MyBB 1.8.29 Released — Security Release

MyBB 1.8.29 is now available, and is a security release.

  • 1 security vulnerability addressed:

    • High risk: ACP Settings management RCE (advisory) — reported by Xiangwen (Evan) Yu

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.28 Released — Security & Maintenance Release

MyBB 1.8.28 is now available, and is a security & maintenance release.

This version resolves discovered bugs and regressions, and addresses known PHP 8 compatibility problems.

This version enables validation of HTML code generated by the MyCode parser — check the Documentation page and previous announcement for more details.

  • 1 security vulnerability addressed:

    • Medium risk: ACP Template Name XSS (advisory) — reported by Andrey Stoykov
  • 28 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.27 Released — Maintenance Release

MyBB 1.8.27 is now available, and is a maintenance release.

This version i.a. enhances the attachments UX, brings pagination to more ACP pages, adds better thread view counting options, and improves performance and stability.

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

Looking to the Future

As we near the release of MyBB 1.8.27, we’re starting to look towards the future of the Project and where we’re headed. In this post, we’ll lay out our plans going forward.

1.8.27 Is a Big Release

The upcoming 1.8 maintenance release is shaping up to be the second biggest in the series, with over a hundred Issues already resolved.

Among others, we have changes to how the mail queue is processed, the addition of some new PDO based database drivers for MySQL and PostgreSQL, some additional plugin hooks, pagination added to some ACP modules, an alteration to exclude bots and spiders from increasing thread view counts, enhanced the attachments upload user experience, and much more!

We’ve also added some other quality of life enhancements behind the scenes, such as some automated tools to check PHP syntax for all Pull Requests and Commits to the GitHub repository and some improvements to our support for PHP 8.0.

The release has been a long time coming, but it’s now just around the corner. I’d like to take this opportunity to thank all of our wonderful contributors, and to ask a favour: if you can, please test the current code as much as you can! We want to make sure that 1.8.27 is a rock solid release. As usual, once the final Pull Requests are merged, you will find a pre-release thread in the 1.8 Development forum.

The Future of 1.8

With 1.8.27 being such a large release, we’ve been thinking about the future of where MyBB is headed.

As such, we’ve decided that MyBB 1.8.27 will be the last major release of MyBB 1.8.

From this point forwards, the 1.8 series shall only receive security fixes and bug fixes for critical bugs that break core functionality.

The reasoning for this change is simple: we need to focus all of our limited resources on one single task – namely, getting MyBB 1.9 released.

MyBB 1.9

MyBB 1.9 is something we’ve been talking about for a long time (too long, a lot of us would say).

We’ve been working on it side-by-side along with supporting the MyBB 1.8 series, which has unfortunately meant the new release has only had limited attention paid to it.

With 1.8.27 being the last big 1.8 series version, all attention will now be turned to 1.9. There will be a freeze made to the merging of any Pull Requests to the project for a period of roughly two weeks in order to finalise the rebase of MyBB 1.9 to incorporate all of the changes present in 1.8.27.

Once this is complete, attention will turn to the following tasks:

  • Scrutinising all new templates to ensure that all changes made to 1.8 in recent releases are reflected in the new templates.
  • Tracking down any remaining usages of the old $templates based code for templates.
  • Writing the ACP management module for the new template system.

Once these tasks are complete, we’ll be at the stage of beginning testing the release in full. At that point, we’ll put a demo install online for everybody to play with, which will reset every day at midnight. This should give everybody a chance to help us debug the release and polish it up.

An Apology and a Thanks

On a final personal note, I’d like to apologise to the Community for the severe lack of progress with the Project and communication from us.

When I joined, forums were booming and MyBB in particular was abuzz with activity. We had a large bustling Team with members from all over the world contributing many changes and improvements. I’ve watched the Project go from MyBB 1.2 to 1.4; from 1.4 to 1.6 and 1.6 to 1.8. Over that time, things have changed a lot! The rise of social media and smartphones have changed the landscape of internet communities significantly.

