MyBB 1.8.22 Released — Security & Maintenance Release

MyBB 1.8.22 is now available, and is a security & maintenance release.

Note: this version removes the discontinued Yahoo profile field, which may have been customized for other purposes.

  • 5 security vulnerabilities addressed:

    • High risk: Installer RCE on settings file write — reported by yelang123 of Stealien
    • Medium risk: Arbitrary upload paths & Local File Inclusion RCE — reported by CNCERT
    • Medium risk: XSS via insufficient HTML sanitization of Blog feed & Extend data — reported by Devilshakerz of MyBB Team
    • Low risk: Open redirect on login — reported by Jyoti Raval of Qualys
    • Low risk: SCEditor reflected XSS — reported by Cillian Collins, bl4ckh4ck5
  • 36 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.9 Development Update

With the continuous Community effort to improve the quality of our stable branch in the background, the work on remaining features of MyBB 1.9 moves on.

One of the completed changes that will make its way into MyBB 1.9’s highlights — other than the theme system — is the introduction of modern password hashing. The md5-based hash function, used in MyBB since its very beginning, will be replaced by bcrypt, making it much more difficult to recover original passwords from the new hash values in case of a data breach.
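The upgrade described above has to happen without a "flag day", because an md5 digest cannot be converted into a bcrypt hash without the plaintext. The usual pattern is to keep verifying legacy hashes until a user logs in, then re-hash with bcrypt and store the result. The following is an added illustration, not MyBB's own code: legacy_md5_hash() is a simplified salted-md5 stand-in (not MyBB's actual function), and the user record layout, field names and cost parameter are assumptions.

```php
<?php
// Added example (not MyBB code): transparent migration of legacy md5
// password hashes to bcrypt on login. All names here are assumptions.
declare(strict_types=1);

// Stand-in for a legacy salted-md5 scheme. Assumed for illustration only;
// this is not MyBB's own implementation.
function legacy_md5_hash(string $password, string $salt): string
{
    return md5(md5($salt) . md5($password));
}

// bcrypt via PHP's password_hash(). Cost 12 is an assumed default; tune it so
// one hash takes tens of milliseconds on the production server.
const BCRYPT_OPTIONS = ['cost' => 12];

function hash_password_bcrypt(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

/**
 * Verify a login attempt and upgrade the stored hash when it is still in the
 * legacy format (or bcrypt with an outdated cost).
 *
 * $user is an assumed array with keys 'password' (stored hash) and 'salt'.
 * Returns [bool $ok, ?string $newHash]; when $newHash is non-null the caller
 * must write it back to the database in place of the old value.
 */
function verify_and_upgrade(array $user, string $password): array
{
    $stored = $user['password'];

    // Hashes produced by password_hash(PASSWORD_BCRYPT) start with "$2y$".
    if (strncmp($stored, '$2y$', 4) === 0) {
        if (!password_verify($password, $stored)) {
            return [false, null];
        }
        // Re-hash only if the cost parameter has been raised since.
        $newHash = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)
            ? hash_password_bcrypt($password)
            : null;
        return [true, $newHash];
    }

    // Legacy path: constant-time compare, then upgrade to bcrypt on success.
    $expected = legacy_md5_hash($password, $user['salt']);
    if (!hash_equals($expected, $stored)) {
        return [false, null];
    }
    return [true, hash_password_bcrypt($password)];
}

// Constructed sample user record holding a legacy hash.
$salt = 'abcdefgh';
$user = ['salt' => $salt, 'password' => legacy_md5_hash('correct horse', $salt)];

// First login: password accepted, hash upgraded to bcrypt.
[$ok, $newHash] = verify_and_upgrade($user, 'correct horse');
assert($ok === true && $newHash !== null);
$user['password'] = $newHash;   // persist this in real code

// Second login: bcrypt verified, no further rehash needed.
[$ok, $newHash] = verify_and_upgrade($user, 'correct horse');
assert($ok === true && $newHash === null);

// Wrong password is rejected on both paths.
[$ok, ] = verify_and_upgrade($user, 'wrong password');
assert($ok === false);
```

Two caveats worth keeping in mind with this pattern: bcrypt only considers the first 72 bytes of the input, so very long passwords should be handled deliberately (e.g. rejected at a sane length limit), and until a user logs in their md5 hash remains in the database, so accounts that never log in again stay on the weak scheme unless you wrap existing digests (bcrypt over the md5 value) in a one-off migration.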

The current blocking task for other areas is rebasing the 1.9 branch on top of the 1.8 branch. Due to the way that Git (the tool we use to manage development) works, 1.9 is worked on in a separate branch whilst 1.8 development progresses. As the 1.8 branch moves forward, the 1.9 branch slowly goes out of sync, missing the recent changes from 1.8.

At the moment, the 1.9 branch is in line with MyBB 1.8.17, leaving us with 4 versions’ worth of changes that we need to merge into 1.9. This, unfortunately, is not an easy process due to the nature of the code changes in 1.9, and there are a lot of conflicts which need to be resolved manually. To ease this process we have decided to rebase one version at a time. Some MyBB 1.8 releases contain a smaller amount of changes than others, and these are considerably easier to rebase too.

Once the re-base is complete, there are still a couple of other tasks for 1.9 before we can release our first Alpha and Beta releases. Some of these issues include:

  • Implementing a new email system. The current MyBB email system causes no end of support threads due to its limited support for slight variations in the way email servers “speak” the SMTP protocol. We’re proposing that we adopt an existing, well-tested and supported email-sending library to manage the sending of emails. From a core point of view, this should be relatively simple since almost every email sent uses a single standard function (my_mail()).

    We’re proposing that we adopt the new symfony/mailer library which provides easy ways to send email via SMTP as well as various email APIs such as Postmark.

  • Reviewing any missed templates from the Twig conversion. During the rebase effort, we’ve noticed some lingering uses of the old template system within the core. These need to be rounded up and eliminated to ensure the template system usage throughout is consistent.

  • Updating the ACP to allow editing of Twig template files. So far, the Team have all been editing Twig templates directly through their respective files. While this is a great way to work (who doesn’t want to use their own editor of choice?), being able to edit templates easily within the Admin Control Panel is a useful feature that needs updating to work with the new template system. There is some discussion about looking at the JavaScript code editor that we use when editing templates to see if there are any better options on the market. An often requested feature has been the ability to edit multiple templates within tabs at the same time, an enhancement which would be very handy when working with new templates.

    We’re also looking at the possibility of leaving a certain level of support for the old template format to reduce the number of changes required for MyBB 1.8-based plugins to work with MyBB 1.9.

    Open the 1.9 Theme System issue to see what design problems we’ll be aiming to solve, and to participate in the discussion, whether you’re an Extension guru or have previously noticed friction when dealing with themes in MyBB.

    View on GitHub

We will also be starting to update and introduce documentation for 1.9. If there are any documentation pages that you would like to see updated or improved, now would be a great time to bring them to our attention!

MyBB 1.8.21 Released — Security & Maintenance Release

MyBB 1.8.21 is now available, and is a security & maintenance release.

This version includes updated jQuery and SCEditor, the JSON Syndication format, improved PostgreSQL support, improved PHP >= 7.1 compatibility and improved search function reliability. See information on SCEditor-related theme updates.

  • 6 security vulnerabilities addressed:

    • High risk: Theme import stylesheet name RCE — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
    • High risk: Nested video MyCode persistent XSS — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
    • Medium risk: Find Orphaned Attachments reflected XSS — reported by Simon Scannell of RIPS Technologies
    • Medium risk: Post edit reflected XSS — reported by adm1nkyj of ENKI
    • Medium risk: Private Messaging folders SQL injection — reported by Alex of DiscoveryGC
    • Low risk: Potential phar deserialization through Upload Path — reported by Simon Scannell of RIPS Technologies
  • 39 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.20 Released — Security & Maintenance Release

MyBB 1.8.20 is now available, and is a security & maintenance release.

This release includes allowing users to see their unapproved content and view user referrals; compatibility with PHP >= 7.2 has been improved and jQuery has been upgraded to 3.0.0, which might affect custom JavaScript code in plugins and themes.

  • 5 security vulnerabilities addressed:

    • Medium risk: Reset Password reflected XSS
    • Medium risk: ModCP Profile Editor username reflected XSS — reported by Jovan Zivanovic of MaTRIS Research Group, SBA Research
    • Low risk: Predictable CSRF token for guest users — reported by Devilshakerz of MyBB Team
    • Low risk: ACP Stylesheet Properties XSS — reported by Cillian Collins
    • Low risk: Reset Password username enumeration via email — reported by Abdullah Md. Shaleh
  • 42 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.19 Released — Security & Maintenance Release

MyBB 1.8.19 is now available, and is a security & maintenance release.

This update includes improved compatibility with PostgreSQL and resolves regressions from previous versions. Administrators may need to update CSS code in global.css for customized themes.

  • 4 security vulnerabilities addressed:

    • High risk: Email field SQL Injection — reported by StefanT
    • Medium risk: Video MyCode Persistent XSS in Visual Editor — reported by Numan OZDEMIR of InfinitumIT
    • Low risk: Insufficient permission check in User CP’s attachment management — reported by StefanT
    • Low risk: Insufficient email address verification — reported by StefanT
  • 8 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

Blueprinting Automatic Updates for PHP Applications

Keeping MyBB boards secure is a team effort. Security issues discovered and reported by external researchers and our core developers are analysed, fixed and included in final packages. The process doesn’t end there however: it is essential that administrators are notified to update their forums as soon as possible in order to prevent the addressed vulnerabilities from being exploited in an attack on their boards and users.

Learn More

Our recently published summaries, recommendations and links to reviewed guides in the SECURITY.md file contain many resources forum administrators can use to secure their boards against both opportunist and experienced digital criminals. First and foremost though, we always recommend that users keep their MyBB installs up to date. We also suggest using the new subscription feature for all used plugins and themes on Extend.

Based on our experience, even large discussion boards that don’t have dedicated technicians tend to use outdated versions of MyBB, and the situation in the area of extensions might be equally concerning. Not unlike other software, periodic updates are the main method of delivery for security patches — most MyBB releases contain fixes plugging security holes ranging from theoretical risks to critical vulnerabilities.

(Chart: Issues Addressed in MyBB 1.8.x by Version)

The need for continuous response to vulnerability reports is a strong argument for making the reduction of manual effort needed to keep our packages up to date a long-term goal.

In this post we’ll explore what keeps our developers up at night that also affects MyBB’s ability to introduce automated updates, and how the mechanism might actually be implemented once the system — currently being rebuilt for version 1.9 and subsequent branches — is ready.

Continue reading

MyBB 1.8.18 Released — Security & Maintenance Release

MyBB 1.8.18 is now available, and is a security & maintenance release.

Changes include added support for Mixer videos and multi-file attachments, modified Word Filter behavior, fixes to the mailing queue and improved compatibility with SQLite and MySQL 8. Theme CSS changes may be required and administrators may need to review Word Filters.

  • 2 security vulnerabilities addressed:

    • High risk: Image MyCode “alt” attribute persistent XSS — reported by Punisher_HF
    • Medium risk: RSS Atom 1.0 item title persistent XSS — reported by 0xB9
  • 30 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.17 Released — Maintenance Release

MyBB 1.8.17 is now available, and is a maintenance release.

This update fixes several issues introduced by MyBB 1.8.16 such as not being able to log into forums.

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.16 Released — Security & Maintenance Release

MyBB 1.8.16 is now available, and is a security & maintenance release.

This update includes compatibility fixes for database engines and recent PHP versions as well as performance and global security improvements. Note that the theme’s CSS files may need to be updated. If you use the login_attempt_check() function, note that its signature has changed.

  • 6 security vulnerabilities addressed:

    • High risk: Image & URL MyCode Persistent XSS — reported by Punisher_HF
    • Medium risk: Multipage Reflected XSS — reported by Dimaz Arno of Ethic Ninja
    • Low risk: ACP logs XSS — reported by Cillian Collins
    • Low risk: Arbitrary file deletion via ACP’s Settings — reported by Devilshakerz of MyBB Team
    • Low risk: Login CSRF — reported by Cillian Collins
    • Low risk: Non-video content embedding via Video MyCode — reported by Punisher_HF
  • 66 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Issues on Upgrade?

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 2.0 is being put on hold

The community spoke and we are listening.

Effective immediately, the MyBB team will be putting 2.0 on hold and working towards a more viable & gradual approach to rewriting the core software. Rather than a total rewrite all at once that could take years to complete, we’re going to roll out smaller updates in a quicker fashion. Starting with MyBB 1.9 and onwards, each release (1.10, 1.11, 1.12, etc.) will have new features and rewritten code until we reach the ultimate goal of a totally rewritten and modern forum software.

First up is MyBB 1.9. This update will feature a responsive theme built on a new and improved Twig template system. This system will allow template conditionals, variable loops, template includes, and much more. Along with a new theme and template system, we’re reworking & improving all of the JavaScript code and moving it from being inline with the theme to external files. Doing this will make it easier to manage and allow site owners to more easily implement stricter Content Security Policies on their forum, since a policy can only disallow inline scripts once none are needed.

In addition to the theme work outlined above, we’re going to be replacing SCEditor with TinyMCE as well as introducing the Swiftmailer mail handler. TinyMCE should be a vast improvement to the overall user experience compared to the current editor we’re using in the 1.8 series. TinyMCE is well-supported & maintained, modern and easily extensible with plugins if you’re looking for extra functionality. Swiftmailer will improve our core email functionality and should integrate better with most SMTP hosts. Swiftmailer will also allow us to retry sending failed emails, add attachments, use the BCC & CC functionality, support servers that require usernames & passwords and/or encryption and much more.

We are excited to embark on this path together, with the end goal being to restore MyBB’s place as the best forum software available today — free or commercial.

Thank you for your feedback. Please continue to voice your opinion about the things that are important to you. We are all in this together!

Follow the links below to view the MyBB 1.9 repository and MyBB 1.9 forum topic, respectively:

MyBB 1.9 Repository
MyBB 1.9 Forum Topic