InvisionPower cms Links to Titles utility Persistent XSS

2014.05.05
Credit: UmPire
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

InvisionPower cms Links to Titles utility Persistent XSS
===========================================
#Author: UmPire
#Version: 3.0 (Full details of the version 3.1 patch are not mentioned. All versions are suspected to be affected.)
#Vendor URL: http://invisionpower.com
#Product URL: http://community.invisionpower.com/files/file/3784-links-to-titles/
#Tested: Windows 7
______________________________________________
The IPB "Links to Title" mod converts links to the link's title.
It converts "http://www.google.com" to "Google", and the href= remains http://www.google.com.
The problem is that it doesn't convert HTML tags to safe HTML characters.
So if we use HTML code in the title of the source page, it will be executed in the InvisionPower cms on which "Links to Title" is installed.
______________________________________________
#Product Detection:
http://localhost:80/admin/applications/forums/sources/classes/linkTitlesFunctions.php ~ 200 OK

#POC:
Enter a link in invision power cms: http://localhost:80/test.html
Contents of test.html:
<html>
<title>
<script>alert('xss')</script>
</title>
</html>

#Video: https://www.youtube.com/watch?v=ap23bnsK8Vg

#Credits: Iran Security Group - iransec.net
Thanks to Root.Smasher|Black V!per|ali ahmady|Mr.Moein|Sultan Brain|Alireza_Promis|M4hdi|Social Engineer|TaK.FaNaR|LinuxLover|Saeed.Jok3r
Email: ranrep0ker@yahoo.com

#TimeLine:
2014/04/30 --> Found the bug.
2014/05/03 --> Contacted IPS Official Site (told me to contact the third-party author).
2014/05/04 --> Sent message to third-party author (programmer of "Links to Title") -> No reply
2014/05/05 --> Published the bug.
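
The missing output encoding described above, as an added PHP example that is not the mod's own code: extractTitle, linkToTitleUnsafe and linkToTitleSafe are hypothetical names, and the sample page is the test.html from the PoC. The unsafe variant reproduces the behaviour the advisory describes; the safe variant HTML-encodes the remote title and the URL before they are written into the post.

```php
<?php
// Added example with hypothetical helper names; this is not the mod's real code.

// Pull the <title> text out of a fetched page. The result is untrusted input.
function extractTitle(string $html): ?string
{
    if (!preg_match('~<title[^>]*>(.*?)</title>~is', $html, $m)) {
        return null;
    }
    // Decode entities first so the value is encoded exactly once on output,
    // then collapse runs of whitespace.
    $title = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $title = trim((string) preg_replace('/\s+/', ' ', $title));
    return $title === '' ? null : $title;
}

// Before: the remote title is concatenated into the post markup as-is,
// so any tags inside <title> become live markup in the forum page.
function linkToTitleUnsafe(string $url, string $html): string
{
    $title = extractTitle($html) ?? $url;
    return '<a href="' . $url . '">' . $title . '</a>';
}

// After: attribute value and link text are both HTML-encoded,
// and only http(s) URLs are turned into links at all.
function linkToTitleSafe(string $url, string $html): string
{
    $enc = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $enc($url); // not linkable: emit as encoded plain text
    }
    $title = extractTitle($html) ?? $url;
    return '<a href="' . $enc($url) . '" rel="nofollow noopener">'
         . $enc($title) . '</a>';
}

// Constructed sample: the test.html contents from the PoC above.
$page = "<html> <title> <script>alert('xss')</script> </title> </html>";
$url  = 'http://localhost:80/test.html';

echo linkToTitleUnsafe($url, $page), PHP_EOL; // title markup passes through
echo linkToTitleSafe($url, $page), PHP_EOL;   // title rendered as inert text
```

Because the converted link is stored in the post, encoding has to happen at the point where the fetched title is merged into the post markup; titles already stored by the unpatched code remain in existing posts until they are re-processed.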

References:

http://community.invisionpower.com/files/file/3784-links-to-titles/