Unfortunately, with these changes we’ve seen quite a decline in the progress we’ve made with the Project recently. I wish we had an easy fix to this and we could go back to the activity levels that we’ve seen before, and if anybody has any concrete ideas we’d be very happy to hear them in a constructive manner.

I’d like to take the opportunity to thank everybody who has stuck with us over the years and contributed in any way — be it via financial support on OpenCollective; via bug reports; via Pull Requests; via providing support to other members of the Community; or via any other means. Without you, MyBB simply would not exist.

MyBB 1.8.26 Released — Security Release

MyBB 1.8.26 is now available, and is a security release.

  • 6 security vulnerabilities addressed:

    • High risk: Nested Auto URL persistent XSS (advisory) — reported by Simon Scannell & Carl Smith
    • Medium risk: Theme properties SQL injection (advisory) — reported by Simon Scannell & Carl Smith
    • Medium risk: Poll vote count SQL injection (advisory) — reported by Devilshakerz (MyBB Team)
    • Medium risk: Forum Management SQL injection (advisory) — reported by Devilshakerz (MyBB Team)
    • Medium risk: Usergroups SQL injection (advisory) — reported by Devilshakerz (MyBB Team)
    • Low risk: Custom moderator tools reflected XSS (advisory) — reported by Devilshakerz (MyBB Team)

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.25 Released — Security Release

MyBB 1.8.25 is now available, and is a security release.

  • 1 security vulnerability addressed:

    • High risk: Nested Email MyCode Persistent XSS (advisory) — reported by Igor Sak-Sakovskiy

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.24 Released — Security Release

MyBB 1.8.24 is now available, and is a security release.

After running the upgrade, make sure to update the version attribute in the codebuttons template for non-default themes.

  • 1 security vulnerability addressed:

    • High risk: MyCode message formatting XSS in visual editor (advisory) — reported by Murphy

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.23 Released — Security & Maintenance Release

MyBB 1.8.23 is now available, and is a security & maintenance release.

This release includes added support for hCaptcha, reCAPTCHA v3, APCu, Redis, improvements related to ACP’s Thread Prefixes management, UTF-8 search, performance, and updates jQuery to 3.5.1.

Themes: content of global.css stylesheet may need updating (#3977).

Extension developers: always use verify_post_check() for my_post_key token verification (#4022); positions of some hooks were changed (#3648); the banned datacache was removed (#3878).

  • 1 security vulnerability addressed:

    • Medium risk: Anti-CSRF token disclosure in online status location — reported by Mipher
  • 101 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.22 Released — Security & Maintenance Release

MyBB 1.8.22 is now available, and is a security & maintenance release.

Note: this version removes the discontinued Yahoo profile field, which may have been customized for other purposes.

  • 5 security vulnerabilities addressed:

    • High risk: Installer RCE on settings file write — reported by yelang123 of Stealien
    • Medium risk: Arbitrary upload paths & Local File Inclusion RCE — reported by CNCERT
    • Medium risk: XSS via insufficient HTML sanitization of Blog feed & Extend data — reported by Devilshakerz of MyBB Team
    • Low risk: Open redirect on login — reported by Jyoti Raval of Qualys
    • Low risk: SCEditor reflected XSS — reported by Cillian Collins, bl4ckh4ck5
  • 36 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.21 Released — Security & Maintenance Release

MyBB 1.8.21 is now available, and is a security & maintenance release.

This version includes updated jQuery and SCeditor, JSON Syndication format, improved PostgreSQL support, improved PHP >= 7.1 compatibility, improved search function reliability. See information on SCEditor-related theme updates.

  • 6 security vulnerabilities addressed:

    • High risk: Theme import stylesheet name RCE — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
    • High risk: Nested video MyCode persistent XSS — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
    • Medium risk: Find Orphaned Attachments reflected XSS — reported by Simon Scannell of RIPS Technologies
    • Medium risk: Post edit reflected XSS — reported by adm1nkyj of ENKI
    • Medium risk: Private Messaging folders SQL injection — reported by Alex of DiscoveryGC
    • Low risk: Potential phar deserialization through Upload Path — reported by Simon Scannell of RIPS Technologies
  • 39 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team