# Author: Infern0_
# Contact: balut2@o2.pl
# Vendor: http://www.invisionpower.com
# Vulnerability: Persistent XSS
# Vendor informed on: 6 February 2013
# Solution: Disable the option to use HTML in posts in the administrator panel. In v3.4.2 of IP.B it is disabled by default, and code in the quote tag is sanitized.
IP.B v3.4.1 is already a stable version of this software.
To reproduce this issue, follow these steps (sometimes you won't have to be logged in; it depends on the forum preferences, because some forums allow guests to write posts):
1. Go to some topic to add a post.
2. Click the BBCode icon to enable it and write this:
[quote name="<script>alert(document.cookie)</script>"]
It doesn't matter what goes here; ideally something concrete to deceive other users
[quote]
3. Submit the post, and voila - here it is: our persistent XSS.
As you can see, the vulnerable variable is 'name' in the quote tag. You can enter whatever you want there.
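
The flaw and its fix can be shown with a minimal quote-tag renderer. This is an added example, not IP.B's code and not part of the original advisory: the regex, the HTML template, the [/quote] closing form and all function names are assumptions made for illustration, and the sample posts are constructed.

```python
import html
import re

# Assumed BBCode form: [quote name="..."]body[/quote]
QUOTE_RE = re.compile(r'\[quote name="(?P<name>.*?)"\](?P<body>.*?)\[/quote\]', re.S)
TEMPLATE = "<blockquote><cite>{name} said:</cite>{body}</blockquote>"


def render(post: str, escape_name: bool) -> str:
    """Render quote tags to HTML. escape_name=False models the flaw in the
    advisory: the 'name' attribute is copied into the page unescaped."""
    out, pos = [], 0
    for m in QUOTE_RE.finditer(post):
        out.append(html.escape(post[pos:m.start()]))  # text before the tag
        name = m.group("name")
        if escape_name:
            # Output-encode the attribute like any other user-supplied text.
            name = html.escape(name, quote=True)
        out.append(TEMPLATE.format(name=name, body=html.escape(m.group("body"))))
        pos = m.end()
    out.append(html.escape(post[pos:]))  # text after the last tag
    return "".join(out)


def suspicious_quote_names(post: str) -> list:
    """Audit helper: quote names carrying markup characters, for reviewing
    posts that were stored before the renderer was fixed."""
    return [m.group("name") for m in QUOTE_RE.finditer(post)
            if re.search(r"[<>\"']", m.group("name"))]


# Constructed sample posts; the first reuses the string from step 2.
POC_POST = '[quote name="<script>alert(document.cookie)</script>"]some text[/quote]'
BENIGN_POST = 'Reply: [quote name="Alice"]2 < 3[/quote]'

if __name__ == "__main__":
    print(render(POC_POST, escape_name=False))  # script element reaches the page
    print(render(POC_POST, escape_name=True))   # rendered as inert text
    print(suspicious_quote_names(POC_POST))
```

Because the payload is stored, fixing the renderer covers old posts only if escaping happens at output time; the audit helper is for finding entries already in the database.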