Forum software developers offer insight ahead of next major release

MyBB security analysis: Open source community helps squash hundreds of bugs

The open source community has helped to protect websites running the MyBB forum software from more than 270 security vulnerabilities since it was launched in 2005, developers have confirmed.

In a blog post published ahead of the next major release, the MyBB development team offered a deep dive into the platform’s security ecosystem, noting that more than 100 bugs have been mitigated in the current branch alone.

Written in PHP, MyBB is popular open source software that’s thought to power more than 10,000 forum sites.

The MyBB development team gathered a wealth of security and vulnerability data from last year to offer an analysis about what the numbers mean for the platform.

“The launch of MyBB 1.8.22 back in December brought the number of vulnerabilities addressed in the 1.8 branch of the popular open source forum software to over 100,” the post explains.

Nearly three-quarters (74%) of these bugs were flagged through the MyBB security program.

“This resulted in a grand total of 12 high risk (12%), 33 medium risk (32%), and 58 low risk (56%) problems,” the developers said.

XSS tops the list

Almost half (49%) of the vulnerabilities in 1.8 branch of MyBB related to cross-site scripting (XSS). Of these, there were 36 cases of persistent XSS, 12 cases of reflected XSS, and one case of DOM-based XSS.

Other leading bug classes included improper access control (seven cases), SQL injection (also seven cases), code injection (six), information exposure (six), cross-site request forgery (five), path traversal (four), and improper input validation (three).

“The statistics specific to MyBB are consistent with more broad observations from web software, having XSS, access control issues, and injection the most common categories of vulnerabilities to be reported,” said the MyBB developers.

MyBB is open source forum software that's thought to power more than 10,000 sitesMyBB is thought to power more than 10,000 forum sites

Community efforts

MyBB made security headlines last year with a critical stylesheet vulnerability that could have given an attacker full access to user accounts, private threads, and messages stored in a forum’s database.

Thanks to coordinated disclosure from security researchers at RIPS Technologies, the MyBB development team quickly resolved the potentially devastating flaw.

At the time, Tomasz Mlynski of the MyBB project discussed the importance of coordinated disclosure for open source projects, telling The Daily Swig:

Full cooperation – which, currently in our case, involves not only coordinated disclosure, but also solution development and the follow-up penetration testing – has already proved worthwhile through multiple opportunities, when security patches were corrected or improved in time for publication.

We can see how more resources in this area – provided by external, adversarial teams that attempt to break what we build, but with a similar goal – can improve the health and stability of a security program, so that fixes are delivered more reliably and faster.

We believe that open source projects have a particular interest and conditions to offer transparency and a high level of technical detail.

Experienced users should be well aware that all platforms can be vulnerable, so the difference is not how secure a vendor claims to be, or how rarely they mention having security issues, but the procedures in place and history that has put them into practice.

Looking ahead, the MyBB platform is hoping to maintain the momentum it has established when it comes to vulnerability remediation, whilst allowing the ever-growing number of forum administrators to ensure their sites are as secure as possible.

“Security improvements under consideration are not just limited to the internal workings of MyBB,” the project maintainers said.

“We expect future MyBB versions to require less technical knowledge and experience to manage boards effectively and securely – this will involve automating certain tasks and checks, making administrators aware of suspected problems and misconfigurations, and offering inbuilt actions in place of running code or SQL queries manually.”

They added: “If you administrate MyBB 1.8.x boards, make sure to review the new MyBB Security Guide with best practices for protecting your website, in addition to keeping MyBB and its extensions up to date.”

MyBB has an active development and security communityFitting for forum software, MyBB has an active community of contributors

Open forum

In a development pipeline update to The Daily Swig this week, Mlynski said: “The upcoming branch [MyBB 1.9] is currently under development and is expected to come with the new Twig engine, but we don’t have estimates on the release date.

“MyBB 1.8.x will continue receiving updates. Once 1.9 is released and stable, the focus will shift to the newest branch, and security and high-priority issues will be addressed in parallel (until 1.8’s end-of-life date) to provide a smooth transition timeline for forum owners.”

Other “significant changes” on the horizon for the MyBB project include a non-regex parser for clear validation and control of nested tags to limit XSS issues; strict Content Security Policy; and parametrized SQL statements to help protect against SQL injection attacks.

“More than 270 security flaws have now been fixed in the software since the first stable package was released back in 2005,” the developers said.

“Widely adopted standards will continue to be added to MyBB, further reducing the attack surface created by client-bound vulnerabilities, which in 1.8.x account for 54% of issues in question.”

YOU MIGHT ALSO LIKE Flaws belatedly fixed in open source SuiteCRM software