MyBB Vulnerability Releases
#11
What about admins who do not upgrade the MyBB forum software for 6-7 years?

Some websites are still using the MyBB 1.6.xx series.

What is MyBB.com supposed to do about those?
I'm Serpius and You're Not    ¯\_(ツ)_/¯
#12
(06-16-2019, 09:20 PM)Euan T Wrote: True, but do you log in to the ACP every day?

Yes.

(06-17-2019, 05:53 PM)Devilshakerz Wrote: MyBB at this time maintains 3 official, separate announcement channels which administrators can (and should) subscribe to. Any out-of-band notification, announcement, patch, or leak would unnecessarily endanger end users, administrators, and servers.

3?

  1. MyBB Blog.
  2. MyBB Security Twitter which just tweets the link to MyBB blog posts.
  3. MyBB Twitter which mainly just tweets the link to MyBB blog posts. In the past year only two tweets were not linked to MyBB Blog posts. One talking about mybb.com's new design and one talking about MyBB 1.9 theme progress.

So really there is the MyBB blog and then Twitter accounts that link to the blog.

-

While never having been a part of the MyBB team, I have written code for MyBB for a long time. I'm going to try to give a clear and concise opinion on how I would imagine the flow of events for security conflicts:
  • MyBB receives notice of a security vulnerability.
  • MyBB actively works towards finding a solution. If the team alone cannot find a solution then a trusted 3rd party is contacted for assistance. If no solution, outside assistance, or trusted party can be found then MyBB has an obligation to immediately release security vulnerability details to the community so that somebody can quickly find a solution.
  • Once a solution is provided the MyBB team can provide step-by-step patch instructions (queries, code changes, template changes) AND also a security fix script for those who prefer an automatic process. This should be done as soon as a working, tested solution has been found. Both should be provided because some admins are able to use upgrade/fixit scripts and some admins manually apply patches.

Of course not every vulnerability needs this level of due diligence... but some do.

I like to consider vulnerability reports as public knowledge. I don't assume that nobody else knows of the vulnerability. People brag. People talk. If the MyBB team receives a vulnerability report then you simply cannot assume that a non-malicious party doesn't have the same knowledge. Security teams can report an issue to you and still use it to their advantage. Or they can disclose security details to additional parties beyond the MyBB team.

This is my outlook on security for an open source project. Everybody has a different stance on the subject but as a developer and long-term MyBB member I would like to share mine.
Developer @ HF for labrocca
#13
The other issue that everyone needs to consider is this...

Poorly coded plugins that make the whole website vulnerable.

This screenshot below is found on https://www.exploit-db.com/

Yea, yea, I know most of those are considered low-level exploits, but it still makes the website vulnerable. 

[Image: 97bda276b8974ac10709a572b48ed089.png]
I'm Serpius and You're Not    ¯\_(ツ)_/¯
#14
(06-17-2019, 08:12 PM)Serpius Wrote: What about admins who do not upgrade the MyBB forum software for 6-7 years?

Some websites are still using the MyBB 1.6.xx series.

What is MyBB.com supposed to do about those?
It's their fault, not mybb's.
#15
(06-17-2019, 08:08 PM)labrocca Wrote: @Devilshakerz, your reply is statements about how the system works but does not address potential changes (improvements imho) nor does it even provide your personal viewpoint on the matter.

As mentioned earlier, we also receive feedback on the other extreme (Full Disclosure vs No Disclosure), hence the general overview - feel free to criticize any point, and we'll include that in redesigning workflows for future branches.

Quote:@Devilshakerz, Do you believe that 6 weeks after a high-risk exploit is reported to MyBB is a reasonable time to notify the admins? A simple yes or no would suffice.
If you have release times in mind, reducing the discovery-to-solution period is one of the goals of organization & workflow changes.

If you mean pre-release heads-ups, both administrators and adversaries can prepare for more details, which are available immediately since MyBB is not a compiled application.

Quote:It's my view that anything that puts the admins into this situation should be high priority for the team. And if it's not then I think everyone should be aware of this and not report vulns to MyBB anymore and just make them public to force action. MyBB needs to at the very least review and discuss openly this policy.
(06-17-2019, 08:15 PM)xerotic Wrote: If no solution, outside assistance, or trusted party can be found then MyBB has an obligation to immediately release security vulnerability details to the community so that somebody can quickly find a solution.

Increasing priority for issues doesn't create blocks of available time for Team members; anyone is welcome to Get Involved to help.

Inexperienced administrators, who are part of MyBB's target audience, would be at a significant disadvantage when information on vulnerabilities is available without a solution they could apply. Disclosure coordination transforms anarchy into solutions that are universal and standardized.
It might help us understand your position better, @labrocca, if you clarify whether you generally agree with this approach (or prefer no embargoes or coordination regardless of development & release times).

(06-17-2019, 08:15 PM)xerotic Wrote: So really there is the MyBB blog and then Twitter accounts that link to the blog.
ACP is also included as a channel; pushing announcements to Discord is also included in the workflow, but should not be relied upon as much.

(06-17-2019, 08:12 PM)Serpius Wrote: What about admins who do not upgrade the MyBB forum software for 6-7 years?

Some websites are still using the MyBB 1.6.xx series.

What is MyBB.com supposed to do about those?

End-of-life branches don't receive development nor security updates, and are not covered by the Program; this was underlined in 1.6's EOL announcements.
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
#16
(06-17-2019, 09:05 PM)Devilshakerz Wrote: Increasing priority for issues doesn't create blocks of available time for Team members; anyone is welcome to Get Involved to help.

Are these vulnerabilities (major security issues) public issues on Github for me to "get involved" in? Or are they hidden from the public so that I can't work on them?


(06-17-2019, 09:05 PM)Devilshakerz Wrote: Inexperienced administrators, who are part of MyBB's target audience, would be at a significant disadvantage when information on vulnerabilities is available without a solution they could apply. Disclosure coordination transforms anarchy into solutions that are universal and standardized.
It might help us understand your position better, @labrocca, if you clarify whether you generally agree with this approach (or prefer no embargoes or coordination regardless of development & release times).

You can't fix stupid. If you are afraid of making a blog post or reaching out to the greater MyBB community to fix a security vulnerability because you might confuse an inexperienced administrator then your priorities are wrong. Plus you are ignoring the greater aspects of my previous post. The condition for reaching out to the community if the team cannot solve the security vulnerability (either via lack of skill or time) is just that, a condition. Hopefully the time the team does have for the project can be prioritized to address security concerns FIRST. Lack of skill or time shouldn't give you a free pass to create a policy that leaves boards at risk for weeks or even months. That is absurd.
Developer @ HF for labrocca
#17
(06-17-2019, 09:26 PM)xerotic Wrote:
(06-17-2019, 09:05 PM)Devilshakerz Wrote: Increasing priority for issues doesn't create blocks of available time for Team members; anyone is welcome to Get Involved to help.

Are these vulnerabilities (major security issues) public issues on Github for me to "get involved" in? Or are they hidden from the public so that I can't work on them?

No; this includes joining the Team - in the case of security research we'd look at experience, past contributions (not necessarily limited to MyBB), and reputation.

Quote:If you are afraid of making a blog post or reaching out to the greater MyBB community to fix a security vulnerability because you might confuse an inexperienced administrator then your priorities are wrong. Plus you are ignoring the greater aspects of my previous post. The condition for reaching out to the community if the team cannot solve the security vulnerability (either via lack of skill or time) is just that, a condition.

This strategy is not expected to address public relations issues (we wouldn't emphasize vulnerabilities if we followed that path), but to provide all administrators with a patch ready to apply before details are published, to avoid putting adversary actors at an advantage. Requesting feedback to target a specific issue by publishing it would put them at risk.

This would be equivalent to resolving high-impact security problems by creating Issues on GitHub and waiting for Pull Requests: while administrators that observe the repository daily and are capable of applying suggested patches manually would benefit in this scenario, others (and their boards, including users) would be left vulnerable, which is not acceptable.

Coordination in this area allows us to cover all reasonable cases (i.e. we still expect administrators to follow security news, if not also development), and hopefully faster in the near future.
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
#18
(06-17-2019, 08:24 PM)Serpius Wrote: The other issue that everyone needs to consider is this...

Poorly coded plugins that make the whole website vulnerable.

This is about the core MyBB application, not stupid people who think they can code after a week and an echo "Hello World"; build.

If someone creates a plugin that makes a website vulnerable, that's on them, has nothing to do with MyBB.
#19
@Devilshakerz I have PM'd you with a reflected XSS vuln that has popped up on my forum. Curious if this is what labrocca is speaking about...
#20
(06-18-2019, 01:59 AM)Ben Cousins Wrote:
(06-17-2019, 08:24 PM)Serpius Wrote: The other issue that everyone needs to consider is this...

Poorly coded plugins that make the whole website vulnerable.

This is about the core MyBB application, not stupid people who think they can code after a week and an echo "Hello World"; build.

If someone creates a plugin that makes a website vulnerable, that's on them, has nothing to do with MyBB.

You are correct that those plugins are not directly connected to MyBB's core code, but many admins do download those plugins from MyBB's Extend page assuming that those plugins are safe to use, only to find out later that was not the case at all.

Those admins have put their website in a vulnerable position without realizing this.

Many of those plugins use hooks into MyBB's core code to function, which opens the back door to the website.
I'm Serpius and You're Not    ¯\_(ツ)_/¯
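The point made in the post above, that a plugin hooked into the core runs with the same reach as the core itself, is easiest to see in code. The following is an added illustration, not code from this thread or from the MyBB project: a minimal MyBB 1.8-style plugin with two versions of the same hook callback, one that drops request input into a template variable unescaped and one that escapes it first. `$plugins->add_hook`, `$mybb->get_input` and `htmlspecialchars_uni` are MyBB's real plugin API; the plugin name `greetbox`, its callbacks and the `$greeting` variable are assumptions constructed for the example.

```php
<?php
// Added example (not from this thread or the MyBB project). The two hook
// callbacks below differ only in whether visitor-supplied input is escaped
// before it can reach a template. $plugins->add_hook, $mybb->get_input and
// htmlspecialchars_uni are MyBB's real API; the plugin name, callbacks and
// the $greeting variable are constructed for this illustration.

if (!defined('IN_MYBB')) {
    die('Direct initialization of this file is not allowed.');
}

// Register on a core hook; a theme template could then place {$greeting}
// in the header, which is how many plugins expose their output.
$plugins->add_hook('global_intermediate', 'greetbox_build');

function greetbox_info()
{
    return array(
        'name'          => 'Greetbox (example)',
        'description'   => 'Shows how a hook callback should escape input.',
        'author'        => 'example',
        'version'       => '0.1',
        'compatibility' => '18',
    );
}

// Weak form: whatever the visitor passes in ?greet= becomes raw HTML.
// Because the hook runs inside MyBB's core request, the mistake is exposed
// on every page that renders {$greeting}, not just in the plugin's own files.
function greetbox_build_unsafe()
{
    global $mybb, $greeting;
    $greeting = 'Welcome, ' . $mybb->get_input('greet');
}

// Hardened form: same feature, but the value is escaped with MyBB's own
// helper before it can reach the template, and empty input is skipped.
function greetbox_build()
{
    global $mybb, $greeting;
    $greeting = '';
    $name = trim($mybb->get_input('greet'));
    if ($name === '') {
        return;
    }
    $greeting = 'Welcome, ' . htmlspecialchars_uni($name);
}
```

The only difference between the two callbacks is a single escaping call, which is why a quick review of the plugin's hook callbacks (what input they read, and whether every value is escaped on the way into a template or query) tells an admin more about a plugin's risk than anything on its Extend listing.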