NinkoBB 1.3RC5 Stored Cross Site Scripting

`# Exploit Title: NinkoBB 1.3RC5 stored XSS in Topic Subject field  
# Date: 26-1-2011  
# Author: Saif El-Sherei  
# Software Link: http://ninkobb.com/wiki/releases  
# Version: NinkoBB 1.3RC5  
# Tested on: Firefox 3.0.15, , IE 8  
# Vendor Notified: 26-1-2011, awaiting vendor response.  
# Google Dork: "Powered By NinkoBB"-->around 1,720 target  
  
Info:  
  
NinkoBB is an open source forum script written in the PHP language and uses  
a MySQL Database. NinkoBB is designed to be as simple as possible and  
provide you with the key features that you need, all the while keeping the  
space used on your server to a minimum. Built to be simple, small, and easy  
to use with a user friendly install for a quick setup, painless upgrade  
system, and easy to use admin panel for managing your forum. And includes  
support for categories, plugins, languages, and themes.  
  
Details:  
  
User can execute arbitrary JavaScript code within the vulnerable  
application.  
  
when adding a new topic the subject field is not properly sanitized in the  
message.php, an attacker could exploit this Bug to perform a Stored XSS  
attack; affecting anywhere in the application where the subject field will  
be displayed; for example in the:  
  
Homepage displaying the latest topics:  
  
http://evildomain.com/ninkobb/  
  
the Category page where the topic is posted:  
  
http://evildomain.com/ninkobb/?category=2  
  
Notes:  
  
the subject field in NinkoBb default installation has 32 characters length;  
but this could be changed in the administration control panel thus the  
attack POC would differ depending on the length limit.  
  
POC:  
  
<script>alert('XSS');</script>  
  
Regards,  
  
Saif El-Sherei  
  
OSCP  
`