Reporting Bugs and Issues and New Development Changes

As we move closer to the first beta release of MyBB 1.8 the MyBB Team have been hard at work streamlining some of our behind-the-scenes services and workflows.

Changes to Development

A while ago we mentioned moving to a GitFlow workflow over at our GitHub repository. If you’re interested in helping us develop everyone’s favourite forum software take a look at our new Development Workflow and how you can get involved.

MyBB 1.6.x will now start using this workflow. MyBB 1.8.x will start using this when it reaches its first beta phase.

Timed Releases

With our new workflow the master branch in our repository should always be production ready. While only the latest release, available from MyBB.com, is supported on our support forums this allows us to provide set dates for bug fixes and maintenance releases.

You should see new MyBB releases every two months from January 2014 regardless of how many issues are resolved. So you can expect 1.6.13 in March ‘14, 1.6.14 in May ’14 and so on. There is no limit to how many versions we’ll have in the 1.6.x series until its EOL date.

Security releases remain unaffected and patches/releases are created whenever high risk vulnerabilities are reported and fixed.

Reporting Bugs and Issues in MyBB 1.x

One of the last remaining legacies of MyBB’s development cycles, Redmine, is now officially retired and no new members or issues can be created.

Instead, you can now report bugs and issues you find in MyBB in two ways: via the Community Forums (in the 1.6 Bugs & Issues forum or the 1.8 Bugs & Issues forum) or directly at GitHub.

In the near future we’ll be moving all existing open issues to GitHub and archiving Redmine. At the moment existing users there can still comment and act on issues.

Becoming a Contributor

The MyBB Team will also be moving development discussions about the core into the open development sections on our Community Forums. To be able to start new threads and reply to these discussions you need to join our new Contributor group.

More details can be found in the Joining the Contributor Group thread.

Moving 1.8 to Beta

Finally, we’re almost there. After almost 2 long years the MyBB Team have been busy finishing up the last remaining roadmap items for the first beta phase of MyBB 1.8.

Even at this exciting (and long overdue) stage there are still many tasks left to complete before you should be using 1.8 on your live forum.

Why not download a copy of MyBB 1.7 today and give it a test drive on your localhost – and let us know what you think!

MyBB 1.6.12 Released – Security & Maintenance Release

MyBB 1.6.12 is now available from the MyBB website and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 4 vulnerabilities and 10 reported issues causing incorrect functionality of MyBB. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version.

  • Vulnerabilities:
    • Medium Risk: A SQL vulnerability when editing smilies in ACP – reported by ChALkeR
    • Medium Risk: A SQL vulnerability when deleting posts with Akismet in ACP – reported by ChALkeR
    • Medium Risk: A XSS vulnerability in video MyCode – reported by ChALkeR
    • Low Risk: A XSS vulnerability in smilie popup – reported by Spenzert
  • Bugs fixed:

Information on upgrading, template changes and language changes can be found on the Docs site.

Please note that you do not need to run the upgrade script for this version.
There are no database schema changes in this version.

Upgrading from 1.6.11 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is not required. There are changes to 2 language files. No templates have been changed or added.

If you’re using MyBB 1.6.11

If you’re using MyBB 1.6.10 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB 1.6.11 Released – Security & Maintenance Release

MyBB 1.6.11 is now available from the MyBB website and is a security and maintenance release.

Important Security Patches

It was reported to us by Philly that a user was able to register on his forum with three ‘emoji’ characters which led to the user becoming “unregistered”. After looking into this issue we discovered it was more complex than originally thought.

The technical explanation is that MySQL’s UTF8 implementation only supports up to 3 bytes per character. When someone tries to insert a string containing a 4 byte UTF8 character into the database, MySQL truncates the string immediately before the 4 byte character. Not only does this affect security, it affects the user’s experience as half their post or private message could be lost without them knowing why.

The vulnerability was exploited by a user registering on a forum with a username consisting of only 4 byte UTF8 characters. As I explained before, MySQL truncates the string before the first occurrence of a 4 byte UTF8 character which led to the username column becoming empty. When someone sent a PM it would be automatically sent to the nameless user and they would be able to read it.

This security issue affects MySQL databases with a utf8_general_ci collation (this may also affect utf8_unicode_ci collations). If you’re using a SQLite or PostgreSQL database you’re not affected by this.
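The truncation described above can be modelled without a database. The following is an added example, not MyBB's code or its actual fix; the function names and sample usernames are constructed for illustration, and the store function only models the cut-before-the-first-4-byte-character behaviour this post describes.

```python
import unicodedata

# MySQL's legacy `utf8` character set stores at most 3 bytes per character,
# so it cannot hold code points above U+FFFF (emoji, for example), which
# need 4 bytes in UTF-8.
MAX_3_BYTE_CODE_POINT = 0xFFFF


def first_four_byte_index(text: str) -> int:
    """Return the index of the first character needing 4 UTF-8 bytes, or -1."""
    for i, ch in enumerate(text):
        if ord(ch) > MAX_3_BYTE_CODE_POINT:
            return i
    return -1


def simulate_utf8_store(text: str) -> str:
    """Model the behaviour described in the post: the value is cut
    immediately before the first 4-byte character."""
    idx = first_four_byte_index(text)
    return text if idx == -1 else text[:idx]


def check_username(name: str, taken: set) -> str:
    """Decide, before any INSERT, whether the stored value would differ
    from what the user typed. `taken` holds lower-cased existing names.

    Returns one of: ok, taken, empty, stored-empty, stored-collides,
    stored-truncated.
    """
    name = unicodedata.normalize("NFC", name).strip()
    if not name:
        return "empty"
    stored = simulate_utf8_store(name).strip()
    if stored == name:
        return "taken" if name.lower() in taken else "ok"
    if not stored:
        # The case from the report: a name made only of 4-byte characters
        # ends up as an empty username column.
        return "stored-empty"
    if stored.lower() in taken:
        # The truncated value would duplicate an existing account name.
        return "stored-collides"
    return "stored-truncated"


def demo() -> dict:
    """Run the check over constructed sample usernames."""
    taken = {"admin"}
    samples = [
        "alice",                           # plain ASCII
        "\u65e5\u672c\u8a9e",              # 3-byte characters, stored intact
        "\U0001F600\U0001F600\U0001F600",  # three emoji, all 4-byte
        "admin\U0001F600",                 # truncates to an existing name
        "bob\U0001F600",                   # truncates to a new, shorter name
    ]
    return {s: check_username(s, taken) for s in samples}


if __name__ == "__main__":
    for sample, verdict in demo().items():
        print(repr(sample), "->", verdict)
```

Rejecting any input whose stored form would differ from the submitted form covers usernames, posts and private messages alike; MySQL's utf8mb4 character set, which stores 4-byte characters, removes the mismatch at the database level.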

What’s added/changed in this version?

This release fixes 5 vulnerabilities and over 65 reported issues causing incorrect functionality of MyBB. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version.

  • Vulnerabilities:
    • High Risk: Authorization bypass vulnerability within the PM system – reported by Philly
    • Medium Risk: Accounts without login keys could be hijacked – reported by StefanT
    • Low Risk: Weakness within the generate_post_check() function – reported by Nathan Malcolm
    • Low Risk: Anonymous statistics may not always be anonymous – reported by Nathan Malcolm
    • Low Risk: Database backups are exposed in logs – reported by Nathan Malcolm
  • Fixed issues in 1.6.11
  • Unfixed issues

Please view the 1.6.11 changes on the Docs site for more information about the changes in this version.

Upgrading from 1.6.10 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 4 language files. 5 templates have been changed or added.

If you’re using MyBB 1.6.10

If you’re using MyBB 1.6.9 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

MyBB Merge System 1.6.10

MyBB Merge System for 1.6.10 is now available from the MyBB website and is a maintenance update to the MyBB Merge 1.6 series.

This release is to ensure that users of the MyBB Merge System are able to upgrade and continue to use MyBB 1.6.10.

If you are using or looking to upgrade to MyBB 1.6.10 it is imperative you use this version of the Merge System.

Development Updates

The MyBB Team are working hard to create and update modules for the MyBB Merge System. More information is coming soon!

MyBB 1.8 Tour: Roadmap

MyBB 1.8 is the next minor release for the 1.x series. The aim of this release is to introduce a level of standardisation and organisation that MyBB has previously lacked and to bring the series into line with other products and services that we hope to bring to you in the near future.

1.8 is a huge leap forward for the 1.x series. It will introduce some powerful new features while also providing a stable forum solution for your community for years to come. It will also allow us, the MyBB Group, to focus on the next generation of our software – the anticipated 2.x series.

Status

Due to the extended development and testing phase of 1.6.10, as well as the usual lull in activity due to workload, exams and holidays, MyBB 1.8 isn’t as far along its roadmap as we would like. Naturally we are disappointed but we remain committed to creating and providing one of the most advanced free forum software packages available.

Further to this we are, as a group, undergoing huge changes to how we work to help make releases quicker. These past 12 months have seen an insane amount of work completed by our team, much of which is behind-the-scenes, and we hope to bring news of this to you very soon.

With updates in mind, you can now find the MyBB 1.8 Roadmap on our community forums. This thread will be kept up to date with the latest news, features and bug fixes that are happening during its development.

Release Date

As always, MyBB 1.8 will be released when we feel it is ready. We opened our GitHub project to the public so that anyone – not just the MyBB Team – can help with development of the 1.x series. Even if you can’t code, anyone can download both branches (1.6 & 1.8) to help test bugs and offer suggestions for improvements. Alongside our roadmap you can keep up to date with the project and see what is coming next.

1.8 is not feature locked at this moment in time. However, we don’t plan on introducing further major overhauls to help avoid plugin and theme incompatibilities.

Joining the Team

There has never been a more exciting time in MyBB’s history; with 1.6 ready for new technologies, 1.8 on the way and starting 2.x soon (which is looking absolutely awesome) 2013 is already proving to be a busy year. If you feel you have got what it takes to be a dedicated volunteer for the project we’d love to have you on the team!

We’re currently looking for developers for the 1.x series, SQA team members and members for our new Resources Team – who will be focused on managing our community services. If you are interested in any of these PM a staff member, post an application in our Private Inquiries forum or send us an email.

MyBB 1.6.10 Released – Security & Maintenance Release

MyBB 1.6.10 is now available from the MyBB website and is a security and maintenance release.

What’s added/changed in this version?

This release fixes 7 vulnerabilities and over 95 reported issues causing incorrect functionality of MyBB. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version.

A considerable amount of effort has been put into MyBB 1.6.10 to fix a myriad of issues with PHP 5.4. This is the main reason why the release has been delayed until now. MyBB 1.6.10 should now be compatible with PHP 5.4 hosts.

  • Vulnerabilities:
    • Low Risk: Potential SQL Injection when optimizing the database – reported by Jakub Galczyk
    • Low Risk: Potential SQL Injection when creating the database backups – reported by StefanT
    • Low Risk: Potential XSS vulnerability in theme name – reported by pandaa
    • Low Risk: Improper permission checks for forums where you can only see your own threads – reported by Jordan Mussi and StefanT
    • Non Critical: XSS vulnerability on debug page – reported by 1llusion
    • Non Critical: Improper input validation in modcp.php – reported by 1llusion
    • Non Critical: Improper input validation in calendar.php – reported by Jakub Galczyk
  • Fixed issues in 1.6.10
  • Unfixed issues

Please view the 1.6.10 changes on the Docs site for more information about the changes in this version.

Upgrading from 1.6.9 and Other Versions

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 12 language files. 25 templates have been changed or added.

If you’re using MyBB 1.6.9

If you’re using MyBB 1.6.8 or lower

Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thanks,

MyBB Team

Getting Involved: MyBB GitHub Now Available

Back in June 2012, after our MyBB.com domain was hijacked, we removed public access to our development repositories and moved to GitHub.

Today we are pleased to announce that our main repository, where the 1.x series is developed, is now available to the public!

Visit the MyBB repository on GitHub →

The Basics

The mybb repository consists of 3 main branches: Master, Stable and Feature. These branches contain a different set of code depending on the name of the branch.

At the moment of writing this post:

  • Master contains code that has been (or is to be) publicly released (currently 1.6.9)
  • Stable contains work and bug fixes for the next minor version of MyBB (so 1.6.10, 1.6.11 etc)
  • Feature contains all our work on the next feature version of MyBB – 1.8

Please note that, although all this work is available to you, MyBB only officially supports the latest release. Stable and Feature code may contain partially-committed features which are broken, incomplete or may never make it to public release and for these reasons we do not recommend using either of these branches on your own forums.

They will NOT be supported by the Support Team.

For Developers

Access to our repository provides plugin and theme developers the opportunity to work with the latest code. We hope members of our community, and those interested in our project, become more closely involved with MyBB’s development.

Cutting edge development is designed for advanced users only. While we will try and support you with your work MyBB can’t provide support for Git or GitHub. We’re working on improving our documentation about development.

About MyBB 1.8 Alpha

With the opening of our repository MyBB 1.8 is now publicly available via the Feature branch. Please note that this only contains a handful of optimizations, features and changes that we are going to implement into this series.

Major features, such as the Report Centre, Spam Centre and our jQuery conversion are just starting to be worked on but accessing 1.8 should, however, give you an idea of the direction we’re heading in and what we’re trying to achieve with this version of MyBB. It should also allow developers to keep on track with what changes we’re making and, with that in mind, we do encourage anyone interested in working with 1.8 to get involved or get in touch via the 1.8 sections on our forum (coming soon).

Getting Involved

To get involved with MyBB development you will first need a GitHub account. Then, follow these steps:

  • Fork the repository
  • If you want to fix a bug – switch to the stable branch
  • If you want to work with 1.8 – switch to the feature branch
  • Make your changes (ensuring you follow the MyBB Development Standards) and push them to your forked repository
  • Send us a pull request via GitHub with your changes and make sure you reference the issue ticket number your changes relate to (update the ticket too to tell us you’ve fixed it)
  • SQA will provide feedback and, if it passes verification, your changes are merged into MyBB

GitHub Issues to replace Redmine

At the moment MyBB uses Redmine to power our issue tracker. Over time, we will be migrating to use GitHub’s inbuilt Issues tracker to provide closer integration between the repository and reported issues. It should also create a one-point resource for all development.

We’re starting this migration with MyBB 1.8. If you find a bug or problem within the feature branch you should first report it in the MyBB 1.8 Bugs & Issues forum. This allows members of the community to discuss the issue and confirm that it is, in fact, a bug. Once confirmed, a member of the MyBB Team will use a clever custom plugin (developed by Nathan Malcolm) to move the issue to GitHub for developers to work on a fix.

The new workflow eliminates the need for a separate account on Redmine and should allow more members to contribute towards development.

The MyBB 1.8 sections on the Community Forum will be available soon. In the mean time, please use the MyBB 1.6/1.8 Suggestions & Feedback forum.

Summary

There is a lot of new information here but it’s just the start of a new journey for MyBB and our community. By improving reporting methods, making it possible for non-team members to contribute and continuing to work on our new series we feel confident that MyBB will continue to be the best free forum software for years to come.

With thanks,

The MyBB Team

MyBB 1.8 Tour: The Retirement of Supertux

As MyBB approaches its 10th-year anniversary it’s quite easy for us to dwell on history. Even with the changes we’re working on in MyBB 1.8 you can still compare the early versions of our product to our next major release and see that they are made from the same group of people. Despite the dozens of Developers, SQA Testers, Support Team members, PR guys and Management we’ve had over this time, who have each made their mark in their own way, the consistency of MyBB as a forum system at its core is one of the fundamental mantras of the MyBB Group.

With that in mind, whenever we do come to develop around a feature, we’re cautious to remove the legacy it might leave behind. It is often a tough decision between moving forward and embracing something new and doing what we know. MyBB 1.8 gives us a great chance to look around and research how to improve these features for our users; with around 40 planned research projects into different areas of MyBB we’re aiming to bring a higher level of usability and functionality to your forum.

Avatar Changes

With Gravatar, an avatar hosting service, being integrated into WordPress, Redmine and GitHub (alongside other websites and many 3rd party addons for other software) it brings together an opportunity for us to provide a consistent platform for users to have the same look wherever they go. In MyBB 1.8 you can now use your Gravatar email in the Avatar URL field. Options in the ACP allow Administrators to control the content of avatars with Gravatar’s age-based rating systems.

The MyBB 1.8 Change Avatar

Alongside Gravatar is our new format_avatar function. This introduces the ability to pass a user’s avatar information to a single function to work out the correct dimensions to display on the page; it also means we aren’t parsing the same avatar twice for the same user on the same page. If the user has no avatar set Administrators are able to set a default avatar from the ACP to use instead.

These changes do come with some sad news; in MyBB 1.8, we’ve removed the avatar gallery feature. We’ll all be disappointed to see the end of Supertux and Mr Spam but we thought it best to keep a clear and simple method to change user avatars, and the avatar gallery was a little-used feature on the majority of forums.

News and Version Check Changes

One of the main aims of MyBB 1.8 is to help improve the services we offer to our own users. This involves keeping users up to date about what’s happening and new versions of MyBB.

News Feed in the ACP

In the ACP, we’ve introduced a small news feed into the Dashboard. We’ve also moved the Version Check, which used to have its own section, into the Dashboard too so that all updates are in the same place right in front of administrators. A new task is to be added to regularly check for any updates (versions and news) rather than relying on users to catch the ‘Your last version check was…’ message that may otherwise be easily missed.

The Little Things

Some of the other, smaller changes to MyBB 1.8 come to fix those trivial things people may (or may not) have noticed. These include removing the option to rate your own thread and changing trim() in templates to rtrim() so that those with OCD can create pretty source code for their themes.

We’re also looking to provide public access to our GitHub repositories in the very near future where a few problems have stopped us from doing so sooner. As soon as the MyBB 1.8 theme changes are ready we’ll also be making that project available too – alongside development standards for non-team members for those who want to get involved in helping us create the best free forum software.

Changes on the Team

Many will have noticed some changes on the team recently. We’ve welcomed back on-board Polarbear541 to our SQA Team and StefanT and Nathan Malcolm have moved over from SQA to the Development Team. All have quickly jumped into their new roles and we’re looking forward to their contributions.

Joining the Team

Being a part of the MyBB family and developing the future of forum software is no small task. Being volunteers takes dedication and patience as well as the skills to pull off your role. Take a look at Joining the Team, and if you meet the descriptions, send us an application – we’d love to have you on the Team!

MyBB 1.8 Tour: July Update

Since we announced MyBB 1.8 back in April work towards making a public beta has been slow. This time of year is traditionally the busiest for the team members with exams, workloads and personal projects – not to mention most of us enjoying the summer (or lack of, in some cases!) – often taking over from our usual MyBB duties. Where we were once working on the code every day there have been weeks without anything being done at all. These are, unfortunately, the perils of volunteer work.

We know you’re all just as excited about MyBB 1.8 as we are, and we haven’t told you everything that is changing yet, so we’re stepping it up a gear to put it all together as fast as we can without compromising our new features. We’ve tried setting deadlines (and failing miserably) and I know you’re sick of the usual ready-when-it’s-ready story so all I can say is please bear with us. We’ll be working hard to bring you this feature update and that starts with our move to GitHub.

Git Migration

Part of the fallout from when MyBB.com was partly taken over was to have an overview look at how we do things behind the scenes to see if we could improve our services. This understandably has a knock-on effect on our development; we decided it was best to drop SVN and move to GitHub ahead of the 1.8 schedule. MyBB 1.6 development also happens over there too.

We’ve briefly hidden the 1.6 repository so that our team can get used to this new service and for us to sort out some new standards for developers and contributors to follow. This is a pretty big change not only for users but for our team as well so we need to take some time to get used to it too.

That being said, we haven’t quite got rid of everything. We will still be using the development site – powered by Redmine – as the central place to report bugs and issues with MyBB and the Merge System. It is up and running but we are having a few problems syncing the repository on GitHub and our local copy here. We hope to have this – and the GitHub project – up and running soon.

Consistency in 1.8

A general trait that has been hanging over 1.8 during planning and early development is consistency; making sure everything we do looks and feels the same as though it is from the same product, system and service. Everything from MyBB.com to the install process on your own forums will be getting a makeover to the new upgraded style giving MyBB in general a clean modern look. We’ve replaced the popular FamFamFam icons with the equally popular Fugue icon set to give 1.8’s UX (user experience) a fresh appeal – meaning 1.8 uses CSS buttons and carries PNG icons instead of GIFs. We’re looking into providing sprite images too for the ever-conscious large forum owner as well as providing theme artists a new opportunity with this style of coding.

1.8 Installer and Postbit

Alongside the jQuery update and base colours, 1.8 themes are sure to be some of the best in the series.

Full Feature Update

So, as you might have thought by now, MyBB 1.8 is going to be a bigger update than most people imagined. While not 2.0-esque, it will certainly provide a full feature update that will require careful planning and action. And, to settle the nerves of the plugin developers, there will be no major updates to the plugin system – meaning for the majority only the compatibility section of your plugins will need to be updated for them to work in 1.8.

By providing an update like this we hope to extend the life of the 1.x series while also providing the tools and processes for developers to create even more amazing themes and plugins. It also gives us, as a team, a chance to rebalance our own structure to provide a better product for you all to enjoy.

Access to community forums restored, modifications site underway, updates & FAQ

Following on from our We’ll be back soon post yesterday, I just wanted to provide an update on our recovery efforts as well as address a few of the commonly asked questions.

After a comprehensive investigation, including audits of all files on our existing servers as well as an analysis of server and website access logs, we’re happy to confidently say that we do not believe any of our servers were compromised, or our databases accessed.

As you’ve likely noticed, access to the MyBB Community Forums has now been restored. Because we don’t believe the MyBB database was compromised, we have opted to not require users to change their passwords on next login. If you’re having difficulty accessing the forums (for example, if it’s redirecting to http://www.mybb.com, or stylesheets aren’t loading correctly), then please clear your web browser cache and try again.

We’re working on restoring access to the MyBB Mods website as soon as we can, however expect the modifications site to take another 24 hours before it can be pushed live.

Our team are also busy working on relaunching the official MyBB documentation, using GitHub Pages. We’re moving away from MediaWiki and wiki-based documentation primarily because we believe our efforts are best focused on maintaining our core website, forums and modifications site rather than managing a slew of third-party applications (this is the same reason why our blog is now powered by WordPress.com). Because GitHub Pages is directly backed by a Git repository, the entire community can still collaborate on our documentation using pull requests.

At this stage, we plan to discontinue the MyBB Ideas site. We believe that through great collaboration on the MyBB Community Forums in our MyBB 1.8 Feature Suggestions and MyBB 2.0 Feature Suggestions forums, together we can build even greater software. It also means there’s one less place to collect feedback from.

We’re taking an overly cautious process with the restoration. If we chose to, we could simply flick all services on again, and have the wiki, modifications site, etc live. Instead, even though we’re confident there was no breach of our servers, we’re still handling the situation as if there were. Before anything is relaunched, we’re:

  • Verifying access logs of the site to look for suspicious behavior
  • Verifying the content of the sites by comparing them against previously taken backups (both onsite and offsite, and against backups taken recently and those taken weeks ago) and analysing each and every difference by hand
  • Pushing the content of all websites to our new servers from an offline copy, instead of our old servers
  • Verifying that all of our websites work behind CloudFlare, and implementing caching strategies in CloudFlare to give you even faster page loads
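The backup comparison in the second step can be scripted so that only real differences reach a human reviewer. The following is an added example, not the MyBB Team's tooling; it hashes a live tree plus a recent and an older backup and sorts every path into a review bucket. The directory layout, file names and file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def classify(live: dict, recent: dict, old: dict) -> dict:
    """Bucket every path seen in the live tree or either backup.

    changed_before_recent is the reason for keeping two backups: a file
    that was altered or added before the recent backup was taken matches
    that backup and only stands out against the older one.
    """
    report = {
        "unchanged": [],
        "changed_since_recent": [],
        "changed_before_recent": [],
        "added": [],
        "missing": [],
    }
    for path in sorted(set(live) | set(recent) | set(old)):
        l, r, o = live.get(path), recent.get(path), old.get(path)
        if l is None:
            report["missing"].append(path)           # in a backup, gone from live
        elif r is None and o is None:
            report["added"].append(path)              # in neither backup
        elif l != r:
            report["changed_since_recent"].append(path)
        elif l != o:
            report["changed_before_recent"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def write_tree(root: Path, files: dict) -> None:
    """Create the constructed sample files under root."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Build three constructed trees in a temp directory and compare them."""
    old = {
        "index.php": b"<?php // v1\n",
        "inc/config.php": b"<?php // settings\n",
    }
    recent = dict(old)
    recent["inc/cache.php"] = b"<?php // appeared before the recent backup\n"
    live = dict(recent)
    live["index.php"] = b"<?php // v1, edited after the recent backup\n"
    live["uploads/new.php"] = b"<?php // present in neither backup\n"

    with tempfile.TemporaryDirectory() as tmp:
        hashed = []
        for name, files in (("live", live), ("recent", recent), ("old", old)):
            root = Path(tmp) / name
            write_tree(root, files)
            hashed.append(tree_hashes(root))
        return classify(*hashed)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

Everything outside the unchanged bucket is what the post calls analysing each difference by hand.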

There’s also been a lot of discussion around what legal action we will be taking against those that have attacked us. At this stage, we believe our time and effort is better spent improving and educating users about security, and moving forward with the development of MyBB 1.8, MyBB 2.0, and our rebranding.

Again, we want to thank everyone for their support and patience and look forward to moving onwards and upwards!

Regards,

Chris, Tim, and the rest of the MyBB Team