CVE-2009-4449

Name of the Vulnerable Software and Affected Versions MyBB versions 1.4.10 and earlier

Description The issue allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters when changing the user avatar from the gallery. This is related to the files (1) admin/modules/user/users.php and (2) usercp.php.

Recommendations For MyBB versions 1.4.10 and earlier, as a temporary workaround, consider restricting access to the avatar and gallery parameters in the usercp.php file until a patch is available. Additionally, limiting the ability to change the user avatar from the gallery may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.