Skip to content

Latest commit

 

History

History
32 lines (19 loc) · 3.18 KB

SECURITY.md

File metadata and controls

32 lines (19 loc) · 3.18 KB

Security at MyBB

Running MyBB Securely: Recommendations

  • maintain the server software up to date (through dedicated and experienced administrators or managed hosting),
  • always keep MyBB and extensions up to date (running updates no later than 7 days after release is recommended) — subscribe to official channels to immediately get notified of new versions of MyBB and, similarly, to used plugins and themes on the Extend section to get notified of extension updates,
  • follow recommendations on secure filesystem setup, HTTPS support, Two-Factor Authentication (2FA) available here, including the general security guide.

Known Security Issues

Executive Summary

MyBB 1.x is known to be affected by documented vulnerabilities related to possible XSS attacks from members with access to the Admin Control Panel (ACP) and possible anticipated vulnerabilities that may be caused by incorrect variable type handling, error-prone implementation on the MyCode parser, improper user input filtering, improper HTML filtering (where it is partially sanitized), insufficient session control mechanisms, weak cryptographic primitives (e.g. password hashing algorithms), insufficient user and group permission control, common usage of eval() statements and possible usage of outdated libraries and 3rd-party software.

Documented unaddressed, and anticipated vulnerabilities can lead to damage and/or loss of data and servers and can pose a threat to privacy, safety and/or security of forum administrators and their end users.

We, therefore, do not recommend storing sensitive information using MyBB until aforementioned issues are resolved.

Technical Details of Known Issues

  • MyBB series 1.x up to 1.8.x has XSS security issues affecting the Admin Control Panel (ACP).

Reporting Vulnerabilities

We recognize reporters that follow responsible disclosure by including their names and affiliations in Release Notes and Release Blog Posts.

If you have discovered a potential vulnerability or security risk, we encourage you to responsibly disclose it to us via the Private Inquiries forum.

Do not use the form if you notice your browser displays HTTPS warnings, or anything otherwise suspicious happens. You can optionally encrypt your message using GPG keys of at least 3 Lead staffers, available at https://mybb.com/about/team/.

You can also reach us at security@mybb.com for security concerns, however we recommend using Private Inquiries for best feedback.

Open mybb.com/security with complete instructions on how to report vulnerabilities to maximize the efficiency, help MyBB secure users as soon as possible and receive recognition. You will also learn what issues we look after, how to limit harm to other people and what the disclosure process will look like.