Two security vulnerabilities in YaBB allow stealing users' cookies and hijacking users' accounts.

Tested on: YaBB 1.40 & 1.41

Summary: YaBB is a leading provider of free, downloadable PHP forums for webmasters. Two security vulnerabilities in the product allow a remote attacker to steal users' cookies, hijack users' accounts, and more.

The issues discussed are:
1. Cross Site Scripting Vulnerability on the login procedure.
2. Unsecured changing profile method.

*************** 1. Cross Site Scripting Vulnerability on the login procedure ******************

If we log into YaBB forums and enter an invalid username/password, the forum displays the username and the password we entered, and it doesn't strip HTML tags from the password field, allowing us to write malicious HTML and JavaScript into the page. From there, stealing the username cookie is pretty easy. The method is to create a cross-site scripting (CSS) vulnerability in the target site, forcing the victim to send the cookie to an .asp file we have created. This can be done with this statement:

http://target.com/forums/index.php?board=;action=login2&user=USERNAME&cookielength=120&passwrd=PASSWORD
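
The root cause described above is a failed-login page that echoes request parameters into HTML without encoding them. The following is an added example, not YaBB source code: the function names, page markup and sample values are hypothetical and only contrast the unencoded pattern with an output-encoded one that also stops echoing the password.

```php
<?php
// Added illustration; not taken from YaBB. Names and markup are hypothetical.

// Pattern the advisory describes: the failed-login page writes the
// submitted username and password straight into the HTML response.
function render_login_error_vulnerable(string $user, string $passwrd): string
{
    return "<p>Login failed for user: $user, password: $passwrd</p>";
}

// Hardened pattern: encode untrusted input at output time and never
// reflect the submitted password back to the browser at all.
function render_login_error_hardened(string $user): string
{
    // ENT_QUOTES also encodes ' and ", so the value is safe inside attributes.
    $safeUser = htmlspecialchars($user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Login failed for user: $safeUser</p>";
}

// Returns true if the page contains the given tag as live (unencoded) markup.
function contains_live_tag(string $html, string $tag): bool
{
    return strpos($html, $tag) !== false;
}

// Constructed sample input: harmless markup standing in for HTML
// supplied through the request parameters.
$user    = 'alice';
$passwrd = '<b>markup-test</b>';

$before = render_login_error_vulnerable($user, $passwrd);
$after  = render_login_error_hardened($user);

// The unencoded page carries the tag through; the hardened page does not.
var_dump(contains_live_tag($before, '<b>'));
var_dump(contains_live_tag($after, '<b>'));

// Markup placed in the username field is encoded, not interpreted.
echo render_login_error_hardened('<b>markup-test</b>'), "\n";
```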