# Exploit Title: HtmlCommentBox Multiple Vulnerabilities
# Release Date: 01/06/2013
# Author: Rafay Baloch And Deepankar Arora
# Website: www.rafayhackingarticles.net
# Contact: www.rafayhackingarticles.net
# Vendor: www.htmlcommentbox.com
# Versions Affected: All
# Google Dork: intext:"by HtmlCommentBox"

1. Stored Cross-Site Scripting Vulnerability-

Description:
The comment input in HtmlCommentBox is not sanitized. Therefore it results
in a stored cross-site scripting.

POC:
Input any of the following as comment-

<img src=x onerror=prompt(0);
<iframe/onload=prompt(0);
<svg/onload=prompt(0);

Fix:
Better sanitization of the input.

References:
http://www.rafayhackingarticles.net/2013/05/introducing-evil-in-your-website-with_31.html

2. Reflected Cross-Site Scripting-

Description:
Implementing HTMLCommentBox makes your website vulnerable to a non
persistent cross-site scripting.

The vulnerable code is as follows: (which the users use on ther page)


(function(){var s=document.createElement("script"),l=(""+window.location ||
hcb_user.PAGE),h="//www.htmlcommentbox.com";s.setAttribute("type","text/javascript");s.setAttribute("src",h+"/jread?page="+encodeURIComponent(l).replace("+","%2B")+"&opts=16862&num=10");if(typeof
s!="undefined")document.getElementsByTagName("head")[0].appendChild(s);})()


If we closely look at the window.location portion, we can see that
encodeURIComponent allows single quotes. If we just replace window.location
with our alert statement, it would triggered under the script context,
Hence making the website vulnerable to a XSS attacks. And
"/jread?page='-prompt(1)-'&opt=x&num=y" would be reflected under the page
context.


POC:
http://www.htmlcommentbox.com/?'-prompt(1)-'

Fix:
Better sanitization by restricting special characters.

References:
http://www.rafayhackingarticles.net/2013/05/introducing-evil-in-your-website-with_31.html