Description
MyBB 1.2.4 allows remote attackers to obtain sensitive information via the (1) action[] parameter to member.php, (2) imagehash[] parameter to captcha.php, and (3) a direct request to inc/datahandlers/event.php, which reveal the installation path in the resulting error message.
Remediation
References
Related Vulnerabilities
WordPress Plugin HTML5 AV Manager for WordPress 'custom.php' Arbitrary File Upload (0.2.7)
WordPress Plugin Multisite Global Search 'mssearch' Parameter Cross-Site Scripting (1.2.5)
Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-4553)
WordPress Plugin Login rebuilder Cross-Site Request Forgery (1.1.3)