What is AsmBB?

AsmBB is very fast and lightweight web forum engine written by JohnFound . (You are reading this article on AsmBB.org forum).

AsmBB is fully written in assembly language and uses SQLite as a database back-end. That is why it can work on really weak hosting and in the same time serve huge amount of visitors without lags and delays.

AsmBB is very secure web application, because of the internal design and the reduced dependencies. But it also supports encrypted databases, for even higher security.

In addition, AsmBB has very few requirements to the running environment:

• x86 Linux server.

  No matter 32 or 64bit. No need to have any specially preinstalled libraries.

  The smallest/cheapest VPS is fine. Shared hosting is fine as well (if supports FastCGI).

  A web server supporting FastCGI interface. AsmBB has been tested with Nginx, Apache, Lighttpd, Hiawatha and of course RWASA.

AsmBB is easy for customizing and modifying - it uses pretty powerful template system that allows easy customizing of the forum without actually modifying the code. (which is not so hard though).

Download, install and hack

Download the binary package directly: asmbb.tar.gz (this link always points to the latest version of the binary package).

Follow the progress, report bugs and clone the source: AsmBB source repository

Install on your own server and have the fastest forum ever: Tutorial about installation with NGINX and systemd

Install for less than 2 minutes with RWASA: Video tutorial (on YouTube as well)

📢 Minor changes in this very forum:

+ Beautiful themes: Glass, Neumor, Poly, Brutal, Joly, Tailwind, Snes + Insert URL in minimag button will use selected text as anchor text + Email verfication will be send as in default lang setting + Some minimag fix + Implement page (for contact, TOS...) + Implement API

📢 Latest Official AsmBB releases v2.9 with changes:

1. One new responsive theme has been created, named "Urban Sunrise".

+ This is an attempt to really improve the forum appearance. ( feedback is welcome ). + Also, this theme contains really improved post editors with embedded extended help for the post formatting. + In addition it supports Unicode Emoji characters in really native way, both in the post editor and the real-time chat: 😃 🤖 🏆 🥇 + "Urban Sunrise" supports source code syntax highlighting (through the JS library). + The real-time chat now accepts multi-row posts, including source code.

2. Of course, all reported bugs has been fixed as well, both in AsmBB engine and in FreshLib library.

📢 v2.8:

+ Fixed several bugs, some of them critical. Thanks to the users of AsmBB and especially to ganuonglachanh for the helpful bug reports. + New theme, named "Modern" has been created. It is kind of universal and can be used both for desktop and mobile devices. + DDOS protection has been implemented for the rare cases AsmBB can't handle the requests rate. Now the engine can serve the users requests better when under attack. + URL analyzer for the MiniMag and BBCode parsers has been implemented in order to prevent XSS attacks in the user posted links.

📢 v2.7:

The main and major change in this release is the support for encrypted forum database. The great SQLite plugin SQLeet is used. According to the specification it supports:

+ PBKDF2-HMAC-SHA256 key derivation with a 16-byte salt and 12345 iterations. + ChaCha20 stream cipher with one-time keys. + Poly1305 authentication tags.

Of course, the encryption is optional and can be freely switched on and off from the administration settings panel (the new tab "Encryption").

Several minor bugs has been fixed in this release as well.

Why encrypted database?

Because the encryption can seriously increase the security and the privacy of the forum database.

The encryption key in AsmBB is never stored on the disk and only temporary stored in the RAM. That is why even serious security breach on the web server or the backup server, or the backup media will not compromise the database of the forum, the people account attributes or personal data.

The only known problem of this solution is that the encryption key must be entered on every forum engine restart (through the web interface). This way, on incidental server restarts, the forum will be not accessible for some time. But AsmBB is long living and very stable application so, such issues happen once a several months or even years.

Of course, using encrypted database makes the use of SSL/TLS mandatory.

📢 v2.6:

1. German translation

Although the German translation has been available in the v2.5 silent update of the binary pack, v2.6 is the first official version with German translation of the UI.

Thanks to the community, in v2.6 all other translations are improved as well.

2. Atom/RSS feed support.

The subscribing for themes and some way for push notifications was one of the most required feature.

In v2.6 these requests has been addressed by support for Atom/RSS feeds.

Now everyone can subscribe for the whole forum, for particular tag or for particular theme and get notifications when something is changed.

3. Real-time notifications engine

The handling of the server sent events (SSE) has been rewritten from scratch in order to handle all users in a uniform manner.

While in the earlier versions SSE was used only for the real-time chat, now the SSE service is flexible enough to be used for delivering notifications for many different forum events.

Such as new posts, other users activities, etc.

In addition now it serves all clients from a single thread, so arbitrary number of visitors can be served simultaneously with very little load on the server.

Currently only limited number of notifications are implemented, but as long as the infrastructure is ready and easy expandable, more features can be added later.

4. Bug fixes and speed improvements.

As usual all bugs discovered meanwhile has been fixed. And probably new introduced. But I believe the new bugs are less than the fixed bugs.

At least, on the demo server, there were no spontaneous crashes or memory leaks detected during the whole period between the releases.

