Coordinated Disclosure Timeline
- 10/19/2020: Report sent to: firstname.lastname@example.org
- 10/20/2020: Ghost shares proposed fix
- 01/18/2021: Request status update from maintainers
- 2/11/2021: The fix is released in 3.41.1, and backported to the 2.x branch (2.38.3).
Ghost may be vulnerable to Open redirect attacks
Latest commit at the date of reporting.
If the redirect URL is under the control of an attacker, they can provide a URL whose path name starts with a double slash (or double backslash, slash followed by backslash, etc.). This will then be interpreted as an absolute URL without a protocol, and will redirect to an external site of the attacker’s choosing.
Open redirect. If the attacker can control the redirect URL, it could be possible to launch a phishing attack where the attacker sends a crafted link to someone with a Ghost blog that looks like it refers to one of their articles. When they click on the link, they’ll be taken to the login screen, enter their credentials, and then are redirected to wherever the attacker would like them to go.
This issue was discovered and reported by GitHub team member Max Schaefer.
You can contact the GHSL team at
email@example.com, please include
GHSL-2020-197 in any communication regarding this issue.