MyBB Security

These are just my thoughts about MyBB security updates. I’m not a security expert of any sort, but I offer my opinion based on the knowledge I have.
Over the last few weeks there have been two MyBB releases to patch potential security vulnerabilities discovered by various parties. I have seen some people who have found these seemingly minuscule updates too trivial to apply to their own boards, despite the fact that I and various other members of the MyBB staff have recommended them.

These people seem to believe that, just because no harm has been done by people attempting to exploit the vulnerability, or because nothing happened when they tried the exploit script themselves, the upgrade is not required. Personally, I find this absurd.

First of all, I’d like to point out that not all proof-of-concept scripts are harmful; as their name suggests, these scripts prove the concept, but may not actually compromise the system. Wikipedia says: “In both computer security and encryption, proof of concept refers to a demonstration that in principle shows how a system may be protected or compromised, without the necessity of building a complete working vehicle for that purpose.”

Just because a board administrator cannot find a way to exploit the vulnerability doesn’t mean that a malicious user won’t find a way. Just because nothing has been “done” to the board when an attempt has been made doesn’t mean that eventually someone else won’t find a way to compromise the board. For example, the 1.1.3 release patched a serious security vulnerability where a malicious user could execute arbitrary PHP code to their heart’s content (with a maliciously formed username). As an administrator, you may not detect any problem on the surface if you tried the proof-of-concept script yourself, or saw such usernames registered on your board while nothing visibly harmful happened. In fact, much more serious and critical information may already have been in the hands of malicious users if they had compromised the board in this manner and the released patch was not applied.

As well, once the security vulnerability has been patched, anyone with malicious intent can work out from the patch how to exploit it, and may be able to compromise boards which have not applied it.

Okay, so I may not be a security expert, however, I do use my common sense (and I do hope that you use yours). When a security vulnerability has been found, and has been identified to affect the particular version of MyBB (or any other software), we do not just release these patches to annoy our users with little upgrades every few weeks. No, we actually do want to improve our software by patching these holes and keeping our users safe. If a vulnerability has been reported, it is most likely that something harmful can be done to your board, and if a board administrator wishes to take that risk and not upgrade, it is his or her decision, and I cannot force anyone to apply the patch.
Obviously it is possible that sometimes malicious users will compromise boards before we can find the vulnerability and release the patch, but I assure you that security is the highest priority for the MyBB Group, and we strive to keep our customers safe from these exploits in as timely a manner as possible.

However, once we have released a patch, it is up to each and every individual board administrator to update their board to keep themselves and their board safe from the exploit. Each security patch, no matter how small, should be considered significant. I hope that you all keep this in mind the next time you ponder whether or not to update your board.

After writing all this about security, I hope I won’t get hit on my behind by something that I have just fervently preached. 🙂

MyBB Development Update: Moderation

I’ve also been working on MyBB recently, and a few days ago I added a significant feature to MyBB 1.2, which I’ll let you guess. The feature was not added because of popular demand (I don’t think many people had suggested it on the MyBB Community Forums), but within the staff team there were some who supported it. I’ll start off with this clue and add more hints later if requested:

A couple of months ago, I converted most of the stuff in moderation.php into a class. This will allow plugins and other features within MyBB to easily call these methods to moderate threads and posts. An example:

<?php
// Load the moderation class and close several threads by their thread IDs
require MYBB_ROOT."inc/class_moderation.php";
$moderation = new Moderation;
$moderation->close_threads(array(1, 3, 45));

Obviously from the description above, this new feature has something to do with the moderation system…

Changes to DennisTT.Net

I’ve made a few changes to DennisTT.Net. I’ve gotten rid of Etomite, so the blog (and site) is fully powered by WordPress. The gallery has now been replaced with my Flickr account. I hope to get a bit more integration between MyBB and WordPress in the next few weeks after my second set of exams is done.

MyBB Development Update: Attachments

In anticipation of the release of the first beta/preview of MyBB 1.2, I’ve been committing a lot of small features here and there. Some of them are from past suggestions on the Suggestions forum on the Community Forums (which proves that, yes, we do add features that people suggest to MyBB releases). However, there are others that I have added on my own.

One of the sections I concentrated on during the last few days was the Attachment Manager, in both the Admin CP and User CP. I thought that it lacked some functionality, including finding broken attachments. There are three main ways an attachment can be “lost.” First, the attachment can exist in the database, but the actual file has gone missing (directly deleted, or otherwise). Second, the file does exist in the uploads folder, but has lost its record in the database. Third, the attachment may not be associated with a post (e.g. uploaded to a post that was never actually posted). I’ve started to implement an “Orphan Search” page in the Admin CP which currently searches for files that are in the uploads folder but aren’t referenced in the database, and also gives an option to delete them. Regarding the first problem, I’ve added colour coding in the main attachment search page in the Admin CP that indicates that the file associated with the attachment does not exist. There are now also slightly more detailed attachment statistics in the User CP (I thought that one line in the thead wasn’t sufficient ;)). I’ll probably be working on this more after the release of 1.2, so there will hopefully be more to come for the attachment managers.
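As an added illustration (my own example here, not MyBB’s Attachment Manager code), here is how the three kinds of “lost” attachment described above can be classified by comparing the files present in the uploads folder with the attachment rows from the database; the row fields (aid, attachname, pid) and the sample data are constructed for the example.

```php
<?php
// Added example, not MyBB code: classify "lost" attachments by comparing
// the files present in the uploads folder against attachment rows from the
// database. Each row is assumed to hold 'aid', 'attachname' (the stored
// filename) and 'pid' (0 when the upload was never tied to a post).
function find_lost_attachments(array $rows, array $files_on_disk): array
{
    $on_disk = array_flip($files_on_disk); // filename => index, for fast lookup
    $referenced = [];
    $result = ['missing_file' => [], 'orphan_file' => [], 'no_post' => []];

    foreach ($rows as $row) {
        $name = $row['attachname'];
        $referenced[$name] = true;
        // 1) Row exists in the database but the file is gone from disk.
        if (!isset($on_disk[$name])) {
            $result['missing_file'][] = $row['aid'];
        }
        // 3) Row exists (file or not) but was never associated with a post.
        if ((int)$row['pid'] === 0) {
            $result['no_post'][] = $row['aid'];
        }
    }
    // 2) File is in the uploads folder but no database row refers to it.
    foreach ($files_on_disk as $name) {
        if (!isset($referenced[$name])) {
            $result['orphan_file'][] = $name;
        }
    }
    return $result;
}

// Constructed sample data standing in for a database query and a scandir()
// of the uploads folder.
$rows = [
    ['aid' => 1, 'attachname' => 'post_1_a.jpg', 'pid' => 10],
    ['aid' => 2, 'attachname' => 'post_2_b.zip', 'pid' => 11], // file missing on disk
    ['aid' => 3, 'attachname' => 'post_0_c.png', 'pid' => 0],  // never attached to a post
];
$files = ['post_1_a.jpg', 'post_0_c.png', 'stray_d.gif'];    // stray_d.gif has no row

print_r(find_lost_attachments($rows, $files));
```

Only the second category (orphan files) is safe to delete outright; a missing file or a post-less row still has a database record that the board may need to clean up or keep for the user.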

Anyway, as we’re nearing the release of 1.2, I can see that there have been some significant modifications to certain parts of MyBB. Most of the changes were within the code. As you probably know, we are always looking for ways to make MyBB more OOP, so you’ll see a few new classes in the code. MySQL full-text searching capability should make its way into this release. This will hopefully make searching a lot better for both the user and the server. These are not all the changes, just the few major ones. We like to give people surprises, so we’ll let you see them when it’s released 🙂

We’re ditching MyBB!

Here is the outcome of one of our shortest MyBB developer meetings:

[22:45:13] Chris says: okay
[22:45:15] Chris says: we’re ditching mybb
[22:45:18] Dennis says: yeah
[22:45:23] Peter says: sure
[22:45:24] Dennis says: ok
[22:45:25] Peter says: 😛
[22:45:26] Dennis says: agreed
[22:45:30] Chris says: alright, glad thats resolved
[22:45:33] Dennis says: bye
[22:45:37] Peter says: bye, lol
[22:45:47] Chris says: cya

No, we were just kidding 😉 Anyway, I’ve got part of my SVN back up, and I’ve started committing a little bit, after having no commits for who knows how long. I still have a lot of stuff to study for, as you can see from my last two blog posts, so MyBB development will be slow for me until the mock exams are over at least. In the near future, I foresee several more people being brought on board the MyBB team, and that would definitely speed things up around here, in terms of support and development.

Anyway, the ideas for MyBB 1.1-1.2 are great. There’s a new post parser class as some of you found out from certain attachments being leaked on the Community forums ;), and a lot of other stuff being planned. I hope to start working on a language panel for the Admin CP, since that would make life a lot easier if you wanted to change a certain phrase. I can’t wait for AJAX to be implemented into MyBB, and I think that will be in 1.2 as well (it’s not my area of specialty…yet :P)

Anyway, look out for things to come, from the MyBB dev team!