skip to content
Back to GitHub.com
Home Bounties CodeQL Research Advisories Get Involved Events
February 12, 2021

GHSL-2020-197: Open redirect vulnerability in Ghost

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

Ghost may be vulnerable to Open redirect attacks

Product

Ghost

Tested Version

Latest commit at the date of reporting.

Details

This line redirects to the path name of a redirect URL stored in a query parameter.

If the redirect URL is under the control of an attacker, they can provide a URL whose path name starts with a double slash (or double backslash, slash followed by backslash, etc.). This will then be interpreted as an absolute URL without a protocol, and will redirect to an external site of the attacker’s choosing.

Impact

Open redirect. If the attacker can control the redirect URL, it could be possible to launch a phishing attack where the attacker sends a crafted link to someone with a Ghost blog that looks like it refers to one of their articles. When they click on the link, they’ll be taken to the login screen, enter their credentials, and then are redirected to wherever the attacker would like them to go.

Credit

This issue was discovered and reported by GitHub team member Max Schaefer.

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-197 in any communication regarding this issue.