YABB SE Double Encoded "user" Parameter SQL Injection
Versions <= 1.55
The YABB SE Team
None (Product Discontinued)
2005.06.26 - Vulnerability Discovered
2005.06.27 - Vendor found to have discontinued support
2006.06.23 - Public Disclosure
The vulnerability exists where the user-supplied variable $user is processed by the urldecode() function twice. This allows the %2527 SQL injection technique: %2527 decodes to %27, which in turn decodes to '.
It is recommended that, if you insist on continuing to use this product, you remove the line which reads "$user = urldecode($user);" from all functions in "\sources\proflie.php".
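The decode chain described above and the effect of removing the extra urldecode() line, as an added example that is not YABB SE code. It assumes the value is escaped with addslashes() after the first decode; the function names, the sample value and the query text are hypothetical.

```php
<?php
// Constructed sample: the raw query-string value for a user named o'brien,
// with the quote double-encoded as %2527 as described in the advisory.
$raw = 'o%2527brien';

// Models the first decode of the request parameter, followed by
// addslashes() as an assumed escaping step (not taken from YABB SE).
function receive(string $rawValue): string
{
    return addslashes(urldecode($rawValue));
}

// Before: the second urldecode() runs after escaping, so the quote that
// appears at this stage was never seen by addslashes().
function userVulnerable(string $rawValue): string
{
    $user = receive($rawValue);
    $user = urldecode($user);
    return $user;
}

// After: the extra urldecode() line is removed, as the advisory recommends.
function userFixed(string $rawValue): string
{
    return receive($rawValue);
}

// Hypothetical query text, built only to show where the value lands.
function buildQuery(string $user): string
{
    return "SELECT name FROM members_example WHERE name='$user'";
}

$results = [
    'vulnerable' => userVulnerable($raw),
    'fixed'      => userFixed($raw),
];

foreach ($results as $label => $user) {
    // A quote not preceded by a backslash terminates the SQL string literal.
    $hasBareQuote = preg_match("/(?<!\\\\)'/", $user) === 1;
    printf("%-10s user=%s bare_quote=%s\n", $label, $user, $hasBareQuote ? 'yes' : 'no');
    echo '           ', buildQuery($user), "\n";
}
```

Run it with the PHP command-line interpreter and compare the two query strings: only the path with the second urldecode() produces an unescaped quote inside the SQL literal.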