# Exploit Title: NinkoBB 1.3RC5 stored XSS in Topic Subject field
# Date: 26-1-2011
# Author: Saif El-Sherei
# Software Link: http://ninkobb.com/wiki/releases
# Version: NinkoBB 1.3RC5
# Tested on: Firefox 3.0.15, , IE 8
# Vendor Notified: 26-1-2011, awaiting vendor response.
# Google Dork: "Powered By NinkoBB"-->around 1,720 target

Info:

NinkoBB is an open source forum script written in the PHP language and uses
a MySQL Database. NinkoBB is designed to be as simple as possible and
provide you with the key features that you need, all the while keeping the
space used on your server to a minimum. Built to be simple, small, and easy
to use with a user friendly install for a quick setup, painless upgrade
system, and easy to use admin panel for managing your forum. And includes
support for categories, plugins, languages, and themes.

Details:

User can execute arbitrary JavaScript code within the vulnerable
application.

when adding a new topic the subject field is not properly sanitized in the
message.php, an attacker could exploit this Bug to perform a Stored XSS
attack; affecting anywhere in the application where the subject field will
be displayed; for example in the:

Homepage displaying the latest topics:

http://evildomain.com/ninkobb/

the Category page where the topic is posted:

http://evildomain.com/ninkobb/?category=2

Notes:

the subject field in NinkoBb default installation has 32 characters length;
but this could be changed in the administration control panel thus the
attack POC would differ depending on the length limit.

POC:

<script>alert('XSS');</script>

Regards,

Saif El-Sherei

OSCP