The new SSE handling service improves the speed of event processing, especially on high and very high loads of the forum.

5. Updated SQLite and MUSL libraries

Of course, the binary package contains the most recent versions of SQLite and MUSL.

📢 v2.5:

1. User interface i18n

The first major new feature in this release is the internationalization of the engine. Now every user can choose different language for the user interface of the forum. Currently are available 4 languages: English, Bulgarian, Russian and French.

Notice, that some mistakes in the translations are possible and expected, so please, post your corrections and they will be fixed.

Great thanks to macadoum for the French translation.

2. Second markup language - BBCode

A parser for BBCode has been developed and now AsmBB understands two markup languages ( MiniMag and BBCode).

In addition BBCode allows creation of scripts for migration from another forum engines, because BBCode is the most popular forum markup language.

3. Second email send mechanism

Now it is possible to use external programs (such as sendmail) for sending emails to the forum users. This mechanism makes installation easier in the cases where no email server is installed.

4. The usual performance improvements and bug fixes.

As usual the new release is faster than the previous and all detected bugs has been fixed. Of course, bugs and misbehaviours are still possible, so report them here and they will be fixed quickly.

📢 v2.4:

+ Now is possible to attach files to the posts. The attachments permissions are managed per user. + "Limited access threads" were implemented. LAT are something like private messages on steroids. The owner of the thread can set some list of users that have access to the thread. The thread is invisible for the other users and can be used for private conversations. + Improved users permissions management. The users permissions can be edited by the administrator from the user profile. Separate permissions for the not logged-in visitors (anonymous users) were implemented. This way, now is possible to make closed forum, where only the registered users will be able to read the threads. The registration of new users can be closed as well, creating totally private forum closed for the outer world. + The real-time chat service was refactored in order to serve all connections in single thread. Now almost unlimited number of visitors can chat. Now the chat can be merged with the main forum pages with very minor performance degradation. + And of course, the new version is about 20% faster than the older versions, after the optimizations of the template rendering engine, the scheme of the database and the SQL requests. + New "Terminal" skin was developed for the lovers of the console user interface. + All revealed bugs were fixed. + The structure of the source code was changed as well. Now the dependency binary files (musl and sqlite library) are removed from the repository and instead a building script was developed that to download from Internet and build the latest versions of these libraries. This way only the latest versions of these libraries will be released with AsmBB.

📢 v2.3:

This is mainly fine-tuning and maintenance release, but two serious bugs have been fixed as well. Here is the change list:

+ Several serious regressions were fixed. + The skins were reworked in order to provide more accessibility. Particularly all background images were replaced with <img> tags with respective "alt" texts. Now even with images switched off, the forum can be used flawlessly. Some skin design issues have been fixed as well. + The JS code for the chat has been cleaned up and accelerated a little.

📢 v2.2:

+ Persistent login for the users that prefer it. It is off by default. + Reset password procedure. + Implemented "Categories" type of navigation, based on the tags system. This way the users can set their own categories. + New theme MoLight : it is a mobile theme, the same style as Light theme. + Administrator debugging tool !debuginfo + Preserving the post edit/delete history and allows to restore them. + Improved the UI of the post editor, included some help texts where needed. + Improved JS code for the real time chat.

📢 v2.1:

+ Optional persistent login (default: off) for the users don't wanting to login on every visit. + "Reset password" - the most questionable new feature, because by its very nature, this is kind of security hole. :) The feature requires valid email and is accessible as a link in the !login form. + "Users list" a not_so_important feature but still useful, all users in one list, accessible on !userlist + Chat code updated with many new features: automatic anti-scroll to allow reading the old messages while the people chatting. Notification about missed messages in the tab header allows to follow the conversation without using pop-up notifications. Change of the nickname color, when the user switches to another tab. Speed optimized loading of the old messages on startup/refresh. (yes JS is slow,but still allows some speed optimizations

📢 v2.0:

1. Performance

The main AsmBB component, the templates render (`render.asm`) has been replaced by ` render2.asm`. Rewritten from scratch it uses more "assembly style" algorithms. As a result it is faster and uses less memory, compared with the old implementation.

In addition, all chained string comparisons in the URL parsing logic, has been replaced by hash tables accelerating the common logic of the engine.

This way the speed of AsmBB was approximately doubled. Now it is much harder to overload the engine and it can handle even more visitors simultaneously.

2. The code security

After serious testing with different web application testing tools (including OWASP ZAP and Tinfoil security) some vulnerabilities has been discovered and fixed.

The hard fuzzing and near DDOS loads of the above tests, as a side effect, revealed several obscure resource and memory leaks, that has been fixed as well.

In order to track the leaks easier, was implemented a debugging tool that collects statistics about resources and memory allocations and deallocations and report them on a web page.

As a result I am pretty confident that v2.0 is clean from memory leaks and SQLite hanging statements.

📢 Latest Official AsmBB releases v3.0 with changes:

1. Many new features was added. Direct paste images as an attachments, support for YouTube video embedding, unified post/thread editor (which simplifies the code and the templates), threads ranking.

