HtmlCommentBox Cross Site Scripting Vulnerability

2013-06-03T00:00:00
ID 1337DAY-ID-20838
Type zdt
Reporter Rafay Baloch
Modified 2013-06-03T00:00:00

Description

HtmlCommentBox suffers from both persistent and reflective cross site scripting vulnerabilities.

                                        
                                            # Exploit Title: HtmlCommentBox Multiple Vulnerabilities
# Release Date: 01/06/2013
# Author: Rafay Baloch And Deepankar Arora
# Website: www.rafayhackingarticles.net
# Contact: www.rafayhackingarticles.net
# Vendor: www.htmlcommentbox.com
# Versions Affected: All
# Google Dork: intext:"by HtmlCommentBox"

1. Stored Cross-Site Scripting Vulnerability-

Description:
The comment input in HtmlCommentBox is not sanitized. Therefore it results
in a stored cross-site scripting.

POC:
Input any of the following as comment-

<img src=x onerror=prompt(0);
<iframe/onload=prompt(0);
<svg/onload=prompt(0);

Fix:
Better sanitization of the input.

References:
http://www.rafayhackingarticles.net/2013/05/introducing-evil-in-your-website-with_31.html

2. Reflected Cross-Site Scripting-

Description:
Implementing HTMLCommentBox makes your website vulnerable to a non
persistent cross-site scripting.

The vulnerable code is as follows: (which the users use on ther page)


(function(){var s=document.createElement("script"),l=(""+window.location ||
hcb_user.PAGE),h="//www.htmlcommentbox.com";s.setAttribute("type","text/javascript");s.setAttribute("src",h+"/jread?page="+encodeURIComponent(l).replace("+","%2B")+"&opts=16862&num=10");if(typeof
s!="undefined")document.getElementsByTagName("head")[0].appendChild(s);})()


If we closely look at the window.location portion, we can see that
encodeURIComponent allows single quotes. If we just replace window.location
with our alert statement, it would triggered under the script context,
Hence making the website vulnerable to a XSS attacks. And
"/jread?page='-prompt(1)-'&opt=x&num=y" would be reflected under the page
context.


POC:
http://www.htmlcommentbox.com/?'-prompt(1)-'

Fix:
Better sanitization by restricting special characters.

References:
http://www.rafayhackingarticles.net/2013/05/introducing-evil-in-your-website-with_31.html

#  0day.today [2018-01-03]  #