MyBB

Ryan Gordon · 2006-02-15, 10:21 PM

Security first. Everything second

(When life needs it, mastercard is there)

sorry, just thought I'd throw that in xD

Lee69 · 2006-02-16, 05:07 PM

WDZ Wrote:
Quote:Versions will be released appending to the current MyBB 1.0 series. For example, MyBB 1.04, 1.05 and so on.

It also means you should keep a close eye on the MyBB forums for the next few weeks ...
So does this mean that MyBB 1.2 won't be released for at least "a few weeks"?

It doesn't make much sense to me why you'd start focusing on the MyBB 1.0 code now, when so many bugs have already been fixed in the 1.2 code... wouldn't your time be better spent trying to get 1.2 out ASAP?

No, because then bugs and security exploits in 1.0 will be in 1.2 too.

Dennis Tsang · 2006-02-17, 12:19 AM

WDZ Wrote:It doesn't make much sense to me why you'd start focusing on the MyBB 1.0 code now, when so many bugs have already been fixed in the 1.2 code... wouldn't your time be better spent trying to get 1.2 out ASAP?

1.2 isn't a complete rewrite of the code, so there are going to still be code from 1.0 and before, and may still contain bugs Sad

Chris Boulton · 2006-02-17, 04:14 AM

Our focus is on the 1.2 code, however any issues we find will also be fixed for 1.0 due to 1.2 being a while away.

Marc O' Connor · 2006-02-17, 03:48 PM

Chris Boulton Wrote:
Lee™ Wrote:This is very unprofessionally, since something like this should be done daily (in terms of staff analysing code).
We can't just analyse over 10,000 lines of code and expect to find "every little thing".

The recent exploits, especially the one which required PHP's register_globals to be turned on, are very difficult to spot - especially since they only occur under certain server conditions.

We do analyse code daily too, we analyse new code that is coming in to MyBB. We still have the old code which needs to be looked after too.

So why not include a ".htaccess" with MyBB in the Package that turns off register_globals?

Michael S. · 2006-02-17, 06:55 PM

Marc O' Connor Wrote:So why not include a ".htaccess" with MyBB in the Package that turns off register_globals?

That't won't work with all hosts as some do not allow to edit the php configuration via htaccess.

laie_techie · 2006-02-23, 06:12 AM

I'm shocked people are still running code with regester_globals turned on. I've totally reworked my php.ini file to remove all the general security holes I could think of. It also involved removing cookies as a source to the $_REQUEST super global.

Speaking of register_globals, I think we should change the extract calls in inc/init.php to include a prefix. As is, it mimics register_globals (and we all know how dangerous that is, right?).

Dennis Tsang · (This post was last modified: 2006-02-23, 06:45 AM by Dennis Tsang.)

Edit: the extracts have already been removed from the next release.

PhaTTy · 2006-05-31, 07:00 PM

Any idea when we can expect a new release, if not for anything more than the security issues?

Christian · 2006-05-31, 07:49 PM

PhaTTy Wrote:Any idea when we can expect a new release, if not for anything more than the security issues?

http://wiki.mybboard.net/index.php/Versions

Login
Username:
Password:	Lost Password?
	Remember me