In-depth analysis of CVE: PodcastGenerator 3.2.9—Blind SSRF via XML Injection.

Application: Podcast Generator

Vulnerable Version: v3.2.9

Vulnerable version link: https://github.com/PodcastGenerator/PodcastGenerator/releases

Vulnerability Description:

Podcast Generator (PG) is an open-source content management system written in PHP, specifically designed for podcast publishing. It provides users with tools to easily manage all aspects of podcast publication, from uploading episodes to submitting them to the Podcast Index and iTunes store.

In this write-up, we'll explore a Blind Server-Side Request Forgery (SSRF) via XML injection attack in depth, including a practical understanding of the source code and payload.

Lab Setup:

Download the vulnerable application from the provided link. We'll use a localhost XAMPP server for this demonstration.

Download the XAMPP server: https://www.apachefriends.org/download.html

1. Set up the Apache and MySQL servers using XAMPP.
   
   
   
   
   
2. Unzip the downloaded Podcast Generator file to the server location:
   "C:\xampp\htdocs\<project name>".
   
   
   
   
   
3. Open your web browser and navigate to the URL where you uploaded the Podcast Generator files (e.g., http://localhost:8080/PodcastGenerator).
   
   
   
   
   

Source Code Analysis:

After logging into the application, you'll notice a feature called "Upload New Episode".

When adding a new episode, the application creates an XML file to store the data instead of using a database.

Since the application uses an XML file for data storage, we can attempt an XML entity injection attack. Further analysis reveals that the application lacks input validation on its parameters.

In the episodes_upload.php file, the $_POST['shortdesc'] function accesses data sent via an HTTP POST request from an HTML form, specifically the input named shortdesc (short description).

The strlen() PHP function calculates the string length, checking if the short description exceeds 255 characters. However, the $_POST['shortdesc'] input is passed directly into the strlen() function without sanitization or validation, potentially exposing the application to cross-site scripting or injection attacks.

Due to this lack of validation, we can perform an XML entity injection attack and escalate it to a blind SSRF attack. But first, let's understand what blind SSRF and XML entity injection attacks are.

Blind SSRF:

Blind SSRF vulnerabilities occur when an application makes a request to a back-end server, but the server's response isn't shown on the front-end.

To detect a Blind SSRF attack, we can trigger an HTTP request to an external system under our control and monitor for network interactions, such as using Burp Suite Collaborator.

XML Injection:

XML entity injection, also known as XML External Entity (XXE) attack, involves an attacker interacting with the server using XML data.

Some applications use XML format to exchange data between server and browser.

Using an XML injection attack, an attacker can perform various actions, such as retrieving sensitive files or conducting an SSRF attack via XXE.

Exploiting Blind SSRF:

As the application creates an XML file to store data, we can exploit this vulnerability by injecting an XML payload.

Payload:

test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test

When adding normal data, the application stores the short description input value in the <![CDATA[]]> section.

Note that the "testing" data is added to the CDATA section, and to balance the query, we must add the mentioned payload.

The image below shows the difference between adding normal data and the payload, demonstrating how to balance the payload to exploit the blind SSRF attack.

Payload Breakdown:

test]]></shortdescPG><imgPG path=""><http://localhost:3132></imgPG><shortdescPG><![CDATA[test

The <shortdescPG> tag uses CDATA, which likely just stores text and doesn't directly contribute to the SSRF.

The key part of the payload is the URL http://localhost:3132 inside the <imgPG> tag. If the application processes this payload by taking the content between the <imgPG> tags and performs a server-side request (e.g., to fetch an image or resource), an attacker can exploit this by sending the server to a location under their control (such as localhost, internal services, or external servers).

The URL http://localhost:2222 suggests the attacker is attempting to force the server to make a request to a local service on port 2222.

Exploitation Part:

Step 1. Log into the application using the URL:
http://localhost:8080/PodcastGenerator/admin/

Step 2. Navigate to "Upload New Episodes" under "Episodes".

Step 3. Add the following payload to the short description parameter, with the listener on port 2222, then click save:

payload:

test]]></shortdescPG><imgPG path=""><http://localhost:2222></imgPG><shortdescPG><![CDATA[test

Listen on the port using Netcat (NC) on port 2222

Step 4. Open the submitted podcast data and observe the response from the server.

WOOT!, We have successfully received the hit back from the server.

Mitigation Part: 

• Implement strict input validation and sanitization mechanisms to ensure that XML input from untrusted sources does not contain malicious content, including external entities.
• Always utilize a strong database so that the input is validated from both the server and the client sides.
• Ensure that all systems and applications are updated with the latest security patches offered by the vendor.

Hope you understand the blind SSRF via XML injection in depth.

Comments and suggestions are welcome.

LinkedIn: https://www.linkedin.com/in/sudeeplamsoge/
Twitter : https://x.com/SudeepLamsoge