# Exploit Title: NinkoBB 1.3RC5 stored XSS in Topic Subject field # Date: 26-1-2011 # Author: Saif El-Sherei # Software Link: http://ninkobb.com/wiki/releases # Version: NinkoBB 1.3RC5 # Tested on: Firefox 3.0.15, , IE 8 # Vendor Notified: 26-1-2011, awaiting vendor response. # Google Dork: "Powered By NinkoBB"-->around 1,720 target Info: NinkoBB is an open source forum script written in the PHP language and uses a MySQL Database. NinkoBB is designed to be as simple as possible and provide you with the key features that you need, all the while keeping the space used on your server to a minimum. Built to be simple, small, and easy to use with a user friendly install for a quick setup, painless upgrade system, and easy to use admin panel for managing your forum. And includes support for categories, plugins, languages, and themes. Details: User can execute arbitrary JavaScript code within the vulnerable application. when adding a new topic the subject field is not properly sanitized in the message.php, an attacker could exploit this Bug to perform a Stored XSS attack; affecting anywhere in the application where the subject field will be displayed; for example in the: Homepage displaying the latest topics: http://evildomain.com/ninkobb/ the Category page where the topic is posted: http://evildomain.com/ninkobb/?category=2 Notes: the subject field in NinkoBb default installation has 32 characters length; but this could be changed in the administration control panel thus the attack POC would differ depending on the length limit. POC: <script>alert('XSS');</script> Regards, Saif El-Sherei OSCP