MyBB Community Forums

Full Version: MyBB 1.9 Development
Will there be a thread posted where we can request features or add-ons for 1.9?
In order to release 1.9 within a reasonable timeframe, we will not be adding any additional new features to MyBB 1.9. The release is focused almost entirely on the new responsive theme and the theme and template system.

See the Development Roadmap for our plans for future releases of MyBB.
Good luck development team. Looking forward to the new responsive theme very much.
Has the showteam page been tested for the case where there are group leaders? I find that $modscope does not work when you try to move it into the showteam_moderators_mod template, and hence the card view becomes difficult to implement.
Content security policy and security issues in general

I think MyBB 1.9 should try to improve its security with a CSP (Content Security Policy). I think I already read such a suggestion on GitHub, but basically I guess this implies moving all JavaScript code into dedicated files (like general.js, etc.) and removing all JavaScript that is currently embedded in pages inside script tags. This way you can then use a CSP to only allow JS to be executed from JS files on the same domain. Of course this could be a problem for plugins that embed JS code directly in the body of the page (since the CSP wouldn't allow that anymore, preventing XSS), but plugins can always be updated to move their JS code to a dedicated file too (like plugin-whatever.js, etc.).

What do you think of this? I think it should be done in a major release (like 1.9) because it will involve changing a lot of the templates in the theme, and it is also likely to break compatibility with some plugins for the reason I mentioned above. So 1.9 seems a good release to implement this. Otherwise you will have to consider implementing it in another release (1.10?), but as I said that will involve changes in a lot of templates and breaking compatibility (which might not be planned for 1.10 and later releases, while it is already known and accepted that 1.9 will break backward compatibility). I don't know if it's too much work to do, but my impression is that all you need to do is move any JS code from the body of the page to some dedicated files.

Another thing that I think should be done by default with a CSP is to disallow the embedding of the forum in other pages (with iframes or similar) to prevent clickjacking. I don't think there is ever a good reason to embed a part of the forum in an iframe (or similar) in another page on another domain. Who is doing this, and what for? So all you need is a CSP directive to disallow that, potentially preventing any clickjacking issues.

What do you think? I think that if MyBB really cares about security and aims to become a really secure application, a CSP is definitely going to be a vital thing to consider. I have to say I'm pretty shocked at the latest updates: in a few months MyBB has released 4 security updates, all involving very serious issues like XSS and SQL injection (very serious issues and at the same time apparently trivial to exploit and to prevent). It shocked me so much that I even started to consider moving to something else like phpBB (but I have no experience with that, so it might even turn out to be worse after all, who knows, even though they don't release security updates so frequently). Taking a quick look at the code I'm also not sure how SQL queries are made exactly, but I've seen code (in the DB_MySQLi class) that doesn't even use prepared statements and instead just relies on the fact that "hopefully" the query has been sanitized somewhere before calling the function. As I said, at the moment I'm not sure all MyBB installations are actually using those classes in that way, but I think that in any case nowadays it's about time all queries were parameterized with prepared statements.
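To make the two suggestions above concrete, here is an added example (my own code, not MyBB's or anything from the 1.9 branch) of what they look like in PHP: a CSP that only allows scripts from same-origin files and forbids framing, plus a string-built mysqli query beside its prepared-statement replacement. The function names, the `mybb_users` table name and the column names are assumptions for illustration.

```php
<?php
// Added example, not MyBB code. Function names and the table/column names
// (mybb_users, uid, username) are assumptions for illustration.

/**
 * Emit a Content Security Policy for a forum page and return the policy string.
 *
 * script-src 'self' with no 'unsafe-inline' means: scripts load only from
 * same-origin files (general.js, plugin-whatever.js, ...); inline <script>
 * blocks, onclick="" handlers and javascript: URLs are all refused, which is
 * what blunts most reflected/stored XSS. frame-ancestors 'none' is the CSP
 * way to say "never render this page inside a frame on any site", i.e. the
 * clickjacking defence. Pass $report_only = true to roll the policy out
 * without breaking anything: violations are reported, not blocked.
 */
function mybb_example_csp_header(bool $report_only = false): string
{
    $directives = [
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self'",            // also blocks inline style=""; relax if a theme needs it
        "img-src 'self' data: https:", // avatars and attachments are often remote
        "object-src 'none'",
        "base-uri 'self'",             // stops <base> injection from redirecting script URLs
        "form-action 'self'",
        "frame-ancestors 'none'",      // clickjacking: no embedding anywhere
    ];
    $policy = implode('; ', $directives);

    $name = $report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header($name . ': ' . $policy);
    // Legacy header for browsers that predate frame-ancestors support.
    header('X-Frame-Options: DENY');

    return $policy;
}

/**
 * The pattern the post complains about: the SQL text is built by string
 * interpolation, so correctness depends on $username having been escaped
 * by some earlier caller. If it was not, a value like
 *   x' OR '1'='1
 * changes the structure of the statement.
 */
function find_user_unsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT uid, username FROM mybb_users WHERE username = '$username'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

/**
 * Hardened form: the statement is compiled first and the value is bound
 * afterwards, so no quoting inside $username can alter the SQL. No escaping
 * step is required, and there is nothing for a caller to forget.
 */
function find_user_safe(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT uid, username FROM mybb_users WHERE username = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $username); // 's' = bind as string
    $stmt->execute();
    // get_result() needs the mysqlnd driver (the default on modern PHP builds).
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Two practical caveats. First, deploy the policy in `Content-Security-Policy-Report-Only` mode on a real board before enforcing it, because every inline `<script>` in a theme template and every plugin that injects script into the page body will show up as a violation; that list is the migration work. Second, `frame-ancestors 'none'` is a page-level statement, so if the forum ever does need to be embedded on one specific trusted domain, the directive can name that origin instead of `'none'` rather than being dropped entirely.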
^^ Good suggestion. All JS can be moved to the footer as well.
When do we get the alpha?
(2018-10-01, 08:55 AM) reed Wrote: What do you think? I think that if MyBB really cares about security and aims to become a really secure application, a CSP is definitely going to be a vital thing to consider. I have to say I'm pretty shocked at the latest updates: in a few months MyBB has released 4 security updates, all involving very serious issues like XSS and SQL injection (very serious issues and at the same time apparently trivial to exploit and to prevent). It shocked me so much that I even started to consider moving to something else like phpBB (but I have no experience with that, so it might even turn out to be worse after all, who knows, even though they don't release security updates so frequently). Taking a quick look at the code I'm also not sure how SQL queries are made exactly, but I've seen code (in the DB_MySQLi class) that doesn't even use prepared statements and instead just relies on the fact that "hopefully" the query has been sanitized somewhere before calling the function. As I said, at the moment I'm not sure all MyBB installations are actually using those classes in that way, but I think that in any case nowadays it's about time all queries were parameterized with prepared statements.

phpBB is worse in my opinion in terms of security issues that you have mentioned in your post.

The development team of phpBB is not very customer-oriented and most likely will not implement your ideas/concepts that you have mentioned in your post.

Whether or not the development team of MyBB will implement your suggestions depends on the timing of the upcoming 1.9.xx releases (Alpha, Beta, and Public).

Your suggestions are valid, but I wish you had posted this like 6 months ago so that it would have been given serious consideration and possibly implemented into the 1.9.xx release.
The idea of managing javascript has been mentioned on the open forum before. And it's not too late if the team wants to make that part of the 1.9 release. Now is probably the best time, because when it does get done it will break a lot of themes, so may as well be now with the switch over to 1.9
Guys please, I'm dying for MyBB 1.9. Surely you can release it by November?