Is MyBB more or less secure than SMF?

Hi there!
A friend of mine is running a forum on phpBB and I decided to let his forum be transfered to my server because his host is crappy.
But I made one condition: he must drop phpBB and go with either MyBB or SMF.
Him only knowing phpBB he has no idea which to choose.
I personally prefer the handling and features of MyBB, but I've heard good things about SMF being very secure.
And with security being a really important thing to me, I'd like to hear some opinions please.

There will be no add-ons/plugins used - it's just a simple forum.

 

I don't know much about the security of SMF but I want to say MyBB is indeed more secure. If not, there's nothing wrong with MyBB's security as far as I know. Justin, our MyBB mentor, will be able to expand on this for you.

 

I recommend that you try not to take a snapshot of this very second, or even the past week or month and use that as a basis for a security question.

mybb is new and its supposed to be secure.

smf is seasoned and is secure.

On other webmaster forums that I am a member of, I have been seeing more mybb forum owners asking for help because their site was hacked, then smf owners. Even in the official smf forum, I rarely see anyone post that their site has been hacked.

Because mybb is so new, its difficult to compare it to a seasoned piece of software like smf. sure, you can say that mybb is more secure. But what about next week or next month?

I would pick smf because of how the developers have dealt with security issues in the past. Usually a fix is released in a matter of days. And a temporary work around is posted the day the exploit is announced.

 

Thanks for the replies guys. Kevin you make some good points. Looking forward to some more posts though. A little pro/contra stuff. I'm sure there are SMF fans and MyBB fans around here just as there are IPB and vB fans.

How long has MyBB been around? And what are its roots (if any)? Same for SMF. How long has that been around?

 

MyBB for sure.

At the moment, I can't find the article for the questions you asked above that includes answers, but I am on the hunt.

However, I find MyBB more secure than SMF.

 

I'd be interested in hearing Justin's response to this question. Personally, I can't comment - I don't have nearly enough knowledge and/or experience when it comes to the security aspect of these two scripts.

 

I don't see this at all Kev. Usually when people are hacked they either have old versions or they run additional software. As the owner of HackForums.net which runs Mybb I can tell you that mybb is very secure.

 

I was hoping that you would find your way here. This forum needs a mybb spokes person and your the right person for the job.

You know me as ~kev~ at digitalpoint.

Welcome to the community.

 

I agree with Kevin. It's nice to have you, Labrocca! If you stick around, we wouldn't mind having another MyBB Mentor.

 

Welcome to AdminAddict, Labrocca!

I'm also glad to have you here; my sites are avid users of MyBBCentral!

 

MyBB is hardly "new" anymore. MyBB has roots back to 2002. MyBB 1.0 was released in December 2005. That's nearly 4 years ago. 1.2 was released in September 2006. 1.4, August 2008. Sure, it's newer compared to some of the other forum softwares, but it's definitely not "new."

Regarding security... I'm not going to compare it with SMF as I know nothing about SMF when it comes to security, but as labrocca said, MyBB is very secure. MyBB 1.4.2 was the result of a professional security audit.

(By the way, nice to see you here, labrocca! )

 

Oddly the latest 1.4.7 release yesterday was a security release. I had a breach at HackForums.net and upon investigating it along with Ryan Gordon of the Mybb Developer team we tracked it down. I can only assume a white hat group was testing the exploit on my site but apparently no harm was done.

As far as I know...the latest release has stopped any sites from being hacked. At least I hope that all the mybb users in this thread update asap. It's 2 files so please update.

This in no way means mybb is not secure. Bugs and security updates are common in all software. When I alerted Ryan about the breach we quickly worked to fix it and even though the security hole wasn't released public (milw0rm) Ryan recognized the need for an immediate security release and within an hour had it announced. That really impresssed me.

Mybb takes security very seriously. I know that SMF does as well but I can't say it's more or less secure. However the last time SMF had a public released security hole it took them about 3 days to release a patch. That's imho unforgivable.

In the 1.2x series Mybb was plagued with security issues but so were many software as XSS and SQL injection techniques grew more complex. Heck php itself had to really beef up it's own functions like mysql_escape_string which didn't do the job right.

Then a new IE image hole appeared which effects sites all across the web including popular image hosting scripts.

