MyBB's upgrade component vulnerable to local file inclusion

MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the installer must be unlocked (no `install/lock` file present) and the upgrade script must be accessible (by re-installing the forum via access to `install/index.php`; when the forum has not yet been installed; or the attacker is authenticated as a forum administrator). MyBB 1.8.39 resolves this issue.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

对路径名的限制不恰当(路径遍历)

MyBB 路径遍历漏洞

MyBB（MyBulletinBoard）是MyBB团队的一套用PHP和MySQL开发的免费且基于Web的论坛软件。该软件具有简单易用、支持多国语言、可扩展等特点。 MyBB 1.8.39之前版本存在路径遍历漏洞，该漏洞源于升级组件未正确验证用户输入，可能导致本地文件包含。

N/A

N/A