Discuss: MyBB Security Update Blitz
#11
Security first. Everything second

(When life needs it, mastercard is there)

sorry, just thought I'd throw that in xD
#12
WDZ Wrote:
Quote:Versions will be released appending to the current MyBB 1.0 series. For example, MyBB 1.04, 1.05 and so on.

It also means you should keep a close eye on the MyBB forums for the next few weeks ...
So does this mean that MyBB 1.2 won't be released for at least "a few weeks"? :P

It doesn't make much sense to me why you'd start focusing on the MyBB 1.0 code now, when so many bugs have already been fixed in the 1.2 code... wouldn't your time be better spent trying to get 1.2 out ASAP?

No, because then bugs and security exploits in 1.0 will be in 1.2 too.
#13
WDZ Wrote:It doesn't make much sense to me why you'd start focusing on the MyBB 1.0 code now, when so many bugs have already been fixed in the 1.2 code... wouldn't your time be better spent trying to get 1.2 out ASAP?

1.2 isn't a complete rewrite of the code, so there is still going to be code from 1.0 and before, and it may still contain bugs :(
Dennis Tsang
Former MyBB Team Member
Web: http://dennistt.net
#14
Our focus is on the 1.2 code, however any issues we find will also be fixed for 1.0 due to 1.2 being a while away.
#15
Chris Boulton Wrote:
Lee™ Wrote:This is very unprofessional, since something like this should be done daily (in terms of staff analysing code). :rolleyes:
We can't just analyse over 10,000 lines of code and expect to find "every little thing".

The recent exploits, especially the one which required PHP's register_globals to be turned on, are very difficult to spot - especially since they only occur under certain server conditions.

We do analyse code daily too, we analyse new code that is coming in to MyBB. We still have the old code which needs to be looked after too.

So why not include a ".htaccess" with MyBB in the Package that turns off register_globals?
#16
Marc O' Connor Wrote:So why not include a ".htaccess" with MyBB in the Package that turns off register_globals?
That won't work with all hosts, as some do not allow editing the PHP configuration via .htaccess.
Greets,
Michael
#17
I'm shocked people are still running code with register_globals turned on. I've totally reworked my php.ini file to remove all the general security holes I could think of. It also involved removing cookies as a source for the $_REQUEST superglobal.

Speaking of register_globals, I think we should change the extract calls in inc/init.php to include a prefix. As is, it mimics register_globals (and we all know how dangerous that is, right?).
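The extract() concern raised in the post above, shown as an added PHP example (not MyBB's own inc/init.php code): a bare extract() on request data lets the client overwrite variables the script already set, which is exactly what register_globals did, while EXTR_SKIP or a prefix removes that collision. $request is a constructed stand-in for $_REQUEST so the script runs from the command line.

```php
<?php
// Added example, not MyBB code. $request simulates $_REQUEST: a client
// has sent "page" (expected) and "is_admin" (not expected).
$request = ['page' => 'index', 'is_admin' => '1'];

// Weak: the script decides $is_admin, then extract() imports untrusted
// keys as variables and silently replaces it. This is register_globals
// behaviour reproduced in userland.
function weak_extract(array $request): array
{
    $is_admin = false;           // decided by the application
    extract($request);           // $is_admin now comes from the client
    return ['is_admin' => $is_admin, 'page' => $page ?? null];
}

// Hardened 1: EXTR_SKIP never overwrites a variable that already exists,
// so application state wins over request data.
function skip_extract(array $request): array
{
    $is_admin = false;
    extract($request, EXTR_SKIP); // $is_admin untouched, $page created
    return ['is_admin' => $is_admin, 'page' => $page ?? null];
}

// Hardened 2: EXTR_PREFIX_ALL namespaces every imported key, so request
// data can never collide with the script's own variable names.
function prefixed_extract(array $request): array
{
    $is_admin = false;
    extract($request, EXTR_PREFIX_ALL, 'req'); // $req_page, $req_is_admin
    return ['is_admin' => $is_admin, 'page' => $req_page ?? null];
}

var_dump(weak_extract($request)['is_admin']);      // client-controlled
var_dump(skip_extract($request)['is_admin']);      // still the app's value
var_dump(prefixed_extract($request)['is_admin']);  // still the app's value

// Related php.ini hardening mentioned in the thread (PHP 5.x era):
//   register_globals = Off   (removed entirely in PHP 5.4)
//   request_order = "GP"     (PHP 5.3+: build $_REQUEST from GET and POST
//                             only, so cookies cannot feed it)
```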
#18
Edit: the extracts have already been removed from the next release.
Dennis Tsang
Former MyBB Team Member
Web: http://dennistt.net
#19
Any idea when we can expect a new release, if not for anything more than the security issues?
#20
PhaTTy Wrote:Any idea when we can expect a new release, if not for anything more than the security issues?
http://wiki.mybboard.net/index.php/Versions