So basically these things happen and again...what's important imho is how serious the developers take security. Mybb takes its' security very seriously. It's free software and they paid for a legitimate security audit. That's impressive imho. That audit produced a great deal of changes and fixes that help secure mybb to this day.

The 1.4x series has had minimal security releases and I see very few "we got hacked" posts at their site. Yes they do happen but often it's a plugin, other software, the host, or outdated versions unpatched. None the fault of mybb.

 

I completely agree with your post, Labrocca, and yes, please do update!

We updated Bird is the Word yesterday, but have yet to update Setsou Design. We're waiting for something special.

 

I have the opposite opinion of having a fix released so fast - but I do not know the details of the exploit either.

When a security update is released, shouldn't it be reviewed by other developers before its released to the public?

Its important for things (anything in life) to go through a quality control measure and double checked before its released. But then again, this might have been a very simple fix that did not need to be double checked.

In defense of SMF and the 3 days - maybe that is how long the quality control measures took to run their course. But maybe not.

Before I got into computers, I worked in a welding shop. Everything we did was double checked by someone before the action was taken. Before a part was welded, it was checked by at least one more person that was qualified to double check the work. This was usually a someone from the Quality Control office. or it could have been a supervisor, or someone with several years experience.

The thing that I question, does smf and mybb have quality control measures in place. And that could explain the difference between a 1 day release and a 3 day release.

 

Yes and this mybb update was one line that was an obvious hole. One variable wasn't properly escaped. It had no effect on anything besides plugging the hole.

I agree about quality control but dammit...it was imho an emergency situation. milw0rm had a published exploit and dozens of sites were getting nailed. Their response was very slow. It makes you wonder how well the SMF dev team really knows their own code.

Mybb started a SQA (Software Quality Assurance) team this past year that does a great job of checking fixes. However a security update is very important. Having your site hacked is a serious threat. Some don't backup (stupid). Others have sensative information. Even some don't have the needed skills to fix their site after a breach.

Maybe mybb is built with a mid-level admin in mind. I am probably more adept than 90% of forum admins so having something simple isn't that important to me. I can fix just about anything. So maybe I am biased and for some Mybb is complex.


Before the update I am sure that he ran this past Chris Boulton before release. Like I said..it was essentially one line fix but vital.

 

No forum software can claim to be safe. The software can be safe one day and hacked the next.
As for 3 days, that's pretty fast to me. And when can the developers even say "it's a hack"? It's not something that happens from one moment to the next.

 

You're right, no software claims to be safe, but there are(can be) more vulnerabilities on one software than the other.

 

It really comes down to popularity. Who wants to hack a forum that is used by 20.000 users if you can hack a popular one used by 100.000.
I saw someone in here moaning about SMF not supporting Recapcha (there is a mod for that). Maybe I remember wrong, but as far as I know that captcha software has been hacked at least once. In the end, each software should have it's own sequrity controls to protect themselves.

 

I wouldn't really call SMF insecure. My own personal experience with a forum of ~1200 members has been that I was able to be literally weeks away from the forum and nothing collapsed. Ever since I started to manually validate all registrations, there has been no forum spam. Nada.

I was running the same version of SMF, without any updates, for around 4 years. During that time there were no successful hacking attempts. The forum must have been known to crooks, because spam scripts tried to flood it with automatic registrations numerous times, but with no success. So can't say it was because of the forum being well hidden.

My experiences with phpBB have been far worse. Especially everyone who remembers the 2.x series and all the repeated updates know what I speak of. It also speaks for itself very much that they even had to backport some structural fixes from Olympos, the back then future 3.0 release. SMF had the edge to phpBB, at least back then, because they started from scratch and had a healthy design right from the beginning. I very much believe the same goes for MyBB, despite I haven't yet run any site with it.

As for the original question, my advice isn't to ask if X is more secure than Y, but rather look at how the software is designed and how it works. phpBB 2.x had a horrible design, which meant endless patching. SMF hasn't had that, because they designed it properly from the beginning. I assume the same goes for myBB.

 

MyBB is better structured, to be sure, for all its flaws.

I was immune to the SMF exploit, myself - anyone running a decent Suhosin setup was - but that doesn't remove SMF's need for an audit. I'm not sure if I trust so-called professional audits, however - phpbb3 still parses certain user inputs as executable code.