Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
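The weakness described above, shown as an added PHP example (it is not MyBB's code and does not reproduce the affected files): a lookup that joins user-supplied gallery and avatar parameters straight into a path and tests it with `file_exists()`, next to a hardened lookup that allow-lists each path component, canonicalizes the result with `realpath()`, and confirms it still lies under the gallery root. The function names, the per-component naming policy and the temporary gallery built by the demo are all assumptions made for the example.

```php
<?php
// Added example, not MyBB's own code. It contrasts the CWE-22 pattern the
// record describes with a lookup that confines every probe to the gallery root.

// VULNERABLE PATTERN (illustration only): caller-controlled values are joined
// into a path and tested with file_exists(), so traversal sequences in either
// parameter let an authenticated user learn whether files outside the
// gallery exist.
function avatarExistsUnsafe(string $galleryRoot, string $gallery, string $avatar): bool
{
    return file_exists($galleryRoot . '/' . $gallery . '/' . $avatar);
}

// HARDENED LOOKUP. Returns the canonical path of an avatar inside the gallery
// root, or null when the request is malformed, escapes the root, or does not
// exist. Every rejected case yields the same answer, so the only existence
// information a caller can obtain is about files inside the gallery.
function resolveGalleryAvatar(string $galleryRoot, string $gallery, string $avatar): ?string
{
    $root = realpath($galleryRoot);
    if ($root === false || !is_dir($root)) {
        return null; // misconfigured root: refuse rather than guess
    }

    // Allow-list each component (assumed naming policy: one filename-safe
    // token that starts with a letter or digit). Separators are rejected, and
    // the first-character rule already excludes "." and "..", so nothing
    // reaches the filesystem before the policy is satisfied.
    foreach ([$gallery, $avatar] as $component) {
        if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $component)) {
            return null;
        }
    }

    $candidate = $root . DIRECTORY_SEPARATOR . $gallery . DIRECTORY_SEPARATOR . $avatar;

    // Canonicalize (this also resolves symlinks) and re-check containment, so
    // a symlink placed inside the gallery cannot point the lookup outside it.
    $resolved = realpath($candidate);
    if ($resolved === false || strpos($resolved, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($resolved) ? $resolved : null;
}

// Constructed demo: a throwaway gallery under the system temp directory plus
// one file outside it that a traversal probe would try to reach.
$base    = sys_get_temp_dir() . '/avatar_demo_' . bin2hex(random_bytes(4));
$root    = $base . '/gallery';
$outside = $base . '/outside.txt';
mkdir("$root/default", 0700, true);
file_put_contents("$root/default/smile.png", 'constructed placeholder, not a real PNG');
file_put_contents($outside, 'constructed file outside the gallery root');

$requests = [
    ['default', 'smile.png'],         // legitimate request
    ['default', '../../outside.txt'], // traversal in the avatar parameter
    ['..', 'outside.txt'],            // traversal in the gallery parameter
    ['default', 'missing.png'],       // inside the root but absent
];
foreach ($requests as [$gallery, $avatar]) {
    printf("%-28s unsafe=%-5s hardened=%s\n",
        "$gallery/$avatar",
        var_export(avatarExistsUnsafe($root, $gallery, $avatar), true),
        var_export(resolveGalleryAvatar($root, $gallery, $avatar) !== null, true));
}

// Clean up the constructed files.
unlink("$root/default/smile.png");
unlink($outside);
rmdir("$root/default");
rmdir($root);
rmdir($base);
```

Running the demo shows the unsafe lookup answering `true` for both traversal requests while the hardened lookup answers `false` for everything except `default/smile.png`. Two design points matter: the allow-list check runs before any filesystem call, so a rejected request never touches the disk, and the `realpath()` containment check is kept even though the allow-list already blocks `..`, because it is the control that survives a later loosening of the naming policy or a symlink dropped into the gallery.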
| Link | Tags |
|---|---|
| http://www.securityfocus.com/bid/37489 | vdb entry, third party advisory, broken link |
| http://openwall.com/lists/oss-security/2010/10/08/7 | mailing list |
| http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php | broken link, exploit |
| http://secunia.com/advisories/37906 | broken link, third party advisory, vendor advisory |
| http://openwall.com/lists/oss-security/2010/10/11/8 | mailing list |
| http://dev.mybboard.net/issues/617 | broken link |
| http://www.vupen.com/english/advisories/2009/3651 | permissions required, vdb entry, vendor advisory |
| http://openwall.com/lists/oss-security/2010/12/06/2 | mailing list |
| http://osvdb.org/61359 | vdb entry, broken link |
| http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/ | release notes |
| http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php | broken link, exploit |