Monday, 06 July 2009 15:06
Here's a rather nasty persistent XSS vulnerability I found today in Kunena Forums. Using nested [img] tags, it is possible to inject script into the forums.
Here are some important highlights about this vulnerability:
- brackets, braces, spaces, and quotes cannot be used in the payload
- BBCode must be enabled
- you probably have to have an account (as on most forums)
- the img URL should point to a known bad (non-loading) image, so the onerror event fires
- there MUST be a space between the second opening [img] tag and the onerror
Without further ado, here's the (rather short) code:
[img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]
UPDATE: This XSS works in the signature field as well as the post message.
UPDATE 2: Nested [url] tags are similarly vulnerable, but require user interaction to execute as well as an ending double slash in the XSS to prevent the js engine from interpreting a hanging quote.
[url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]
UPDATE 3: Kunena is a Joomla 1.5 implementation of Fireboard. As it turns out, Fireboard is also vulnerable to this attack vector.
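To make the parser-side root cause concrete, here is an added example (my own code, not Kunena's or Fireboard's, and not their actual BBCode routine) that models the class of bug in Python: a hypothetical one-pass [img] handler that emits the URL as an unquoted, unvalidated src attribute, next to a hardened handler that matches innermost tags first, allowlists the URL, and escapes and quotes the output. The nested [img] payload from this post is embedded as the constructed sample input; the stdlib HTML parser is used only to show which attributes a browser-like tokenizer would see. The same innermost-first plus allowlist approach covers the nested [url] variant from UPDATE 2.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample input: the nested-[img] payload quoted in this post.
NESTED_IMG_PAYLOAD = (
    "[img]http://foo.com/fake.png [img] onerror="
    "javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]"
)

# --- Hypothetical weak handler (assumption, not Kunena's code) ---------------
_LOOSE_IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def naive_bbcode_img(text: str) -> str:
    """One non-greedy pass; src is emitted unquoted and never validated.

    The nested [img] pushes a space-separated ' onerror=...' into the tag body,
    so the browser tokenizes it as an additional attribute.
    """
    return _LOOSE_IMG_RE.sub(lambda m: "<img src=%s />" % m.group(1), text)


class _ImgAttrCollector(HTMLParser):
    """Collects attribute names of every <img> tag, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.img_attrs = []

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.img_attrs.append(sorted(name for name, _ in attrs))


def img_attribute_names(markup: str) -> list:
    """Return one sorted attribute-name list per <img> tag found in markup."""
    parser = _ImgAttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.img_attrs


# --- Hardened handler ---------------------------------------------------------
# Innermost-first: the captured body may not contain another BBCode bracket.
_INNER_IMG_RE = re.compile(r"\[img\]([^\[\]]*)\[/img\]", re.IGNORECASE)
_ALLOWED_SCHEMES = {"http", "https"}


def is_safe_image_url(candidate: str) -> bool:
    """Allowlist: absolute http(s) URL with a host, no whitespace or markup chars."""
    if not candidate or any(c.isspace() for c in candidate):
        return False
    if any(c in candidate for c in "<>\"'[]"):
        return False
    parts = urlsplit(candidate)
    return parts.scheme.lower() in _ALLOWED_SCHEMES and bool(parts.netloc)


def safe_bbcode_img(text: str) -> str:
    """Render [img]...[/img] with a validated, quoted, HTML-escaped src.

    Rejected bodies are emitted as escaped plain text (tags dropped), so every
    pass removes one bracket pair and the loop terminates on nested input.
    """

    def render(match: re.Match) -> str:
        url = match.group(1).strip()
        if is_safe_image_url(url):
            return '<img src="%s" alt="" />' % html.escape(url, quote=True)
        return html.escape(match.group(1), quote=True)

    previous = None
    while previous != text:
        previous, text = text, _INNER_IMG_RE.sub(render, text)
    return text


if __name__ == "__main__":
    print("naive  :", naive_bbcode_img(NESTED_IMG_PAYLOAD))
    print("attrs  :", img_attribute_names(naive_bbcode_img(NESTED_IMG_PAYLOAD)))
    print("safe   :", safe_bbcode_img(NESTED_IMG_PAYLOAD))
    print("normal :", safe_bbcode_img("[img]http://example.com/a.png?x=1&y=2[/img]"))
```

The two regexes differ in one character class: `[^\[\]]*` refuses to swallow a second opening tag, which is exactly what the nested payload relies on. Quoting and escaping the attribute is what prevents a space from ever starting a new attribute; the scheme allowlist is what keeps a rejected body from becoming a script-bearing src in the first place.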
Last Updated on Monday, 06 July 2009 22:15
The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
Fix can be found at:
http://www.kunena.com/forum/77-general-talk-about-kunena/22636-persistent-xss#22803
Besides, this is a trick akin to http://secunia.com/advisories/32225 that has been public for 8 months.