MyBB Community Forums

Full Version: Security
Hi,

I have a question about MyBB's security. On your Features page, the first thing that is mentioned is security. I did some research on this subject, but I'm not convinced yet.

In the past, MyBB has not proved to be very secure. Secunia has a lot of MyBB vulnerabilities listed. http://secunia.com/advisories/search/?search=mybb

I also looked at the code, but I am missing some things, like centralized database security (to prevent SQL injection), centralized output security (to prevent XSS) and centralized authorization.

I don't mean this to offend, but for a project that claims to be secure, I can't find much to back this up. I hope someone can give me some proof of why this project is more secure than, for example, phpBB.
How about this:

http://secunia.com/advisories/search/?search=phpbb

Smile

Nothing is secure, remember that. Everything has vulnerabilities...
Actually phpbb isn't the best example anymore. With phpbb3 the security was really tight.

However MyBB has only had 4-5 security issues this year and they were corrected in a very timely manner. We even had an audit with the 1.4 release which caught a few things but it even missed some things. Just the fact that they had an expensive audit should show how much they care about security.
(2009-11-21, 08:23 PM)Hiawatha Wrote: Hi,

I have a question about MyBB's security. On your Features page, the first thing that is mentioned is security. I did some research on this subject, but I'm not convinced yet.

In the past, MyBB has not proved to be very secure. Secunia has a lot of MyBB vulnerabilities listed. http://secunia.com/advisories/search/?search=mybb

I also looked at the code, but I am missing some things, like centralized database security (to prevent SQL injection), centralized output security (to prevent XSS) and centralized authorization.

I don't mean this to offend, but for a project that claims to be secure, I can't find much to back this up. I hope someone can give me some proof of why this project is more secure than, for example, phpBB.

Everything's escaped before being inserted into the database and everything's sanitized before being output to avoid XSS injections. Not sure what you mean by centralized authorization though
No software like this is ever 100% secure. We've had 2 high risk vulnerabilities found in over a year, that's not exactly a lot. We've had a lot of people saying their phpBB forum 'is constantly getting hacked', we don't get that many people getting hacked on MyBB. Almost all the people who get hacked are running old versions with known vulnerabilities, if we release a patch but people don't use it, and then get hacked, there isn't much we can do; there was an exploit in 1.4.6, it was patched quickly, some people were getting hacked two months later, still running 1.4.6. Some people have still been running something like 1.4.0 or 1.4.1, i.e. from before the audit, or versions many months old. Sometimes people have given files/folders unnecessarily high permissions, used bad passwords etc, or they've been hacked via a 3rd party script somewhere on their server. You won't find many support threads here about someone being hacked using the latest version and the cause being found to be in core MyBB, before the patch had been released, but many more about people running older versions.
(2009-11-21, 08:49 PM)Pirata Nervo Wrote: Everything's escaped before being inserted into the database and everything's sanitized before being output to avoid XSS injections. Not sure what you mean by centralized authorization though

But is there proof for what you are saying? There is a very big difference between 'secure code' and 'proven secure code'. I'm sure MyBB's code is secure, but it sure ain't proven secure. Take the database queries for example. I opened a random file: newreply.php. It contains several SQL queries in which parameters are inserted directly into the query. To make sure those insertions are safe, I have to trace every parameter to verify that its content is safe.

A 'proven secure' application applies easy-to-verify safety rules. For example, it contains a database driver which offers secure communication with a database and applies a simple check that every query is done via this database driver. The only thing an auditor has to do is to verify the database driver and do the 'simple check' (should be as simple as, for example, a grep on the code). This does not apply to MyBB.
(2009-11-21, 09:13 PM)Hiawatha Wrote:
(2009-11-21, 08:49 PM)Pirata Nervo Wrote: Everything's escaped before being inserted into the database and everything's sanitized before being output to avoid XSS injections. Not sure what you mean by centralized authorization though

But is there proof for what you are saying? There is a very big difference between 'secure code' and 'proven secure code'. I'm sure MyBB's code is secure, but it sure ain't proven secure. Take the database queries for example. I opened a random file: newreply.php. It contains several SQL queries in which parameters are inserted directly into the query. To make sure those insertions are safe, I have to trace every parameter to verify that its content is safe.

A 'proven secure' application applies easy-to-verify safety rules. For example, it contains a database driver which offers secure communication with a database and applies a simple check that every query is done via this database driver. The only thing an auditor has to do is to verify the database driver and do the 'simple check' (should be as simple as, for example, a grep on the code). This does not apply to MyBB.

Not exactly, MyBB can be secure without something that escapes automatically everything before a query is executed, as long as the data is escaped before the queries are executed.

There are handlers like user handlers and post handlers which are responsible for escaping and verifying inputted data before being inserted into the database. Not everything has a respective handler, that's why MyBB provides a variety of functions (for example escape_string($var), which is part of the database class) that are used to escape data before being inserted into the database (or used in queries).

If you take a look at the init.php file, you'll notice that some security measures are taken before inputted data is used by the rest of the MyBB code.

I'm not a MyBB developer, I'm a plugin developer, so I am not the correct person to answer some of your questions, but I have some in-depth knowledge of how MyBB works.
As you said before regarding Hiawatha, "prove that MyBB is not safe".
(2009-11-21, 08:23 PM)Hiawatha Wrote: Hi,

I have a question about MyBB's security. On your Features page, the first thing that is mentioned is security. I did some research on this subject, but I'm not convinced yet.

In the past, MyBB has not proved to be very secure. Secunia has a lot of MyBB vulnerabilities listed. http://secunia.com/advisories/search/?search=mybb

I also looked at the code, but I am missing some things, like centralized database security (to prevent SQL injection), centralized output security (to prevent XSS) and centralized authorization.

I don't mean this to offend, but for a project that claims to be secure, I can't find much to back this up. I hope someone can give me some proof of why this project is more secure than, for example, phpBB.

Our current codebase doesn't offer "automated" or a "centralized" security core. In MyBB 2.0 we plan to correct that.

As for your Secunia search page, I ask you how many of those vulnerabilities are real, how old are they, and what were our response times to fixing them?

As for the security of MyBB, MyBB is very secure. Just because it doesn't have a "centralized" security core does not mean that the software is riddled with vulnerabilities. If you find a vulnerability, please use the appropriate contact form on the MyBB website. Any issues are addressed in a very fast manner.

Thanks,
Ryan
(2009-11-21, 09:21 PM)Pirata Nervo Wrote: As you said before regarding Hiawatha, "prove that MyBB is not safe".
Just follow the Secunia link I posted earlier and you have your proof. I know, those issues are fixed, but it shows that a secure core is missing, otherwise those vulnerabilities wouldn't have existed.

(2009-11-21, 09:24 PM)Ryan Gordon Wrote: As for your Secunia search page, I ask you how many of those vulnerabilities are real, how old are they, and what were our response times to fixing them?
I have used Secunia for many years to verify the security status of software and they have proven to me to be trustworthy, but that's just my opinion. Even a single mention on secunia.com is enough for me to be alert for a project's security status.

(2009-11-21, 09:24 PM)Ryan Gordon Wrote: As for the security of MyBB, MyBB is very secure. Just because it doesn't have a "centralized" security core does not mean that the software is riddled with vulnerabilities. If you find a vulnerability, please use the appropriate contact form on the MyBB website. Any issues are addressed in a very fast manner.
I don't say that MyBB is riddled with vulnerabilities. But I hope that you understand the difference between 'secure code' and 'proven secure code'.


But again, I don't mention this to offend anyone. Just trying to get a good view of this project. What's the status for 2.0? Is there anything I can help with? I don't have time to do actual programming. But how about some design ideas or security auditing? I'm building my own secure CMS, called Banshee. ( http://www.hiawatha-webserver.org/banshee ) Maybe my design ideas can help MyBB. Please, take a look at my database drivers. It will give you an idea of what I mean with 'centralized database security'. The only thing an auditor has to do is audit the database driver, make sure everything is done via this driver (a 'grep -r mysql_query *' should return only one hit: the database driver) and that all queries are text-only, no included variables. I hope you agree that that's a lot easier than tracing all the variable includes in the MyBB code.
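As an added illustration (not code from this thread, from MyBB or from Banshee) of the 'simple check' Hiawatha describes, run against the escape-then-interpolate style Pirata Nervo describes: a small Python audit over constructed PHP snippets that enforces two rules, only the driver file may call mysql_query(), and every query handed to the driver must be a single string literal with no PHP variable inside it. The file names, the snippets and the driver's query($sql, $params) signature are all constructed for the example.

```python
import re

# Constructed PHP snippets standing in for files of a forum codebase; they are
# not MyBB's real code, only the shapes of the patterns discussed in the thread.
SAMPLE_FILES = {
    "inc/db_mysql.php": """
class DB_MySQL {
    // the only place allowed to talk to the MySQL extension directly
    function query($sql, $params = array()) { return mysql_query($sql, $this->link); }
    function escape_string($s) { return mysql_real_escape_string($s, $this->link); }
}
""",
    "newreply.php": """
$tid = intval($mybb->input['tid']);
$db->query("SELECT * FROM threads WHERE tid='$tid'");
$subject = $db->escape_string($mybb->input['subject']);
$db->query("INSERT INTO posts (subject) VALUES ('" . $subject . "')");
""",
    "member.php": """
$db->query("SELECT uid FROM users WHERE username=?", array($mybb->input['username']));
""",
    "plugins/rogue.php": """
$name = $_GET['name'];
mysql_query("SELECT * FROM users WHERE username='$name'");
""",
}

DRIVER_FILE = "inc/db_mysql.php"
DIRECT_CALL = re.compile(r"\bmysql_query\s*\(")       # the 'grep -r mysql_query *' rule
QUERY_CALL = re.compile(r"->query\s*\((.*)\)\s*;")    # whole argument list of ->query(...)
FIRST_LITERAL = re.compile(r"""^\s*(?:"([^"]*)"|'([^']*)')\s*(?:,|$)""")
PHP_VAR = re.compile(r"\$\w+")                        # a PHP variable token in query text

def audit(files, driver=DRIVER_FILE):
    """Return (path, line, problem) for every violation of the two rules."""
    findings = []
    for path, src in files.items():
        for lineno, line in enumerate(src.splitlines(), 1):
            if path != driver and DIRECT_CALL.search(line):
                findings.append((path, lineno, "direct mysql_query() call outside the driver"))
            call = QUERY_CALL.search(line)
            if not call:
                continue
            lit = FIRST_LITERAL.match(call.group(1))
            if not lit:
                findings.append((path, lineno, "query text is not a single string literal"))
            elif PHP_VAR.search(lit.group(1) or lit.group(2) or ""):
                findings.append((path, lineno, "variable interpolated into query text"))
    return findings

if __name__ == "__main__":
    for path, lineno, problem in audit(SAMPLE_FILES):
        print(f"{path}:{lineno}: {problem}")
```

Note that newreply.php is flagged even though both of its values were escaped or cast first: the check never has to trace them, which is exactly the point of the rule. Only member.php, which passes its parameter separately from a literal query, is clean.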
www.hackforums.net

Well without making a long long long long post, I hope that is quite explanatory on how we are secure. We have some mad hackers going at the forum, making MyBB much more secure. I can think of 3 major updates that happened because of it being attacked and stopped by its admin.

MyBB is really secure. Can it get more? Hell yes. Is it worth the extra code, that not all people may understand or use for that matter? That's up for the team to say what is needed. If you wanted to, you could make a perfect site, that is uncrackable. Would it ever finish loading after every security check? I dunno.