2. The skin "Modern" was removed from the project, because of its low quality.

3. This v3.0 introduces incompatibilities with the older versions. Both in database and template structures.

Because of the SQLeet project discontinuation, was added support for SQLite3MultipleCiphers encryption extension. (the binary release package is compiled with it)

All the bugs and vulnerabilities revealed was fixed. The most several bugs was discovered as a result of the hxp CTF event.

Update of the database from v2.9.1 to v3.0:

As long as the database structure was changed, before updating the binaries to v3.0, modify the existing databases:

1. Decrypt the database, before modifying. Notice, that the new SQLite3MultipleCiphers library is used in a mode not compatible with the previous SQLeet library. You must decrypt the database before migrating to v3.0 and then you can encrypt it again with the new library.

2. Make a backup in case something goes wrong.

3. Execute in the SQLite console the following commands (simply copy and paste, there is no parameters to adjust):

    insert into Params values ('nu_post_interval', 0);
    insert into Params values ('nu_post_interval_inc', 0);
    insert into Params values ('nu_max_post_length', 0);

    alter table Users add column LastPostTime    integer default 0;
    alter table Users add column PostInterval    integer default 0;   
    alter table Users add column PostIntervalInc integer default 0;   
    alter table Users add column MaxPostLen      integer default 0;

    alter table Attachments add column userID integer references Users(id) on delete cascade;

    create index idxAttachmentsCombined on Attachments(postID, userID);
    create unique index idxAttachmentsUnique2 on Attachments(userID, md5sum);

    drop index idxUserLogGroup;

    alter table Threads add column Rating integer default 0;

    create table ThreadVoters (
      threadID integer references Threads(id) on delete cascade on update cascade,
      userID   integer references Users(id) on delete cascade on update cascade,
      Vote     integer
    );

    create unique index idxThreadVoters on ThreadVoters(threadID, userID);

    create trigger ThreadVotersAU after update on ThreadVoters begin
      update Threads set Rating = Rating - old.Vote + new.Vote where id = new.threadID;
    end;

    create trigger ThreadVotersAD after delete on ThreadVoters begin
      update Threads set Rating = Rating - old.Vote where id = old.threadID;
    end;

    create trigger ThreadVotersAI after insert on ThreadVoters begin
      update Threads set Rating = Rating + new.Vote where id = new.threadID;
    end;

    drop trigger PostsAI;
    drop trigger PostsAD;

    CREATE TRIGGER PostsAI AFTER INSERT ON Posts BEGIN
      insert into PostFTS(rowid, Content, Caption, slug, user, tags) VALUES (
        new.id,
        new.Content,
        (select Caption from Threads where id=new.threadid),
        (select slug from Threads where id = new.threadid),
        ifnull((select nick from users where id = new.userid), new.anon),
        (select group_concat(TT.Tag, ", ") from ThreadTags TT where TT.threadID = new.threadid)
      );
      insert into PostCNT(postid,count) VALUES (new.id, 0);
      insert or ignore into ThreadPosters(firstPost, threadID, userID) values (new.id, new.threadID, new.userID);

      update Users set PostCount = PostCount + 1, LastPostTime = strftime('%s', 'now'), PostInterval = max(0, PostInterval + PostIntervalInc) where Users.id = new.UserID;
      update Threads set PostCount = PostCount + 1 where id = new.threadID;
      update Counters set val = val + 1 where id = 'posts';
      update Tags set PostCnt = PostCnt + 1 where Tags.tag in (select tag from ThreadTags where ThreadID = new.ThreadID);
    END;

    CREATE TRIGGER PostsAD AFTER DELETE ON Posts BEGIN
      delete from PostFTS where rowid = old.id;
      delete from ThreadPosters where threadid = old.threadid and userid = old.userid;
      insert or ignore into ThreadPosters(firstPost, threadID, userID) select min(id), threadid, userid from posts where threadid = old.threadid and userid = old.userid;

      update Users set PostCount = PostCount - 1 where Users.id = old.UserID;
      update Threads set PostCount = PostCount - 1, LastChanged = (select max(P.postTime) from posts as P where P.threadID = old.threadID) where id = old.threadID;
      update Counters set val = val - 1 where id = 'posts';
      update Tags set PostCnt = PostCnt - 1 where Tags.tag in (select tag from threadtags where threadid = old.threadid);

      insert or ignore into PostsHistory(postID, threadID, userID, anon, postTime, editUserID, editTime, format, Content) values (
        old.id,
        old.threadID,
        old.userID,
        old.anon,
        old.postTime,
        old.editUserID,
        old.editTime,
        old.format,
        old.Content
      );
    END;

    insert into Messages VALUES ('error_too_early','Simple, deep, and still.
    The old masters were patient.
    Without desires.','Try to do it later!',NULL);

4. After updating the database scheme you can stop the engine and replace the binary files ( engine, ld-musl-i386.so and libsqlite3.so)

5. While engine stopped, replace the whole templates/ directory with the new one.

6. Start the engine again.

7. Check the updated forum for problems.

8. If everything seems to works OK, you can encrypt the database again (if you prefer so) from the AsmBB settings page.

Enjoy!