MyBB 1.6.12 POST XSS 0day

This is a weird bug I found in MyBB. I fuzzed the input of the search.php file. This was my input given.

alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload

MyBB throws out a SQL error:

SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1 AND t.closed NOT LIKE 'moved|%'
AND (  LOWER(t.subject) LIKE '%&lt;foo&gt; &lt;h1&gt; &lt;script&gt; alert (bar) () ; //%'  LOWER(t.subject)
LIKE '%&gt; &lt; prompt \x41 \%42 constructor onload%')


My Joomla XSS 0days

Last October 2013 I found some XSS vulnerabilities in Joomla! 3.1.2. Anyhow the affected versions were Joomla! version 2.5.14 and earlier 2.5.x versions and version 3.1.5 and earlier 3.0.x
versions. Actually all these XSS vulnerabilities existed on fields where we can insert links starting with http://. I first did a simple fuzz to test the output.

<foo> </bar> '" > <> ; () //

What I noticed was that it does filter out tags but still we can take advantage of these non-filtered characters. Of course we can use event handlers in JavaScript to trigger XSS.

‘; ()//"


Persistent XSS in com_contact

To reproduce this issue follow these steps.