MyBB has warned users that the latest version of the software contains a CAPTCHA-breaking flaw that may affect how forums function.
The popular open-source software serves as the foundation for thousands of online forums. However, in June, version 1.8.27 accidentally introduced a programming vulnerability that affects CAPTCHA verification systems enabled by users.
The project's developers warned on October 3 that the problem affects reCAPTCHA v3 and hCaptcha invisible, two services meant to prevent harmful bots from flooding web pages with false traffic. According to the MyBB developers, validation attempts made using these CAPTCHAs on a forum “appear broken and the verification can reject or accept attempts incorrectly”.
The problem, which has been reported on GitHub, was caused by the use of the incorrect template and handlers for the CAPTCHAs.
Incorrect pointers in reCAPTCHA v3 have resulted in a faulty image verification prompt, possibly allowing the system to be circumvented.
With hCaptcha, the incorrect handler may cause the feature to refuse all challenges.
MyBB advises users to temporarily switch to an alternative technique for applying CAPTCHAs on their forums, or to manually apply the forthcoming updates available on GitHub.
Version 1.8.27 is presently being stabilized, and a fix will be included in the next maintenance release.
Examine the builds
In addition to the CAPTCHA fix, MyBB has asked forum administrators to check their error logging configurations. A read-only feature released in MyBB 1.8.27 requires XHTML code to be validated as it is created, giving forum administrators a chance to notice any errors in a configuration error report ahead of the planned full release of this feature.
Customized MyCodes, plugins, theme templates, or username styles that are incompatible with the next version may cause problems in the next build.
The developers stated, “After upgrading, validation errors will continue to be logged, but messages with problematic MyCode will not be displayed to prevent potential XSS attacks against your forums.”
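The difference between the read-only stage (errors logged, message still shown) and the behaviour after upgrading (errors logged, message withheld) can be sketched as follows. This is an added example, not MyBB code: the MyCode definitions, logger name, placeholder text and function names are all constructed, and a plain XML well-formedness check stands in for MyBB's XHTML validation.

```python
import html
import logging
import re
import xml.etree.ElementTree as ET

log = logging.getLogger("mycode.validation")  # hypothetical logger name

# Constructed custom MyCode definitions (regex -> replacement); not MyBB's own.
MYCODES = [
    (r"\[hl\](.*?)\[/hl\]", r'<span class="hl">\1</span>'),  # well-formed output
    (r"\[box\](.*?)\[/box\]", r'<div class="box">\1'),       # missing </div>
]
SUPPRESSED = "<em>Message hidden: invalid markup.</em>"  # placeholder (assumption)


def render(message):
    """Escape user text, then expand the constructed MyCodes above."""
    out = html.escape(message, quote=True)
    for pattern, replacement in MYCODES:
        out = re.sub(pattern, replacement, out, flags=re.S)
    return out


def validation_error(fragment):
    """Return the parser error if the fragment is not well-formed, else None."""
    try:
        ET.fromstring("<root>" + fragment + "</root>")
    except ET.ParseError as exc:
        return str(exc)
    return None


def display(message, enforce):
    """Read-only mode logs and still shows the post; enforce mode withholds it."""
    rendered = render(message)
    error = validation_error(rendered)
    if error is None:
        return rendered
    log.warning("invalid XHTML from MyCode: %s", error)
    return SUPPRESSED if enforce else rendered


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for post in ["[hl]fine[/hl]", "[box]broken[/box]"]:  # constructed posts
        print(repr(display(post, enforce=False)), repr(display(post, enforce=True)))
```

Running it in read-only mode first shows which customizations would cause posts to be withheld once enforcement is switched on, which is the review the developers ask administrators to do from their error logs.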