MyBB 1.8.37 Released — Security & Maintenance Release

MyBB 1.8.37 is now available, and is a security & maintenance release.

This version includes improvements for compatibility with mailing configurations and recent PHP versions.

  • 2 security vulnerabilities addressed:

    • Medium risk: Visual editor size code persistent XSS (advisory) — reported by Paulos Yibelo (Octagon Networks)
    • Low risk: ACP Themes persistent XSS (advisory) — reported by Or4nG.M4n
  • 12 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.36 Released — Security Release

MyBB 1.8.36 is now available, and is a security release.

After applying the patch, we recommend using the Admin CP’s Tools & Maintenance → System Health → Check Templates tool to scan for security issues that may not have been detected before this version.

  • 1 security vulnerability addressed:

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →


MyBB 1.8.35 Released — Maintenance Release

MyBB 1.8.35 is now available, and is a maintenance release.

This version improves stability and compatibility with various PHP versions.

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →


MyBB 1.8.34 Released — Security & Maintenance Release

MyBB 1.8.34 is now available, and is a security & maintenance release.

  • 1 security vulnerability addressed:

    • Low risk: User CP email persistent XSS (advisory) — reported by Ahmet Altuntaş
  • 13 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →


To keep up with Project news, you can now follow MyBB on Mastodon.


Designing MyBB 1.9’s Installer

One key to keeping software projects and the surrounding communities healthy is keeping friction for all audiences to a minimum.

In MyBB, this friction is derivative of user experience and developer experience. Our largest audience is formed by the end users — people browsing online forums, not expected to know what MyBB is, yet benefitting from fine-tuned visuals, phrases, and flows that come out-of-the-box. At the same time, we target two groups further down the forum assembly line, for whom both UX and DX apply.

For site owners and community leaders, the software needs to be approachable and intuitive — without requiring particular knowledge of languages and technologies — but also allow tweaking its look and functionality by maintainers with technical experience.

For developers, in addition to a useful extension system, APIs, and documentation, the software needs to expose the appropriate tools to allow speedy development and testing — without assuming one’s familiarity with it.

These factors are crucial in the world of free and open-source software, where the development relies on external contributors and their ease of work.

A setup mechanism is where their paths cross: it has to break down unavoidable complexity, without getting in expert users’ way. Besides having to meet best UX and DX practices, it also carries the weight of defining the first impression of the product for everyone.

The Need for Speed

kawaii — 2:56 PM

I wonder how many of the PostgreSQL installs are me with my Docker stack

People who work with, and on MyBB, install it a lot. To comfortably test new code and eliminate bugs in the core and extensions, their setup should require minimal time and attention better spent on the task at hand.

The existing installation experience left much to be desired — among others, the old installer:

  • is strictly synchronous and static, making users alternate between waiting and filling out forms,
  • asks for information that’s either nonessential (e.g. a website URL for the optionally displayed link), or derived (e.g. cookie settings that can be deduced from the forum URL),
  • contains technical details of little to no relevance, which also makes it more difficult to navigate,
  • loads pages only for the user to press Next, instead of proceeding automatically,
  • offers no shortcuts for quick setup for testing or development, and
  • can’t be scripted or automated.

[Screenshot: the Table Creation page displayed during the installation of MyBB 1.8, with an unnecessarily long list of names of created tables.]

The special part of the application accessed through install/ was largely self-contained and separate from the rest, offering a good target for improvements parallel to other work on the 1.9 series.

In this post, we share how the system was disassembled, redesigned, and rebuilt.


MyBB 1.8.33 Released — Security & Maintenance Release

MyBB 1.8.33 is now available, and is a security & maintenance release.

This version improves cache system stability, and compatibility with PostgreSQL (PDO) and recent PHP versions.

  • 1 security vulnerability addressed:

    • High risk: ACP Languages local file inclusion (advisory) — reported by yelang123 (Stealien), NGA (Stealien)
  • 8 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →


MyBB 1.8.32 Released — Security & Maintenance Release

MyBB 1.8.32 is now available, and is a security & maintenance release.

This version addresses reported security problems and updates SCEditor to the latest version.

  • 3 security vulnerabilities addressed:

    • High risk: Visual editor persistent XSS (advisory) — reported by Aleksey Solovev (Positive Technologies)
    • Medium risk: ACP Users SQL injection (advisory) — reported by Aleksey Solovev (Positive Technologies)
    • Low risk: Attachment upload XSS (advisory) — reported by Aleksey Solovev (Positive Technologies)
  • 1 issue resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →


MyBB 1.8.31 Released — Security & Maintenance Release

MyBB 1.8.31 is now available, and is a security & maintenance release.

This version resolves discovered bugs and regressions, and improves compatibility with database engines and recent PHP versions.

Please note that the value of Additional Parameters for PHP’s mail() (Mail Settings) now only takes effect when saved in the Configuration File.

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →


MyBB 1.8.30 Released — Security Release

MyBB 1.8.30 is now available, and is a security release.

  • 1 security vulnerability addressed:

    • High risk: ACP Settings management RCE (advisory) — reported by Cillian Collins / Trend Micro Zero Day Initiative

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →


MyBB 1.8.29 Released — Security Release

MyBB 1.8.29 is now available, and is a security release.

  • 1 security vulnerability addressed:

    • High risk: ACP Settings management RCE (advisory) — reported by Xiangwen (Evan) Yu

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →
