecurity), MattRogowski and Max Roth for alerting us of these issues.

What’s fixed in this version?

The medium-risk issue reported by Max Roth requires HTML in posts to be enabled in a forum. This issue was fixed as part of Issue #1422. Even if you don’t have HTML enabled in posts, it is still recommended to update to resolve this issue.

MyBB 1.6.1 to MyBB 1.6.2 Patch

This patch is only for users running MyBB 1.6.1. If you are running an older version of MyBB then please download MyBB 1.6.2 from the MyBB site and update to it.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.
This update does not require running the upgrader.

The following files have changed since the initial 1.6.1 release:

  • admin
    • modules
      • tools
        • modlog.php
  • inc
    • class_core.php
    • class_parser.php
  • jscripts
    • validator.js
  • member.php
  • modcp.php
  • xmlhttp.php

* Red represents files that contain security updates
* Green represents new files added in this release

changed_files_1602.zip

If you wish to manually patch your board please download “mybb_1601_patches.txt” and follow the instructions in that file.

mybb_1601_patches.txt

MyBB 1.4.14 to MyBB 1.4.15 Patch

This patch is only for users running MyBB 1.4.14 who have updated their forum when 1.6.1 and 1.4.14 Update was released. If you have not made these updates or are unsure whether you have – and you don’t want to upgrade to 1.6 – then please download 1.4.15 from the MyBB site and update to it.

mybb_1414_patches.txt

To ensure users of the 1.4 series have all the recent security updates the following changed files package contains updates since 1.4.13. The changes to files are mentioned below. If you are still using the 1.4 series, then please make sure that all these files have been updated to keep your forum secure (either by updating to 1.4.15, uploading the changed files package, finding differences using a file difference tool or patches from blog posts).

It is heavily recommended that you upgrade to 1.6.

  • admin
    • modules
      • tools
        • modlog.php
  • inc
    • datahandlers
      • post.php
    • class_core.php
    • class_parser.php
    • functions.php
    • functions_search.php
  • jscripts
    • validator.js
  • attachment.php
  • editpost.php
  • forumdisplay.php
  • member.php
  • modcp.php
  • newreply.php
  • syndication.php
  • xmlhttp.php

* Red represents files that contain security updates
* Green represents new files added in this release

changed_files_1415.zip

Thank you,
MyBB Team

MyBB 1.4.13 Released – Security Patches to MyBB 1.4.12

MyBB 1.4.13 is now available on the MyBB website and is a patch to MyBB 1.4.12 which introduced two regressions related to the security updates in MyBB 1.4.12.

This release is to ensure that all users on 1.4.12 have the proper security patches applied to their forum.

Thank you to Pirata Nervo and Labrocca for alerting us of these issues and to Stefan Esser for assisting us in a patch for Issue #843.

What’s fixed in this version?

This update does not require running the upgrader.
There are no database schema, language string, or template changes in this version.

MyBB 1.4.12 to MyBB 1.4.13 Patch

This patch is only for users running MyBB 1.4.12. If you are running an older version of MyBB then please download MyBB 1.4.13 from the MyBB site and update to it using the general [Wiki: Upgrading] guide.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.
changed_files_1413.zip

Alternatively, if you are running MyBB 1.4.11, you may follow the “MyBB 1.4.11 to MyBB 1.4.12 Patch” instructions in the MyBB 1.4.12 announcement and then apply the MyBB 1.4.12 to MyBB 1.4.13 patch above.

The following files were changed since the initial MyBB 1.4.12 release:

  • inc
    • datahandlers
      • post.php
    • functions.php
    • class_core.php

* Red represents files that contain security updates
* Green represents new files added in this release

MyBB 1.2.14 Patch

All users of the 1.2.x series are urged to upgrade to the latest release of MyBB (1.4.13). MyBB 1.2 is no longer being supported and security updates for the MyBB 1.2 series ceased as of January 1, 2010.

Thank you,
MyBB Team

MyBB 1.4.12 Released – Security & Maintenance Update

MyBB 1.4.12 is now available on the MyBB website and is a security and maintenance update to MyBB 1.4.11. This will be the last maintenance release of the MyBB 1.4 series. We will still continue to provide security updates for the MyBB 1.4 series.

This release is to ensure that all users on 1.4.11 have the latest fixes, and to patch two medium-risk security issues and a low risk security issue within MyBB.

Thank you to Stefan Esser and Labrocca for alerting us of these issues.

What’s fixed in this version?

  • #309 – Direct access of some files generates PHP errors
  • #374 – editpost editpost_start hook run twice
  • #466 – Last post date after custom merge
  • #556 – Wrong additional groups in ACP
  • #565 – Custom view in browse users error
  • #575 – Redundant Code in inc/class_parser.php
  • #583 – UTF8-conversion fails with PostgreSQL
  • #586 – Posts after updating the attachments of drafts
  • #592 – Forum subscription displaying always the wrong image
  • #593 – Image upload
  • #594 – portal_pms template not getting cached
  • #597 – $yearsel not defined
  • #598 – Split thread – post icon
  • #604 – Make private event public
  • #606 – Server Statistics – Hostname and hosturl not working
  • #609 – Wrong first day of week in week view
  • #613 – Error is invalid smilie path is used
  • #618 – Alternating trows on profile page
  • #621 – global_pm_alert template typo dismis_notice
  • #622 – Reputation by a deleted user
  • #623 – Upgrade 1.1.18 -> 1.4.11
  • #627 – private_nomessages template not getting cached
  • #632 – Settings not selected if error appears
  • #634 – firstpost of copied thread set to 0
  • #643 – Missing field when fetching latest announcements into portal page
  • #647 – function generate_thumbnail generates warning
  • #650 – Status Icon of Forum not shown on Forum Subscription List
  • #660 – forumdisplay_rules not cached
  • #662 – member.php and $referrals
  • #672 – threadviews task won’t disable from settings change
  • #673 – Typo in member.lang.php $l['hide_dob']
  • #678 – Hard-coded language string in /admin/modules/style/templates.php
  • #684 – Typo in postbit when ignoring users
  • #685 – Akismet “unmark” does not reduce number of “akismetstopped” field.
  • #688 – Old avatars are not deleted
  • #689 – Usercp.php + Modcp.php – XHTML 1.0 Problem ($bdaymonthsel)
  • #703 – Mass Mail Auto Generated Text Version
  • #716 – Error reads “[WRITE] Unable to slave database”, should be select
  • #720 – UTF8 conversion causes mysql error on blob/text fields
  • #722 – Group Join Requests From Guests
  • #727 – Converting a forum with threads to a category should be disallowed
  • #728 – Post Edit bypasses max. [img] MyCodes per Post
  • #749 – Portal “Since then, there have been:” counts unapproved threads and drafts
  • #750 – Theme importing ignored error
  • #759 – Stars are shown on user profile even if they are set to 0 for the group
  • #764 – attachment MyCode isn’t parsed in feeds
  • #774 – mysqli_pconnect function not exists
  • #778 – db reconstruction in inc/functions.php $config check fails
  • #791 – Ratings column of forum display ignores group settings
  • #794 – Badwords preg_quote fix
  • #802 – Stars are shown in Postbit even if they are set to zero and no image is linked
  • #809 – Unviewable threads showing on portal
  • #810 – Portal post shows smilies even when set not to in post
  • #812 – allow [img] in posts depends on MyCode being allowed
  • #816 – Duplicate htmlspecialchar in inc/functions_online.php
  • #821 – syndication.php errors
  • #822 – Use of $_POST in ./xmlhttp.php
  • #835 – MyBB, dl(), and PHP 5.3.x – no dl() in many 5.3.x releases
  • #836 – Debug code left in inc/class_mailhandler.php
  • #843 – Improvements to PHP’s mt_rand RNG seeding
  • #849 – We can set date of birth as future date
  • #852 – CSRF issue in usercp2.php
  • #862 – Rebuilding Attachment Thumbnails Plugin Hook Name
  • #870 – Missing warning messages
  • #871 – Datahandler merge ignores updating post message variable

This release has been tested by our Software Quality Assurance group.

This update does require running the upgrader.
There are database schema, language string, or template changes in this version.

MyBB 1.4.11 to MyBB 1.4.12 Patch

This patch is only for users running MyBB 1.4.11. If you are running an older version of MyBB then please download MyBB 1.4.12 from the MyBB site and update to it using the general [Wiki: Upgrading] guide.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.
changed_files_1412.zip

A manual patch file is not being offered for this release due to the multitude of changes required to implement the security fix. We apologize for any inconvenience this causes.

The following files were changed since the initial MyBB 1.4.11 release:

  • announcements.php
  • calendar.php
  • captcha.php
  • editpost.php
  • forumdisplay.php
  • managegroup.php
  • member.php
  • modcp.php
  • newreply.php
  • newthread.php
  • portal.php
  • private.php
  • reputation.php
  • showthread.php
  • syndication.php
  • usercp.php
  • usercp2.php
  • xmlhttp.php
  • jscripts
    • inline_moderation.js
  • install
    • resources
      • mybb_theme.xml
      • upgrade16.php
  • admin
    • index.php
    • modules
      • forum
        • management.php
      • user
        • mass_mail.php
        • users.php
      • config
        • mod_tools.php
        • settings.php
        • smilies.php
      • tools
        • recount_rebuild.php
        • system_health.php
      • style
        • templates.php
        • themes.php
  • inc
    • class_core.php
    • class_custommoderation.php
    • class_mailhandler.php
    • class_moderation.php
    • class_parser.php
    • db_mysqli.php
    • functions.php
    • functions_image.php
    • functions_online.php
    • functions_serverstats.php
    • functions_upload.php
    • functions_user.php
    • init.php
    • plugins
      • akismet.php
    • languages
      • english
        • global.lang.php
        • member.lang.php
        • messages.lang.php
        • warnings.lang.php
        • admin
          • forum_management.lang.php
          • user_groups.lang.php
    • datahandlers
      • post.php
      • user.php
    • cachehandlers
      • eaccelerator.php
      • memcache.php
      • xcache.php

* Red represents files that contain security updates
* Green represents new files added in this release

MyBB 1.2.14 Patch

All users of the 1.2.x series are urged to upgrade to the latest release of MyBB (1.4.12). MyBB 1.2 is no longer being supported and security updates for the MyBB 1.2 series ceased as of January 1, 2010.

Thank you,
MyBB Team

Important Update: April 16, 2010

If you applied the MyBB 1.4.12 update before April 16, 2010 7:00 UTC we recommend you redownload the changed file package and reupdate the inc/functions.php file to your forum. The change fixes an issue identified in the previous hot patch relating to the random number generator. We are sincerely sorry for the inconvenience caused by this.

Thank you for your cooperation.

MyBB 1.4.11 Released – Minor Patch & Security Update

MyBB 1.4.11 is now available on the MyBB website and is a minor patch update to 1.4.10.

This release is to ensure that all users on 1.4.10 have the latest patches, to fix a small and rare bug that with malicious intent can be used to assist a Denial-of-Service attack, and to patch a low security issue that can allow a user to check for file existence outside of the web root.

Thank you to Labrocca and Secunia (through a third party) for alerting us of these issues.

What’s fixed in this version?

This release has been tested by our Software Quality Assurance group.

This update does not require running the upgrader.
There are no database schema, language string, or template changes in this version.

MyBB 1.4.10 to MyBB 1.4.11 Patch

This patch is only for users running MyBB 1.4.10. If you are running an older version of MyBB then please download MyBB 1.4.11 from the MyBB site and update to it using the general [Wiki: Upgrading] guide.

Please download the attached ZIP archive and replace the files in your forum directory with those from the ZIP archive.
changed_files_1411.zip

If you wish to manually patch your board please download “mybb_1410_patches.txt” and follow the instructions in that file.
mybb_1410_patches.txt

The manual patch set instructions only fix the security vulnerabilities and are only made available to temporarily secure your forum until you have time to run the complete upgrade.

The following files were changed since the initial MyBB 1.4.10 release:

  • admin
    • modules
      • style
        • templates.php
      • tools
        • backupdb.php
      • user
        • users.php
  • inc
    • datahandlers
      • event.php
      • user.php
    • class_core.php
    • class_error.php
    • class_moderation.php
    • functions_upload.php
    • functions_time.php
    • tasks
      • backupdb.php
  • calendar.php
  • usercp.php

* Red represents files that contain security updates
* Green represents new files added in this release

MyBB 1.2.14 Patch

Please follow step #1 in the mybb_1410_patches.txt file as listed above.

Please note all users of the 1.2.x series are urged to upgrade to the latest release of MyBB (1.4.11). MyBB 1.2 is no longer being supported and security updates for the MyBB 1.2 series will only last through December 2009.

Thank you,
MyBB Team

Securing your MyBB Installation

There are many things you can do to keep your MyBB Installation secure – the below list contains 5 basic ways to make sure your MyBB Forum is as secure as possible. I’ve tried to keep it as simple and concise as possible. Leave a comment if you don’t understand and we’ll clarify.

  1. Keep your MyBB Software Up-To-Date – Always make sure you’re running the latest version of MyBB. Using the Version Check tool from your Administration Control Panel you can always check for the latest version of MyBB and latest announcements.
  2. Sign up to the MyBB Mailing List – By signing up to the MyBB Mailing List you can receive notification of important MyBB updates and releases, allowing you to update your forum in a timely manner.
  3. Rename your “admin” directory – Renaming your admin directory to something else will greatly reduce the risk of someone being able to hack their way into your Administration Control Panel.
    1. Using an FTP Program navigate to your forum directory.
    2. Find the ‘admin’ directory and rename it to something less obvious. If you want to be really secure you can use an online program to generate a name for you. For example: http://www.pctools.com/guides/password/
    3. Now that you’ve renamed your admin directory we need to update the configuration file so MyBB knows what it is called. Navigate to your ‘inc’ directory and open up config.php using a Text Editor such as WordPad.
      1. In config.php Find:

        $config['admin_dir'] = 'admin';

      2. Replace with the new admin name (where admin-name is the name of the new admin directory you set):

        $config['admin_dir'] = 'admin-name';

    4. Save the file on your server.
  4. Back Up Regularly – Backing up your forum regularly is the best defense you can have against hackers. At least once per week! MyBB offers a backup solution in the Administration Control Panel under Backup Database. For more information and alternative ways see our wiki: http://wiki.mybboard.net/index.php/Database_Backup. (Note: MyBB 1.4 allows for automatically backing up your database.)
  5. Keep MySQL, PHP, and Apache Up-To-Date – Hackings of your forum aren’t always caused by exploits in MyBB. Often hosts are running months old versions of MySQL, PHP, Apache, and even other programs and extensions riddled with security exploits. If you find your host is running an old version urge them to upgrade as soon as possible. If you own your own server you can respectively find updates at http://mysql.com, http://php.net and http://www.apache.org.
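The admin directory rename in step 3 has two halves, the directory itself and `$config['admin_dir']` in inc/config.php, and it is easy to finish only one of them. The following is an added example, not MyBB code: it reads the configured name from config.php and checks it against the directories on disk. The function names, finding labels and the sample directory name `cp-x7` are assumptions constructed for illustration, and the parser only handles the plain quoted assignment shown above.

```python
import re
import tempfile
from pathlib import Path

# Matches an uncommented line such as: $config['admin_dir'] = 'admin';
ADMIN_DIR_RE = re.compile(
    r"""^\s*\$config\[\s*['"]admin_dir['"]\s*\]\s*=\s*(['"])(?P<name>[^'"]*)\1\s*;""",
    re.MULTILINE,
)


def read_admin_dir(config_text):
    """Return the last admin_dir assigned in config.php text, or None."""
    name = None
    for match in ADMIN_DIR_RE.finditer(config_text):
        name = match.group("name")  # a later assignment overrides an earlier one
    return name


def check_admin_rename(forum_root):
    """Return a list of problems with the admin directory rename."""
    root = Path(forum_root)
    config = root / "inc" / "config.php"
    if not config.is_file():
        return ["config-missing"]
    name = read_admin_dir(config.read_text(encoding="utf-8", errors="replace"))
    if name is None:
        return ["admin_dir-not-set"]
    problems = []
    if name == "admin":
        problems.append("default-admin-name")
    # The configured directory must really hold the control panel entry point.
    if not (root / name / "index.php").is_file():
        problems.append("configured-dir-missing")
    # Copying instead of renaming leaves the old panel reachable at /admin/.
    if name != "admin" and (root / "admin").is_dir():
        problems.append("old-admin-dir-still-present")
    return problems


def _make_forum(base, label, configured, dirs):
    """Create a constructed forum tree with the given config and directories."""
    root = base / label
    (root / "inc").mkdir(parents=True)
    (root / "inc" / "config.php").write_text(
        "<?php\n// constructed sample config\n"
        "$config['admin_dir'] = '%s';\n" % configured)
    for d in dirs:
        (root / d).mkdir()
        (root / d / "index.php").write_text("<?php // constructed ACP stub\n")
    return root


def demo_admin_rename():
    """Run the check over four constructed forums."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        cases = {
            "default": _make_forum(base, "a", "admin", ["admin"]),
            "renamed": _make_forum(base, "b", "cp-x7", ["cp-x7"]),
            "copied": _make_forum(base, "c", "cp-x7", ["cp-x7", "admin"]),
            "config_only": _make_forum(base, "d", "cp-x7", ["admin"]),
        }
        return {label: check_admin_rename(root) for label, root in cases.items()}


if __name__ == "__main__":
    for label, problems in demo_admin_rename().items():
        print(label, problems)
```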

We’ll have another, more technical blog post on security for all of you IT pros (or in training, of course) later on.