Search
1.
(Code/Joomla!)
JComments 2.2.0.0 suffers from a persistent XSS vulnerability in the way it handles certain BBCodes.
If [url] and [img] tags are available, the following malformed BBCode will result in code execution: ...
2.
(Code/Joomla!)
... are all patched in the latest (4.1.7 at the time of this writing).
Malformed BBCode Persistent XSS, #1
a[img]b[img]c[/img]d[/img]e
a[url=http://jeffchannell.com]b[img]c=''/style='position:absolute;top:-1px;left:-1px;width:999em;height:999em'/onmouseover='location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104,97,110,110,101,108,108,46,99,111,109)'/[/url]d[/img]e
Malformed ...
3.
(Code/Joomla!)
... within 16 minutes, and after a bit of refining I managed to really mess things up. ;)
My first major score occurred using malformed BBCode using mismatched url and img tags. Using this I injected 2 ...
5.
(Code/Joomla!)
The Joomla component Ninjaboard 0.5.0beta suffers from multiple persistent XSS vulnerabilities in its BBCode implementation, as well as a minor CSRF vulnerability and a minor Path Disclosure vulnerability. ...
6.
(Code/Joomla!)
... select 1,2,VERSION(),4,5,6,7,8,9,10,11,12 --
[img] BBCode [color] Tag XSS
[color=red;xss:expression(window.r?0:(alert(String.fromCharCode(88,83,83)),window.r=1))]XSS[/color]
[url] BBCode [img] ...
7.
(Other/Other)
I figured I'd do a little blog posting about finding and exploiting XSS vulnerabilities in BBCode implementations. Not many sources exist for this type of information, and certainly none exist that I am ...
8.
(Code/Joomla!)
The Joomla component EasyBook 2.0.0rc4 suffers from multiple persistent XSS vulnerabilities. One seems fairly critical, while the others would take some incredible creativity to actively exploit.
BBCode ...
9.
(Code/Joomla!)
The Joomla component ccBoard 1.1-RC suffers from a Cross-Site Scripting vulnerability if certain conditions are met. The forum must be set up to use the internal HTML editor and not bbCode. This is the ...
10.
(Code/Joomla!)
The Simplest Forum BBCode Plugin 1.0.0 Beta 2 for Joomla suffers from a persistent XSS vulnerability that allows arbitrary injection of CSS rules.
[color=#FF0000;font-size:100px]XSS[/color]
Timeline ...
11.
(Code/Joomla!)
...
' onmouseover='alert(String.fromCharCode(88,83,83))
' style='color:expression(alert(String.fromCharCode(88,83,83)))
[img] BBCode Tag XSS
[img]http://pick.a.big/image.png' onmousemove='javascript:alert(String.fromCharCode(88,83,83))[/img]
...
12.
(Comments/All)
Hi. Thanks for the info, but how can we disable bbcode? ...
13.
(Code/PHP)
Textpattern 4.0.8, a PHP based CMS, has a unique approach to allowing user styled input: Textile. This BBCode-type markup allows users to easily style comments. It is also vulnerable to XSS.
A few ...
14.
(Code/Joomla!)
The Joomla component Joo!BB 0.9.1 suffers from multiple persistent XSS vulnerabilities in its BBCode implementation, as well as Blind SQL Injection in its search feature.
Nested [img] XSS
[img]http://foo.com/fake.png ...
15.
(Code/Joomla!)
The Joomla component Agora 3.0.0 RC1 Rev.4 suffers from a Persistent XSS vulnerability. This can be exploited by uploading a malicious SWF file as an attachment then embedding it using the [swf] BBCode ...
16.
(Code/Joomla!)
Well, another XSS-vulnerable BBCode implementation, this time on JTag Ticketing System. This is the exact same vulnerability I posted about earlier concerning WebAmoeba.
[url=javascript:alert('xss ...
17.
(Code/Joomla!)
The Joomla component uddeIM is vulnerable to XSS injection in its BBCode implementation. Extra CSS parameters can be passed inside the [color] tag, and Internet Explorer versions before 8 will run scripts ...
18.
(Code/Joomla!)
... this vulnerability:
brackets, braces, spaces, and quotes cannot be used in payload
BBCode must be enabled
you probably have to have an account (as on most forums)
img url should be a known bad ...
19.
(Code/Joomla!)
I found a nice little exploit for WebAmoeba Ticket System 3.0.0, a Joomla help desk component. The vulnerability is with the BBCode library used to parse BBCode tags, as it does not strip javascript: urls ...
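Every result above is the same bug class: a BBCode tag argument ([url=...], [img]...[/img], [color=...]) is copied into an HTML attribute without validation or escaping, so a javascript: URL (#16, #19), a quote that closes the attribute (#11), extra CSS declarations or an IE expression() (#10, #17), or mismatched [url]/[img] nesting (#1, #2) ends up as live markup. The following is an added example written for this page, not code from JComments, uddeIM, WebAmoeba, JTag or any other extension listed here. naiveBBCode is a hypothetical converter that makes that mistake; safeBBCode is the same converter with escaping and per-argument allowlists. The SAMPLES payloads are constructed, modelled on the ones quoted in the results, and the example.com URLs are placeholders. suspiciousTags is a demonstration heuristic for showing the difference, not a sanitizer.

```javascript
// Added example for this page. naiveBBCode() is a hypothetical converter,
// not any Joomla extension's code; safeBBCode() is the hardened form.

// Constructed payloads modelled on the ones quoted in the search results.
const SAMPLES = {
  jsUrl:    "[url=javascript:alert(1)]click[/url]",                         // javascript: URL (#16, #19)
  imgQuote: "[img]http://x/a.png' onmousemove='alert(1)[/img]",             // quote breaks out of src (#11)
  colorCss: "[color=#FF0000;font-size:100px]XSS[/color]",                   // extra CSS declarations (#10, #17)
  nested:   "a[url=http://example.com]b[img]c='/onmouseover='alert(1)'/[/url]d[/img]e", // mismatched nesting (#1, #2)
  benign:   "[url=http://example.com][img]http://example.com/a.png[/img][/url] [color=red]ok[/color]",
};

// Vulnerable: tag arguments are pasted straight into single-quoted attributes.
function naiveBBCode(input) {
  return input
    .replace(/\[url=([^\]]+)\](.*?)\[\/url\]/gs, "<a href='$1'>$2</a>")
    .replace(/\[img\](.*?)\[\/img\]/gs, "<img src='$1' />")
    .replace(/\[color=([^\]]+)\](.*?)\[\/color\]/gs, "<span style='color:$1'>$2</span>");
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Allowlists for tag arguments: URLs must be http(s) with no whitespace or
// quote characters; colours are a hex triplet/sextet or a bare colour name.
const URL_RE   = /^https?:\/\/[A-Za-z0-9\-._~:\/?#@!$&*+,;=%()]+$/;
const COLOR_RE = /^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[A-Za-z]{1,20})$/;

// Hardened: escape the whole input first, then emit markup only for tags whose
// argument passes its allowlist; anything else stays literal text. Argument
// captures exclude < and > so a tag can never span HTML emitted by an earlier
// replacement, which is what defeats the mismatched [url]/[img] nesting trick.
function safeBBCode(input) {
  const arg = "([^\\[\\]<>]+)";
  return escapeHtml(input)
    .replace(new RegExp("\\[url=" + arg + "\\](.*?)\\[\\/url\\]", "gs"),
      (m, url, text) => URL_RE.test(url) ? `<a href="${url}">${text}</a>` : m)
    .replace(new RegExp("\\[img\\]" + arg + "\\[\\/img\\]", "g"),
      (m, src) => URL_RE.test(src) ? `<img src="${src}" alt="">` : m)
    .replace(new RegExp("\\[color=" + arg + "\\](.*?)\\[\\/color\\]", "gs"),
      (m, col, text) => COLOR_RE.test(col) ? `<span style="color:${col}">${text}</span>` : m);
}

// Demonstration heuristic only: tags carrying an event handler, a javascript:
// URL, or a style attribute with extra declarations or expression().
function suspiciousTags(html) {
  return (html.match(/<[^>]*>/g) || []).filter(tag =>
    /[\s\/]on\w+\s*=/i.test(tag) ||
    /javascript:/i.test(tag) ||
    /style=["'][^"']*(;|expression\s*\()/i.test(tag));
}

// Number of suspicious tags each converter produces for one input.
function compare(input) {
  return {
    naive: suspiciousTags(naiveBBCode(input)).length,
    safe:  suspiciousTags(safeBBCode(input)).length,
  };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const [name, input] of Object.entries(SAMPLES)) {
    console.log(name, compare(input), safeBBCode(input));
  }
}
```

Two design points carry the weight here. Escaping the entire input before tag matching means a quote in a tag argument can no longer close the attribute it lands in, and double-quoting the generated attributes makes the remaining entity forms harmless. The allowlists then handle what escaping cannot: a javascript: URL is well-formed HTML and only a scheme check rejects it, and a [color] value with a semicolon is only a CSS injection because the converter accepted more than a colour. Rejected tags are left as literal text rather than stripped, which is also what makes the failure visible to a moderator.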