These are just my thoughts about MyBB security updates. I’m not a security expert of any sort, but I just offer my opinion based on the knowledge I have.
Over the last few weeks there have been two releases to MyBB to patch potential security vulnerabilities that have been discovered by various parties. I have seen some people who have found these seemingly minuscule updates too trivial to apply to their own boards, despite the fact that I and various other members of the MyBB staff have recommended these updates.
These people seem to believe that just because no harm has been done by people attempting to exploit the vulnerability, or just because no harm has been done when they try the exploit script by themselves, that the upgrade is not required. Personally I find this absurd.
First of all, I’d like to point out that not all proof-of-concept scripts are harmful; as their name suggests, these scripts prove the concept, but may not actually compromise the system. Wikipedia says: “In both computer security and encryption, proof of concept refers to a demonstration that in principle shows how a system may be protected or compromised, without the necessity of building a complete working vehicle for that purpose.”
Just because a board administrator cannot find a way to exploit the vulnerability, doesn’t mean that another malicious user won’t find a way. Just because nothing has been “done” to the board when an attempt has been made, doesn’t mean that eventually someone else won’t find a way to compromise the board. For example, the 1.1.3 release patched a serious security vulnerability where a malicious user could execute arbitrary PHP code to their heart’s content (with a maliciously-formed username). As an administrator, you may not even detect any problems on the surface if you tried the proof-of-concept script, or saw usernames that have registered on your board, but nothing harmful has happened. In fact, much more serious and critical information may have been available to the hands of malicious users, if they indeed have compromised the board in this manner, and the patch released was not applied.
As well, once the security vulnerability has been patched, anyone with a malicious intent would be able to figure out how to exploit it, and may be able to compromise boards which have not patched the vulnerability.
Okay, so I may not be a security expert, however, I do use my common sense (and I do hope that you use yours). When a security vulnerability has been found, and has been identified to affect the particular version of MyBB (or any other software), we do not just release these patches to annoy our users with little upgrades every few weeks. No, we actually do want to improve our software by patching these holes and keeping our users safe. If a vulnerability has been reported, it is most likely that something harmful can be done to your board, and if a board administrator wishes to take that risk and not upgrade, it is his or her decision, and I cannot force anyone to apply the patch.
Obviously it is possible that sometimes the malicious users will compromise boards before we can find the vulnerability and release the patch, but I assure you that security is at the highest priority with the MyBB Group, and we strive to keep our customers safe from these exploits in as timely a manner as possible.
However, once we have released a patch, it is up to each and every individual board administrator to update their board to keep them and their board safe from the exploit. Each security patch, no matter how small, should be considered as significant. I hope that you all keep this in mind the next time you ponder whether or not to update your board.
After writing all this about security, I hope I won’t get hit on my behind by something that I have just fervently preached. 🙂
I wholeheartedly agree. There is no reason anyone shouldn’t upgrade their forums as soon as possible.
MyBB offers manual patches for the 1.1.x series where you can install the patches into the code itself without having to download the entire package.
This way you can ensure that you yourself applied the patch.
I STRONGLY suggest that Administrators with a lot of modifications to their board take this route every time a new release is made. It is simple and easy; sometimes the patches take two seconds, like the update from 1.1.3 to 1.1.4.
Anyone who doesn’t do this does not have a legitimate excuse for not doing so. If you really cared for your board you would update it with any patch the Developers release, regardless of the severity of the bug.
I hope by reading these posts people change their minds about how they handle their boards.
There are always going to be security holes in any type of software, which means there are always going to be ways in for malicious users. The way I see it, the more MyBB security patches there are, the less ways in there are for board exploiters.
With a complex script like MyBB, it is likely that holes are going to be found and exploited by malicious users, but we can be sure to make it damn hard for them anyway!
Peter has posted some ways that you can secure your MyBB even further:
http://community.mybboard.net/showthread.php?tid=9991
It seems like several boards were exploited with the vulnerability patched in 1.1.4. It is unfortunate to see what consequences do arise because of two missing quotation marks.
You might want to implement the following into MyBB for more added security. Take these as suggested features for 1.4:
– By default have administrators change the admin folder, through the installation process
– Disallow access to the admin cp if there is an update which has not yet been patched. For example, we have a ‘Check for Newer Version’ option now; make it so that when an administrator logs into the admin cp, the system will check mybb.com for any new releases/updates etc. If there is one, inform the user and disallow any options in the cp.
– Have users downloading mybboard also enter their email into the mailing list. Like what Apple does when you’re downloading iTunes etc. It automatically has ‘Get Newsletter’ preselected; do something similar with MyBB.
– Have a secret passkey sent to an administrator every month, which has been randomly selected by the board itself. That passkey must be entered to change major aspects of the board, like the ‘Enter Password’ you have when people want to change their email in the user cp.
– If someone tries to login numerous times without luck, block their IP for 24 hours.
– Don’t allow any special characters at all in usernames
– Have a small captcha image on the login screen.
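Two of the suggestions above (the 24-hour IP block after repeated failed logins, and restricting the characters allowed in usernames) can be sketched in a few lines of PHP. The following is an added example written for this post, not MyBB’s own code; the threshold of five attempts, the in-memory `$attempts` array standing in for a database table, the constructed user and IP, and the choice to allow underscore and hyphen in usernames are all assumptions.

```php
<?php
// Added example (not MyBB code): failed-login lockout per IP and a
// username whitelist. Storage is an in-memory array here; a real board
// would keep this in its database so it survives across requests.

const MAX_FAILED_ATTEMPTS = 5;          // assumption: lock after 5 failures
const LOCKOUT_SECONDS     = 24 * 3600;  // 24 hours, as suggested in the post

// $attempts maps an IP to ['count' => int, 'locked_until' => unix timestamp]
$attempts = [];

function isLockedOut(array &$attempts, string $ip, int $now): bool
{
    if (!isset($attempts[$ip])) {
        return false;
    }
    if ($attempts[$ip]['locked_until'] > $now) {
        return true;
    }
    // Lockout has expired: forget the old failures.
    unset($attempts[$ip]);
    return false;
}

function recordFailure(array &$attempts, string $ip, int $now): void
{
    $entry = $attempts[$ip] ?? ['count' => 0, 'locked_until' => 0];
    $entry['count']++;
    if ($entry['count'] >= MAX_FAILED_ATTEMPTS) {
        $entry['locked_until'] = $now + LOCKOUT_SECONDS;
    }
    $attempts[$ip] = $entry;
}

function recordSuccess(array &$attempts, string $ip): void
{
    unset($attempts[$ip]);
}

// Username whitelist (assumption): letters, digits, underscore, hyphen; 3-30 chars.
function isValidUsername(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_-]{3,30}$/', $name) === 1;
}

function attemptLogin(array &$attempts, string $ip, string $username,
                      string $password, array $users, int $now): string
{
    if (isLockedOut($attempts, $ip, $now)) {
        return 'locked';
    }
    if (!isValidUsername($username)) {
        recordFailure($attempts, $ip, $now);
        return 'invalid_username';
    }
    // password_verify() checks against a hash made by password_hash().
    if (isset($users[$username]) && password_verify($password, $users[$username])) {
        recordSuccess($attempts, $ip);
        return 'ok';
    }
    recordFailure($attempts, $ip, $now);
    return 'bad_credentials';
}

// Constructed demo data.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$now   = time();
$ip    = '203.0.113.7'; // constructed documentation address

for ($i = 1; $i <= 6; $i++) {
    echo "attempt $i: " . attemptLogin($attempts, $ip, 'alice', 'wrong', $users, $now) . "\n";
}
// The right password is still refused while the lockout is active.
echo "correct password during lockout: "
    . attemptLogin($attempts, $ip, 'alice', 'correct horse', $users, $now) . "\n";
// Once the 24 hours have passed the counter resets and login succeeds.
echo "after lockout: "
    . attemptLogin($attempts, $ip, 'alice', 'correct horse', $users, $now + LOCKOUT_SECONDS + 1) . "\n";
```

Running it shows five `bad_credentials` results, then `locked` for the sixth attempt and for the correct password, and `ok` once the lockout window has passed. Two points worth noting when adopting something like this: an IP-based block also locks out every other user behind the same proxy or NAT, so a per-account counter alongside the per-IP one is common; and a username rule like the regex here should be applied at registration as well as at login, since the 1.1.3 issue mentioned earlier in the thread involved a malformed username that had already been accepted by the board.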
backup backup backup
I was affected by that hacker and naturally I don’t have a current backup (not that I had a lot on my boards, but it’s the principle of it….)