Hello! This is a vulnerability in Ikonboard 2.1.9 (possibly other versions, probably all 2.x.x versions) when HTML is ON. Anyone can post a script that lets them save the username and password of everyone who views the post and has JavaScript enabled.
The password is stolen by 2 scripts:

1. A PHP script on my server, call it grap.php. If this file is opened like this: grap.php?user=STOLENUSERNAME&pass=STOLENPASSWORD, it saves user and pass in a file on my server.

2. A JavaScript that is posted in the body of a post in the Ikonboard. It reads the cookie, extracts the username out of the cookie into the variable X and the password into the variable Y, and opens a popup with the location being http://www.myserver.com/grap.php?user=X&pass=Y. The PHP script then saves user and pass.

Stefan Walk
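
For a board administrator who wants to know which stored posts carry active content of the kind described above, the following audit pass parses post bodies and reports script elements, event-handler attributes and script URLs. It is an added example, not part of the original advisory or of Ikonboard; how post bodies are read from the board's storage is left out, and the function names and sample posts are constructed for illustration.

```python
from html.parser import HTMLParser

# Elements that run or load active content in the viewer's browser.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
URL_ATTRS = {"href", "src", "action", "background"}

class ActiveContentFinder(HTMLParser):
    """Collects the reasons a post body could run script when HTML is ON."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes character references
        # in attribute values, so "java&#115;cript:" is seen decoded.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                # Browsers strip tabs/newlines from URLs; compare without them.
                url = "".join(c for c in value if c > " ").lower()
                if url.startswith(("javascript:", "vbscript:")):
                    self.findings.append(f"script URL in {name} on <{tag}>")

def audit_post(body):
    """Return the list of findings for one stored post body."""
    finder = ActiveContentFinder()
    finder.feed(body)
    finder.close()
    return finder.findings

def audit_posts(posts):
    """Map post id -> findings, keeping only posts that have any."""
    return {pid: f for pid, body in posts.items() if (f := audit_post(body))}

# Constructed sample posts (hypothetical ids, harmless script bodies).
SAMPLE_POSTS = {
    1: "Nice <b>board</b>, thanks!",
    2: "hi <SCRIPT>void 0</SCRIPT>",
    3: '<img src="x.gif" onerror="void 0">',
    4: '<a href="java&#115;cript:void 0">link</a>',
}

if __name__ == "__main__":
    for pid, findings in audit_posts(SAMPLE_POSTS).items():
        print(pid, findings)
```

Flagged posts are candidates for manual review; plain formatting tags such as the `<b>` in sample post 1 are not reported.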