Coordinated Disclosure Timeline
- 10/19/2020: Report sent to: security@ghost.org
- 10/20/2020: Ghost shares proposed fix
- 01/18/2021: Request status update from maintainers
- 02/11/2021: The fix is released in 3.41.1, and backported to the 2.x branch (2.38.3).
Summary
Ghost may be vulnerable to Open redirect attacks
Product
Ghost
Tested Version
Latest commit at the date of reporting.
Details
The affected line redirects to the path name of a redirect URL stored in a query parameter.
If the redirect URL is under the control of an attacker, they can provide a URL whose path name starts with a double slash (or a double backslash, a slash followed by a backslash, etc.). The browser interprets such a path as a protocol-relative absolute URL, so the redirect leads to an external site of the attacker's choosing instead of a path on the Ghost site.
Impact
Open redirect. If the attacker can control the redirect URL, it could be possible to launch a phishing attack where the attacker sends a crafted link to someone with a Ghost blog that looks like it refers to one of their articles. When they click on the link, they’ll be taken to the login screen, enter their credentials, and then are redirected to wherever the attacker would like them to go.
Credit
This issue was discovered and reported by GitHub team member Max Schaefer.
Contact
You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-197 in any communication regarding this issue.