MyBB Community Forums

Full Version: User access rights/security
Hi!

I discovered myBB several weeks ago and found it a great system to implement plugins without changing any line of code. I'm already writing a plugin for phpBB for synchronisation issues that I will migrate to myBB.

The plugin was made especially for a dedicated site that is running phpBB by now. The question now is if myBB is capable of replacing phpBB.

I asked in a phpBB forum (my opinion is to ask where the most enthusiastic users are - just to make sure that they know everything about their own system).

There were two things that I need to make sure of before proposing a change of our system.

First one: in myBB it doesn't seem to be possible to give special rights to a dedicated user - rights are always given to groups. Is there a change in sight? (with a new version?)

Second: Looking at security issues there are open problems according to that site:
http://secunia.com/advisories/product/44...statistics

phpBB has none (and much less overall)
http://secunia.com/advisories/product/17...statistics

Is myBB less secure?

Michael
(2010-05-10, 12:13 PM)ike Wrote: [ -> ]I'm already writing a plugin for phpBB for synchronisation issues that I will migrate to myBB.
Do you mean to convert from phpBB to MyBB? Because we already have a merge system http://www.mybboard.net/downloads/merge-system

(2010-05-10, 12:13 PM)ike Wrote: [ -> ]First one: in myBB it doesn't seem to be possible to give special rights to a dedicated user - rights are always given to groups. Is there a change in sight? (with a new version?)

Do you mean for administrators or regular users? Because you can go ACP > Users & Groups > Admin Permissions and edit the administration permissions for each of your administrators individually. If you mean on a per user basis, you can just make a usergroup specifically for that user.

(2010-05-10, 12:13 PM)ike Wrote: [ -> ]Second: Looking at security issues there are open problems according to that site:
http://secunia.com/advisories/product/44...statistics
I can assure you that security is taken very seriously by the developers. Those statistics aren't a very good indication of security (it even has a disclaimer on that site about it) because it includes all versions of MyBB from 1.0 - 1.4 and given the way our version system works this is actually a huge version span, of 3 major versions and over 30 minor versions. I can't actually find what that unpatched vulnerability they mention is but I assume it is from a very old version of MyBB support was ceased for years ago and there are currently no known outstanding vulnerabilities within the supported versions of MyBB. I can also tell you that MyBB 1.4 has been subject to a full Security Audit by http://www.gulftech.org/ and a member here runs the largest "above ground" hacking forum safely on the MyBB platform (the forum has over 3 million posts and almost 200,000 members). Further to this, even when a vulnerability is identified the developers go to huge lengths to patch it as soon as possible, I know in one specific example a developer here paid $13 at an internet cafe while on holidays just to contribute to a patch on a relatively obscure vulnerability. Overall I would say that MyBB is one of the most secure platforms available.
To defend the mybb vs phpbb security comparison a little further.

I would say remember 2.x of phpbb. 3 is pretty new while mybb has been on 1.x for a long time now. And, because of that probably has a little bit of old code that could be removed or updated. Hopefully with 2.0 MyBB will be more secure from version .0 as well the project will have more experienced developers and will be using the latest practices instead of updating an older system of practices that used to be standard.
Hi!
(2010-05-10, 12:43 PM)TimB. Wrote: [ -> ]
(2010-05-10, 12:13 PM)ike Wrote: [ -> ]I'm already writing a plugin for phpBB for synchronisation issues that I will migrate to myBB.
Do you mean to convert from phpBB to MyBB? Because we already have a merge system http://www.mybboard.net/downloads/merge-system
No, it's a synchronisation tool to synchronize a forum with a newsserver. I already found the merge system and it seemed to work great.
Quote:
(2010-05-10, 12:13 PM)ike Wrote: [ -> ]First one: in myBB it doesn't seem to be possible to give special rights to a dedicated user - rights are always given to groups. Is there a change in sight? (with a new version?)

Do you mean for administrators or regular users? Because you can go ACP > Users & Groups > Admin Permissions and edit the administration permissions for each of your administrators individually. If you mean on a per user basis, you can just make a usergroup specifically for that user.
Okay. So I have to make it on a group basis. What happens with the access rights when converting from phpBB to myBB? Are they converted to individual groups?
Quote:Those statistics aren't a very good indication of security (it even has a disclaimer on that site about it) because it includes all versions of MyBB from 1.0 - 1.4 and given the way our version system works this is actually a huge version span, of 3 major versions and over 30 minor versions. I can't actually find what that unpatched vulnerability they mention is
It's this one: http://secunia.com/advisories/38941/
Quote:but I assume it is from a very old version of MyBB
No: "The vulnerability is confirmed in version 1.4.11. Other versions may also be affected."
Quote:I can also tell you that MyBB 1.4 has been subject to a full Security Audit by http://www.gulftech.org/
Okay.
Quote:Overall I would say that MyBB is one of the most secure platforms available.
In my opinion FUDForum is more secure :) - but it lacks several features that are crucial for replacing our current system.

Michael
(2010-05-10, 01:08 PM)ike Wrote: [ -> ]It's this one: http://secunia.com/advisories/38941/

While one of the developers would have to confirm for sure if it had been patched or not, firstly it targets an old version and there is a high chance it has been patched in one of the two newer versions. Secondly I would consider that a very low risk because it would either require ACP access in the first place or you would have to specifically upload a theme that had the malicious code in it and this is no more likely than if someone included a Javascript file that captured login form input and sent it to a remote server in their theme.
I can confirm this bug/security problem. Well I know ryan has but they actually need Admin Access to the templates to perform this. So if you don't completely trust one of your admins simply don't give them access to the templates/themes and that security issue will never be a problem.

I'm not saying it shouldn't be fixed. But, it's pretty low and relies on someone having admin access.
It's an issue and it's been discussed in this thread, specifically in this post:
http://community.mybboard.net/thread-664...#pid477928

However, I still believe MyBB is very secure.
Not sure how this issue could be fixed, maybe check for the assert function in the theme when importing it?