# Exploit Title: HtmlCommentBox Multiple Vulnerabilities # Release Date: 01/06/2013 # Author: Rafay Baloch And Deepankar Arora # Website: www.rafayhackingarticles.net # Contact: www.rafayhackingarticles.net # Vendor: www.htmlcommentbox.com # Versions Affected: All # Google Dork: intext:"by HtmlCommentBox" 1. Stored Cross-Site Scripting Vulnerability- Description: The comment input in HtmlCommentBox is not sanitized. Therefore it results in a stored cross-site scripting. POC: Input any of the following as comment- <img src=x onerror=prompt(0); <iframe/onload=prompt(0); <svg/onload=prompt(0); Fix: Better sanitization of the input. References: http://www.rafayhackingarticles.net/2013/05/introducing-evil-in-your-website-with_31.html 2. Reflected Cross-Site Scripting- Description: Implementing HTMLCommentBox makes your website vulnerable to a non persistent cross-site scripting. The vulnerable code is as follows: (which the users use on ther page) (function(){var s=document.createElement("script"),l=(""+window.location || hcb_user.PAGE),h="//www.htmlcommentbox.com";s.setAttribute("type","text/javascript");s.setAttribute("src",h+"/jread?page="+encodeURIComponent(l).replace("+","%2B")+"&opts=16862&num=10");if(typeof s!="undefined")document.getElementsByTagName("head")[0].appendChild(s);})() If we closely look at the window.location portion, we can see that encodeURIComponent allows single quotes. If we just replace window.location with our alert statement, it would triggered under the script context, Hence making the website vulnerable to a XSS attacks. And "/jread?page='-prompt(1)-'&opt=x&num=y" would be reflected under the page context. POC: http://www.htmlcommentbox.com/?'-prompt(1)-' Fix: Better sanitization by restricting special characters. References: http://www.rafayhackingarticles.net/2013/05/introducing-evil-in-your-website-with_31.html