2019-06-16, 01:01 AM
So the latest 1.8.21 update fixes some very high-risk exploits. Everyone appreciates the release so we can patch our sites, but I found this today:
https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/
Turns out the MyBB team knew about these high-risk vulns about 6 weeks before the update. That's 6 weeks someone out there could have used those exploits to pwn every MyBB install.
MyBB has a policy of keeping reported vulns private until they release an update. This is a problem imho. It assumes many things.
1. That the person reporting the exploit is the one who found it.
2. That the person reporting isn't malicious.
3. That the person reporting won't tell others.
4. That no one else will find the exploit.
This is flawed thinking based on trust and assumptions. It's the wrong policy and I am asking that MyBB consider an immediate change.
Things I'd like to see.
1. A public notice of a security vulnerability within 48 hours of confirmed exploit.
2. A patch of that exploit within 7 days.
Some of us rely on our MyBB forums as part of our business. If the team is aware of an exploit, their duty is to release it publicly, not to hide it for 6 weeks while we risk our livelihoods and reputation.
Please, consider an immediate change to the policy. I hope I get support from the community on this. MyBB often moves too slowly and this is important.
And please don't argue that if you make a vulnerability public before a patch is made you risk the site being exploited. This week at least 3 sites that I know of were taken offline because of the 1.8.21 release. If you're a lazy admin who doesn't pay attention, that's on you.