Requesting another Security Audit.
07-01-2009, 06:03 PM
Post: #1
Requesting another Security Audit.
After the recent vulnerabilities present in the 1.4.* versions of MyBB, I think it may require another security audit. (Not now, but soon.)
I understand that this costs a lot of money, but the knowledge that MyBB is indeed still a secure forum script will instill more user confidence, as we all know that the recent vulnerabilities have somewhat dampened MyBB's claim to be a very secure forum script. (I already know it is extremely secure compared to other forum scripts, but new users will most likely turn away.) I'm just giving you my views on this particular subject.
07-01-2009, 06:05 PM
(This post was last modified: 07-01-2009 06:07 PM by seeker.)
Post: #2
RE: Requesting another Security Audit.
Probably too expensive...
We test it every day in the real world. The original audit was a great idea, I was impressed MyBB staff had it done.
MyBB is the best forum software!
07-01-2009, 06:10 PM
Post: #3
RE: Requesting another Security Audit.
As I stated in my first post, I understand it is expensive, but having it professionally verified would instill more confidence for current and new users.
MyBB have done so before, I'm just giving a suggestion that they "should" do so, either for the current MyBB releases, or later releases.
07-01-2009, 06:25 PM
Post: #4
RE: Requesting another Security Audit.
(07-01-2009 06:10 PM)Craigw Wrote: As I stated in my first post, I understand it is expensive, but having it professionally verified would instill more confidence for current and new users.
Well then it may help if people started donating to the cause here. I am sure if MyBB can raise the funds then they will do it. They still may, but I think donating to MyBB will help the cause. I agree it would be nice, but MyBB may need a little help to make it happen. Most important to me is the issues have been FIXED.
07-01-2009, 06:28 PM
(This post was last modified: 07-01-2009 06:31 PM by Craigw.)
Post: #5
RE: Requesting another Security Audit.
True, but there may be many other security vulnerabilities not found yet. (or ones that have been publicly released.)
Fixing one vulnerability does not mean they have fixed all of them. As you stated before a donation is possible, but will most likely not be enough to cover the costs. However, if MyBB gave people incentives (preferably ones that do not cost.) to find and report vulnerabilities, it would see a lot more progress in development security-wise. I'm not criticizing the MyBB developers, I only want to help improve development of the script.
07-01-2009, 06:37 PM
Post: #6
RE: Requesting another Security Audit.
Well we all understand but MyBB did something you don't even really see vB or IPB doing too often. Plus, it's not like it was a complete rewrite; most of the things from the last security audit were carried over. And, no matter how many we do there will always be a possible vulnerability.
Plus, where do you expect them to come up with the money? They do this out of their free time and well I'm sure most if not all the donations go into paying for monthly costs. As I doubt they are getting tons of money from donations. You're always welcome to have MyBB audited on your money. The staff doesn't have to do it.
07-01-2009, 06:39 PM
Post: #7
RE: Requesting another Security Audit.
It would be nothing but a huge waste of money.
07-01-2009, 06:41 PM
Post: #8
RE: Requesting another Security Audit.
(07-01-2009 06:28 PM)Craigw Wrote: True, but there may be many other security vulnerabilities not found yet. (or ones that have been publicly released.)
But that is true of any software?? Thus it has to be found in order to be fixed. So I don't see the point about other possible exploits? Heck, even the new PHPBB 3.0 has had some exploits found recently, so not any software is free of it. There will always be new exploits found in ALL software thanks to people not having better things to do with their time. Most important is getting it fixed ASAP, and well, MyBB has been great about that.
07-01-2009, 06:41 PM
Post: #9
RE: Requesting another Security Audit.
(07-01-2009 06:28 PM)Craigw Wrote: However, if MyBB gave people incentives (preferably ones that do not cost.) to find and report vulnerabilities, it would see a lot more progress in development security-wise.
How about having a forum that's safe from hackers? I think that's a pretty good incentive.
07-01-2009, 06:44 PM
(This post was last modified: 07-01-2009 06:52 PM by Craigw.)
Post: #10
RE: Requesting another Security Audit.
(07-01-2009 06:37 PM)NetSage Wrote: Well we all understand but MyBB did something you don't even really see vB or IPB doing too often. Plus, it's not like it was a complete rewrite; most of the things from the last security audit were carried over. And, no matter how many we do there will always be a possible vulnerability.
If MyBB cared about the security of the script they would do so; waiting for people to do an audit on their own is just plain stupid. That would give a huge sense that MyBB doesn't really care about the security of the script. (I know that's not true.) I'm NOT saying they should do so now (which I have stressed); I am saying that they should do so whenever they have the time/money. I hope that you understand this now.
(07-01-2009 06:41 PM)NetSage Wrote: (07-01-2009 06:28 PM)Craigw Wrote: However, if MyBB gave people incentives (preferably ones that do not cost.) to find and report vulnerabilities, it would see a lot more progress in development security-wise.
Indeed, but most forum admins that find those vulnerabilities will more than likely keep the fix for themselves, and not disclose it.
(07-01-2009 06:41 PM)HarryWx Wrote: (07-01-2009 06:28 PM)Craigw Wrote: True, but there may be many other security vulnerabilities not found yet. (or ones that have been publicly released.)
Think about what a security audit does, and you will find your point is not valid to the discussion at hand.