CVE-2009-4449

Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.
References
Link Resource
http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/ Release Notes
http://dev.mybboard.net/issues/617 Broken Link
http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php Broken Link Exploit
http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php Broken Link Exploit
http://openwall.com/lists/oss-security/2010/10/08/7 Mailing List
http://openwall.com/lists/oss-security/2010/10/11/8 Mailing List
http://openwall.com/lists/oss-security/2010/12/06/2 Mailing List
http://osvdb.org/61359 Broken Link
http://secunia.com/advisories/37906 Broken Link Vendor Advisory
http://www.securityfocus.com/bid/37489 Broken Link Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2009/3651 Permissions Required Vendor Advisory
http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/ Release Notes
http://dev.mybboard.net/issues/617 Broken Link
http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php Broken Link Exploit
http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php Broken Link Exploit
http://openwall.com/lists/oss-security/2010/10/08/7 Mailing List
http://openwall.com/lists/oss-security/2010/10/11/8 Mailing List
http://openwall.com/lists/oss-security/2010/12/06/2 Mailing List
http://osvdb.org/61359 Broken Link
http://secunia.com/advisories/37906 Broken Link Vendor Advisory
http://www.securityfocus.com/bid/37489 Broken Link Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2009/3651 Permissions Required Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mybboard:mybb:1.4.10:*:*:*:*:*:*:*

History

21 Nov 2024, 01:09

Type Values Removed Values Added
References () http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/ - Release Notes () http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/ - Release Notes
References () http://dev.mybboard.net/issues/617 - Broken Link () http://dev.mybboard.net/issues/617 - Broken Link
References () http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php - Broken Link, Exploit () http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php - Broken Link, Exploit
References () http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php - Broken Link, Exploit () http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php - Broken Link, Exploit
References () http://openwall.com/lists/oss-security/2010/10/08/7 - Mailing List () http://openwall.com/lists/oss-security/2010/10/08/7 - Mailing List
References () http://openwall.com/lists/oss-security/2010/10/11/8 - Mailing List () http://openwall.com/lists/oss-security/2010/10/11/8 - Mailing List
References () http://openwall.com/lists/oss-security/2010/12/06/2 - Mailing List () http://openwall.com/lists/oss-security/2010/12/06/2 - Mailing List
References () http://osvdb.org/61359 - Broken Link () http://osvdb.org/61359 - Broken Link
References () http://secunia.com/advisories/37906 - Broken Link, Vendor Advisory () http://secunia.com/advisories/37906 - Broken Link, Vendor Advisory
References () http://www.securityfocus.com/bid/37489 - Broken Link, Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/37489 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.vupen.com/english/advisories/2009/3651 - Permissions Required, Vendor Advisory () http://www.vupen.com/english/advisories/2009/3651 - Permissions Required, Vendor Advisory

26 Jan 2024, 17:46

Type Values Removed Values Added
References (CONFIRM) http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php - Exploit (CONFIRM) http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php - Broken Link, Exploit
References (VUPEN) http://www.vupen.com/english/advisories/2009/3651 - Vendor Advisory (VUPEN) http://www.vupen.com/english/advisories/2009/3651 - Permissions Required, Vendor Advisory
References (BID) http://www.securityfocus.com/bid/37489 - (BID) http://www.securityfocus.com/bid/37489 - Broken Link, Third Party Advisory, VDB Entry
References (CONFIRM) http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php - Exploit (CONFIRM) http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php - Broken Link, Exploit
References (CONFIRM) http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/ - Patch, Vendor Advisory (CONFIRM) http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/ - Release Notes
References (OSVDB) http://osvdb.org/61359 - (OSVDB) http://osvdb.org/61359 - Broken Link
References (CONFIRM) http://dev.mybboard.net/issues/617 - (CONFIRM) http://dev.mybboard.net/issues/617 - Broken Link
References (MLIST) http://openwall.com/lists/oss-security/2010/10/11/8 - (MLIST) http://openwall.com/lists/oss-security/2010/10/11/8 - Mailing List
References (MLIST) http://openwall.com/lists/oss-security/2010/12/06/2 - (MLIST) http://openwall.com/lists/oss-security/2010/12/06/2 - Mailing List
References (SECUNIA) http://secunia.com/advisories/37906 - Vendor Advisory (SECUNIA) http://secunia.com/advisories/37906 - Broken Link, Vendor Advisory
References (MLIST) http://openwall.com/lists/oss-security/2010/10/08/7 - (MLIST) http://openwall.com/lists/oss-security/2010/10/08/7 - Mailing List
CVSS v2 : 6.3
v3 : unknown
v2 : 6.3
v3 : 6.5

Information

Published : 2009-12-29 20:41

Updated : 2024-11-21 01:09


NVD link : CVE-2009-4449

Mitre link : CVE-2009-4449

CVE.ORG link : CVE-2009-4449


JSON object : View

Products Affected

mybboard

  • mybb
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')