Comments on: MyBB Security

By: david

david — Mon, 26 Jun 2006 17:38:44 +0000

backup backup backup

I was affected by that hacker and naturally I don’t have a current backup (not that I had a lot on my boards, but it’s the principle of it….)

By: Bobby

Bobby — Mon, 26 Jun 2006 07:03:45 +0000

You might want to implement the following into MyBB for more added security. Take these as suggested features for 1.4:
- By default have administrators change the admin folder, through the installation process
- Disallow access to the admin cp if there is an update which has not yet been patched. For example, we have a ‘Check for Newer Version’ option now, make it somehow that when an administrator logs into the admin cp, the system will check mybb.com for any new releases/updates etc. If there is one, inform the user and dissalow any options in the cp.
- Have users downloading mybboard also enter their email into the mailing list. Like what Apple does when your downloading iTunes etc. It automatically has preselected, ‘Get Newsletter’, do something the same with mybb.
- Have a secret passkey sent to an administrator every month, which has been randomly selected by the board itself. That passkey must be entered to change major aspects of the board, like the ‘Enter Password’ you have when people want to change their email in the user cp.
- If someone tries to login numerous times without luck, block their ip for 24hrs.
- Don’t allow any special characters at all in usernames
- Have a small captcha image on the login screen.

By: Dennis

Dennis — Mon, 26 Jun 2006 02:51:56 +0000

It seems like several boards were exploited with the vulnerability patched in 1.1.4. It is unfortunate to see what consequences do arise because of two missing quotation marks.

By: Dennis

Dennis — Sun, 25 Jun 2006 18:17:58 +0000

Peter has posted some ways that you can secure your MyBB even further:
http://community.mybboard.net/showthread.php?tid=9991

By: DrPoodle

DrPoodle — Sat, 24 Jun 2006 22:15:20 +0000

There are always going to be security holes in any type of software, which means there are always going to be ways in for malicious users. The way I see it, the more MyBB security patches there are, the less ways in there are for board exploiters.

With a complex script like MyBB, it is likely that holes are going to be found and exploited by malicious users, but we can be sure to make it damn hard for them anyway!

By: Ryan

Ryan — Sat, 24 Jun 2006 07:02:26 +0000

I wholeheartedly agree. There is no reason anyone shouldn’t upgrade their forums as soon as possible.

MyBB offers manual patches for the 1.1.x serious where you can install the patches into the code itself without having to download the entire package.

This way you can ensure that you yourself applied the patch.

I STRONGLY suggest for Administrators with a lot of modifications to their board take this route everytime a new release is made. It is simple and easy, sometimes the patches take two seconds, like the update from 1.1.3 to 1.1.4.

Anyone who doesn’t do this does not have a legitmate excuse why they shouldn’t. If you really cared for your board you would update it with any patch the Developers release, regardless of the severity of the bug.

I hope by reading these posts people change their minds about how they handle their boards.