MyBB Community Forums

Full Version: Responsible Vulnerability Disclosure
Hi everyone,

Yesterday MyBB released a security update in what's both a state of emergency on the east coast (several states at least!) of the USA (and likely elsewhere in the world - I only know about the hurricanes which are about to affect me, but I hear there is more than one hurricane out there right now), alongside a day of remembrance (9/11) where people are less likely to be working and checking for updates.

Currently the hurricanes threaten the lives of webmasters and our ability to respond to issues and install updates is somewhat limited at the moment.

Additionally, you released an update on 9/11, which is a day of remembrance in the United States. Many people are with their families in memory of a tragedy and wouldn't have bothered to check for a MyBB update.

Publishing the commit (https://github.com/mybb/mybb/commit/420b...089e9d4ca1) revealing a high risk security issue was irresponsible at the time it was disclosed. It should have waited until the current disasters had calmed down a bit.

Can the development team please take a look at current events before publishing a security update and letting potential hackers "go wild" before we have time to safely install security patches, during a time where both our lives are threatened and some of us are forced to remember a terrible event and wish to withdraw for the day?

Cordially,
Lunorian
This is a situation where the developers cannot win. If they wait to release the fix, then it is still very much out there and exploitable. The repository is public, so it's not like they can hide it from the public.

Alternatively, they release it, but people are busy.

In the end, releasing is the better option. Would you rather:

A. Have thousands of websites be vulnerable because they waited. Or...
B. Allow thousands of sites to be protected, while some may have to wait due to specific circumstances.

Personally, I prefer option B.
Hi,

and not all MyBB forums are hosted in the USA.

Even though those updates are created by people, they have to fix vulnerabilities ASAP, because maybe someone is using it before the fix/update.
Are you really implying the team should check World news prior to releasing a new version? May as well check train and flight cancellations too whilst they’re at it. This is absurd. I’d also advise not disclosing your forum version publicly.
There is simply no right time to publish a security release. While some users might be able to update their forums instantly others are on vacation or simply sleeping because it's happening in the middle of the night for them.
Also because MyBB is open source there is no way not to disclose vulnerabilities when releasing a new version.
Even if the team go for major world issues and find a better peaceful slot to release and disclose a security issue, people like OP will extend it to:
"Shame MyBB team, you have 2 billion users, 37 of the webmasters had broken their legs and been hospitalized, 29 webmasters were newly married and were on honeymoon, 386 were dead drunk enjoying parties and 1 of them was trapped by a panther on an African safari while you released the patch and disclosure. Who's gonna take the responsibility if any of the installations gets compromised?" (or likewise) ...
Or, I was eating my dinner when the release was done so you left my forum vulnerable because I was eating.

In no way are we saying that 9/11 is not important because of course it is a tragic moment but the principle is still the same.

It's yet another escape_string() issue, not the first (in this file), and not the last (in this file, too).

The solution is of course to escape / prepare statements in $db, not all over the place.

Unfortunately, easier said than done. But it has to be done at some point.

Or we'll never see the end of such issues.
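To make the point of the post above concrete, here is an added illustration (not MyBB's code, and the Db class is a hypothetical wrapper rather than MyBB's $db): a call site that escapes by hand at every query, beside a database layer that binds parameters once for every caller. It uses PDO with an in-memory SQLite database so it runs stand-alone; the users table and its single row are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added illustration, not MyBB code. Db is a hypothetical wrapper standing in for
// "prepare statements in the database layer". It runs on an in-memory SQLite
// database via PDO; the table and row created below are constructed sample data.

final class Db
{
    private PDO $pdo;

    public function __construct()
    {
        $this->pdo = new PDO('sqlite::memory:');
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    public function exec(string $sql, array $params = []): void
    {
        $this->pdo->prepare($sql)->execute($params);
    }

    // Callers pass SQL with placeholders plus the values; binding happens here,
    // once, so no call site can forget to escape.
    public function fetchAll(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    // Exposed only so the fragile pattern can be shown side by side.
    public function raw(): PDO
    {
        return $this->pdo;
    }
}

// Fragile pattern the post is about: every call site escapes by hand, so each one
// is a place where the escape can be missed. Here the second value goes in raw.
function find_uid_adhoc(PDO $pdo, string $username, string $email): ?int
{
    $u = $pdo->quote($username);                        // escaped at this site ...
    $rows = $pdo->query("SELECT uid FROM users WHERE username = $u AND email = '$email'")
                ->fetchAll(PDO::FETCH_ASSOC);           // ... but not for $email
    return $rows ? (int) $rows[0]['uid'] : null;
}

// Centralised pattern: no escaping in application code at all.
function find_uid_prepared(Db $db, string $username, string $email): ?int
{
    $rows = $db->fetchAll(
        'SELECT uid FROM users WHERE username = :u AND email = :e',
        [':u' => $username, ':e' => $email]
    );
    return $rows ? (int) $rows[0]['uid'] : null;
}

$db = new Db();
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$db->exec('INSERT INTO users (username, email) VALUES (:u, :e)',
          [':u' => "o'brien", ':e' => "o'brien@example.com"]);   // constructed row

// A perfectly legitimate value containing an apostrophe breaks the hand-rolled
// query (SQL syntax error), while the parameterised query returns the row.
try {
    find_uid_adhoc($db->raw(), "o'brien", "o'brien@example.com");
    echo "adhoc: ok\n";
} catch (PDOException $e) {
    echo "adhoc: query broke on an apostrophe in the input\n";
}
echo 'prepared: uid ' . find_uid_prepared($db, "o'brien", "o'brien@example.com") . "\n";
```

The benign input is enough to show the fragility: a missed escape is a correctness bug before it is anything else, and a reviewer can only catch it by inspecting every query in every file. With binding done inside the wrapper, the review question shrinks to "does any code bypass the wrapper?", which is a much smaller surface to audit than every call to escape_string().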
(dat vibro-femote @Ben)
Notification reachability is a valid point, but most practical solutions would include automated updates and pre-release announcements with initial statistics on security issues & approximate release dates instead - both pose challenges, one mostly technical and the other mostly organizational, but we intend to have them in place once the groundwork is done.

As mentioned it's hard to avoid disclosing what changes in the codebase have been applied (and since we provide full source code, the repository is updated soon after notifications are sent out), but we have/recommend a soft embargo on full vulnerability details:
https://mybb.com/security wrote:
"We recommend delaying the publication by at least 14 days starting from the day the solutions were officially published to give administrators time to update their installations before exploitation methods are widely known."