Here's a rather nasty persistent XSS vulnerability I found today in Kunena Forums. Using nested [img] tags, it is possible to inject script into the forums.
Here are some important highlights about this vulnerability:
- brackets, braces, spaces, and quotes cannot be used in the payload
- BBCode must be enabled
- you probably have to have an account (as on most forums)
- the img URL should point to a known-bad image, so that the onerror event fires
- there MUST be a space between the second opening [img] tag and the onerror
Without further ado, here's the (rather short) code:
UPDATE: This XSS works in the signature field as well as the post message.
UPDATE 2: Nested [url] tags are similarly vulnerable, but require user interaction to execute, and the XSS must end in a double slash (a JS line comment) so that the engine does not choke on the dangling quote that follows.
UPDATE 3: Kunena is a Joomla 1.5 implementation of Fireboard. As it turns out, Fireboard is also vulnerable to this attack vector.
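As an added, defender-side example (not part of the original post and not Kunena's or Fireboard's own code), here is a minimal BBCode [img] renderer in Python that closes this class of bug: it never lets a nested [img] become part of the URL, rejects URLs containing spaces, quotes or angle brackets, allows only http(s), and emits the src attribute quoted and escaped so nothing can append a second attribute such as an event handler. The tag names and test inputs are my own constructed samples.

```python
import html
import re
from typing import Optional

from urllib.parse import urlsplit

# One [img]...[/img] pair. The URL group excludes "[" and "]" so a nested
# "[img]" can never be swallowed into the URL text and re-emitted as markup.
IMG_TAG = re.compile(r"\[img\]([^\[\]]*)\[/img\]", re.IGNORECASE)

# Characters that must never reach an attribute value. Whitespace is the
# critical one: with src=URL emitted unquoted, a space ends the src attribute
# and whatever follows becomes a new attribute on the <img> element.
FORBIDDEN = set(" \t\r\n\"'<>")


def safe_image_url(url: str) -> Optional[str]:
    """Return url only if it is an absolute http(s) URL free of attribute-breaking chars."""
    if any(ch in FORBIDDEN for ch in url):
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return url


def render_img_bbcode(text: str) -> str:
    """HTML-escape a post and expand only well-formed, validated [img] tags."""
    out = []
    pos = 0
    for m in IMG_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))  # text between tags is escaped
        url = safe_image_url(m.group(1))
        if url is None:
            # Unsafe or malformed: show the escaped BBCode literally, render nothing.
            out.append(html.escape(m.group(0)))
        else:
            # Quoted and escaped attribute: no character in url can close it early.
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)
```

A nested `[img][img]http://host/x.png[/img][/img]` renders as a single image wrapped in literal `[img]`/`[/img]` text, and any URL carrying a space is left unrendered.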