So, I just noticed a forum I regularly check into changed from phpBB to Invision Power Board, and in less than a day, I found an XSS (Cross-site scripting) vulnerability.
This was all jolly good and I had a few laughs with the admins as I changed the body font to Comic Sans in our private messages, but now it turns out that’s about as far as I can report it before I must register somewhere. I really can’t be bothered to register to report this issue, as the forum I’m on has disabled the offending BBCode, so I’ll just post it here.
The offending BBCode is the [twitter] BBCode, and the issue is that the user input isn’t properly sanitised, so it’s very easy to take advantage of this. From a hacker’s standpoint, you can’t do onload on an <a> tag, so instead I inlined some style on it and added an onmousemove event. I also made it self-destruct so as to be stealthier.
Here’s the code I conjured up as a result of this vulnerability, have fun:
[twitter]' style=font-size:0;width:5000px;height:5000px;position:absolute;margin-top:-1000px;margin-left:-1000px; onmousemove='body.style.fontFamily="Comic Sans MS"; this.parentNode.removeChild(this); //[/twitter]
Now I just have to wait until some moron does a little more damage with it than I did, and hopefully Invision Power will learn to make it easier to report security issues.
Yeah, and to solve the issue: Disable the Twitter BBCode until a patch is released.
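To make the bug and the fix concrete, here is an added example (mine, not part of the original post and not Invision Power Board’s code): a toy [twitter] BBCode renderer in Python written the naive way described above, next to a hardened one that only accepts something shaped like a Twitter handle and escapes it regardless. The function names, the tag regex and the probe input are all constructed for this illustration; the probe closes the quoted attribute and adds a harmless marker attribute, the same attribute-breakout pattern the payload above relies on.

```python
import html
import re

# Hypothetical [twitter] BBCode renderers written for this illustration;
# not Invision Power Board's implementation.

TWITTER_TAG_RE = re.compile(r"\[twitter\](.*?)\[/twitter\]", re.DOTALL)
# Real Twitter handles: 1-15 characters from letters, digits and underscore.
HANDLE_RE = re.compile(r"^[A-Za-z0-9_]{1,15}$")


def render_naive(post: str) -> str:
    """Drops the tag body straight into a single-quoted attribute.

    A ' in the body terminates the attribute, and everything after it is
    parsed by the browser as further attributes on the <a> element. This is
    the failure mode the post describes."""
    def repl(m):
        handle = m.group(1)
        return "<a href='https://twitter.com/%s'>@%s</a>" % (handle, handle)
    return TWITTER_TAG_RE.sub(repl, post)


def render_hardened(post: str) -> str:
    """Whitelists the handle and escapes it as well.

    Invalid bodies are rendered as inert escaped text instead of a link, so
    the reader sees what was typed but the browser never parses it as markup."""
    def repl(m):
        handle = m.group(1)
        if not HANDLE_RE.match(handle):
            # Show the raw tag as text; html.escape neutralises < > & ' and ".
            return html.escape(m.group(0), quote=True)
        # The whitelist already excludes quotes; escaping too means a later
        # relaxation of the whitelist cannot silently reintroduce the bug.
        safe = html.escape(handle, quote=True)
        return '<a href="https://twitter.com/%s">@%s</a>' % (safe, safe)
    return TWITTER_TAG_RE.sub(repl, post)


def injected_attributes(rendered: str) -> list:
    """Crude check for the demo: attribute names on the first <a> other than href."""
    m = re.search(r"<a\s([^>]*)>", rendered)
    if not m:
        return []
    names = re.findall(r"([A-Za-z-]+)=", m.group(1))
    return [n for n in names if n != "href"]


# Constructed inputs: a legitimate handle, and a probe that closes the quoted
# attribute and appends a harmless marker attribute.
GOOD_POST = "Follow me: [twitter]example_user[/twitter]"
PROBE_POST = "[twitter]' data-injected='1[/twitter]"

if __name__ == "__main__":
    print(render_naive(PROBE_POST))                        # marker attribute lands on the <a>
    print(injected_attributes(render_naive(PROBE_POST)))   # ['data-injected']
    print(render_hardened(PROBE_POST))                     # inert escaped text, no <a> at all
    print(render_hardened(GOOD_POST))                      # normal link for a real handle
```

The whitelist is the real fix: a Twitter handle can never legitimately contain a quote, a space or an equals sign, so anything that does is simply not rendered as a tag. The escaping is there so the renderer stays safe even if someone later loosens the pattern.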