Yet another Bulletin Board (YaBB) 2.5.2 and earlier allow arbitrary
code execution through a combination of file uploads with
predictable locations and unsanitized use of the "guestlanguage"
cookie in file paths.
This problem is similar to CVE-2007-3295.
References:
http://www.yabbforum.com/community/YaBB.pl?num=1367511332
http://www.carsten-dalgaard.dk/cgi-bin/yabb2/YaBB.pl?num=1367511256
In Load.pl find:
    if ($yyCookies{'guestlanguage'} && !$FORM{'guestlang'} && $enable_guestlanguage) {
        # Cookie value copied into $language unchecked; $language is later used in file paths.
        $language = $guestLang = $yyCookies{'guestlanguage'};
    }
replace with:
    if (   $yyCookies{'guestlanguage'}
        && !$FORM{'guestlang'}
        && $enable_guestlanguage )
    {
        # Build the allowlist from what is actually in the Languages folder.
        opendir DIR, $langdir;
        my @langDir = readdir DIR;
        closedir DIR;
        @lang = ();
        foreach my $langitems ( sort { lc($a) cmp lc $b } @langDir ) {
            chomp $langitems;
            if (   ( $langitems ne q{.} )
                && ( $langitems ne q{..} )
                && ( $langitems ne q{.htaccess} )
                && ( $langitems ne q{index.html} ) )
            {
                push @lang, $langitems;
            }
        }

        # Accept the cookie only if it is exactly one of those entries.
        $ccheck = 0;
        $clang  = q{};
        for my $lng (@lang) {
            if ( $yyCookies{'guestlanguage'} eq $lng ) {
                $clang  = $lng;
                $ccheck = 1;
                last;
            }
        }
        if ( $ccheck == 1 ) {
            $language = $guestLang = $clang;
        }
    }
And I'm sure Carsten will have a much neater way of doing this.
While I can't confirm that the security vulnerability has ever been exploited against a YaBB Forum, I'm pretty sure that the original code allows for the possibility of bad stuff being passed into the $language variable - which is a very bad thing.
The new code compares what's in the guestlanguage cookie against the possible valid options - the Languages in the Language folder on the server. If it's not a valid value, it doesn't get passed along. (At least that's how it should work.)
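To make the failure mode concrete, here is a stand-alone Perl script added as an example; it is not part of the original post and not YaBB's own code. It builds a throwaway Languages folder next to an attacker-writable upload directory, then feeds a few constructed cookie values through two functions: one that mirrors the original Load.pl behaviour (cookie copied straight into a path) and one that applies the same directory-listing allowlist as the fix above, factored into a function. The file name Main.lng, the layout, and the cookie values are assumptions for the demo. The realpath containment check at the end is an extra belt-and-braces step that the posted fix does not include.

```perl
#!/usr/bin/perl
# Added example, not YaBB's code. Shows why the raw guestlanguage cookie
# must never reach a file path and how the Languages-folder allowlist used
# by the Load.pl fix stops traversal. Layout, file names (Main.lng) and
# cookie values are constructed for the demo.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);
use File::Spec;
use Cwd qw(realpath);

# Throwaway tree: Languages/{English,German}/Main.lng plus an upload area
# at a predictable location beside it, standing in for attacker-controlled
# file uploads.
my $root    = tempdir(CLEANUP => 1);
my $langdir = File::Spec->catdir($root, 'Languages');
make_path(map { File::Spec->catdir($langdir, $_) } qw(English German));
make_path(File::Spec->catdir($root, 'uploads', 'evil'));
for my $dir ("$langdir/English", "$langdir/German", "$root/uploads/evil") {
    open my $fh, '>', "$dir/Main.lng" or die "$dir: $!";
    print {$fh} "1;\n";    # a language file is Perl that gets required
    close $fh;
}

# Vulnerable: what the original Load.pl line amounts to once $language is
# used to build a path. Any cookie value is accepted verbatim.
sub language_file_unchecked {
    my ($cookie) = @_;
    my $language = $cookie;    # $language = $yyCookies{'guestlanguage'}
    return "$langdir/$language/Main.lng";
}

# Hardened: same idea as the fix. Accept the cookie only if it is exactly
# one of the entries in the Languages folder (minus the housekeeping names)
# and that entry is a directory; otherwise return undef.
sub valid_guest_language {
    my ($cookie) = @_;
    return undef unless defined $cookie && length $cookie;
    opendir my $dh, $langdir or die "$langdir: $!";
    my @entries = grep { !/^(?:\.|\.\.|\.htaccess|index\.html)$/ } readdir $dh;
    closedir $dh;
    for my $entry (@entries) {
        return $entry if $cookie eq $entry && -d "$langdir/$entry";
    }
    return undef;
}

# Extra (not in the posted fix): even an allowlisted name must resolve to a
# file under $langdir. Catches a language directory that is itself a
# symlink pointing somewhere else.
sub inside_langdir {
    my ($path) = @_;
    my $real = realpath($path) or return 0;
    my $base = realpath($langdir);
    return index($real, "$base/") == 0 ? 1 : 0;
}

# Constructed cookie values: one legitimate, three that must be refused.
my @cookies = (
    'English',
    '../uploads/evil',    # traversal into the predictable upload location
    'german',             # wrong case: eq comparison rejects it
    '',                   # empty value
);

for my $cookie (@cookies) {
    my $unchecked = language_file_unchecked($cookie);
    my $checked   = valid_guest_language($cookie);
    my $verdict =
        !defined $checked ? 'rejected'
      : inside_langdir("$langdir/$checked/Main.lng")
        ? "accepted as '$checked'"
      : 'rejected (resolves outside Languages)';
    printf "%-20s unchecked path exists: %-3s allowlist: %s\n",
        "'$cookie'", (-e $unchecked ? 'yes' : 'no'), $verdict;
}
```

Running it shows the point of the fix: the traversal value `../uploads/evil` produces a path that really exists (the attacker's upload), so the unchecked code would go on to load it, while the allowlist rejects it because it is not literally one of the directory entries. Two caveats worth knowing when applying the posted fix: the comparison is case-sensitive, so a cookie of `german` is refused even on a case-insensitive filesystem where the directory would open fine, and the fix does not verify that the matching entry is a directory or that it resolves inside the Languages folder; the `-d` test and `inside_langdir` above add those checks.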