SSD Advisory – Ghost CMS Multiple Vulnerabilities

Vulnerabilities Description
The following report describes four (4) different vulnerabilities found in Ghost CMS software, used in hundred of thousands of blog around the world. The vulnerabilities allows the attacker to disrupt the service and change the content of the blog.
Moreover is also possible to perform some kind of DoS ( Denial of Service ) attack if some condition are met.
The vulnerabilities are the following:

  • Change author of a blog entry ( this bypass a previous fix deployed in Ghost 0.5.9 )
  • Change PWD of an user without knowing the previous one ( the attacker must be logged as the user )
  • Disk exhaust is possible with any account


Identity Spoofing
This vulnerability allows an attacker to perform an identity spoofing of any other users. The attacker must have any account, if so, he can publish a blog’s entry with the name of any other accounts ( Owner and Admin included ). This was possible before version 0.5.9 and then it was supposed to be fixed. A bypass is here provided:
The fix was the following: https://github.com/TryGhost/Ghost/commit/0e80d77
core_server_models_post_js
As you can see the check is made only during the creation on the blog’s entry. It is not made, instead, during the update of a entry.
The attacker just need to create a blog’s entry, publish it and then update it spoofing the target ID.
Technical Details
The following request shows the process:
request_response
And this is the result on the blog:
this_is_a_author_post
Authentication bypass
This vulnerability allows an attacker to change the password of a user if he can get ( temporary ) access to the victim account.
Let’s suppose the attacker can hijack the victim session, he can now change the victim password, without knowing the previous one, in order to maintaining. The problem here is because during the update of the account information Ghost will overwrite all the field it finds on the requests which have the same name of the ones stored in the database, so we can inject a new field in the request named “password” which have the same name of the password field in the database and then Ghost CMS will overwrite it.
Technical Details
This request shows the process:
this_is_the_updated_database
DoS Disk Exhausting
This vulnerability allows an attacker to exhaust the disk of the server hosting the Ghost software.
This is possible because when an authenticated ( at any level of authentication ) user try to upload a whitelisted file ( a file not blacklisted by Ghost ), the file will be uploaded and the old version won’t be deleted, even if the file has the same name as the old one.
Finally it is important to notice, that the content of the file is not checked but only the extension. This means that an attacker can create a garbage file with .PNG/.JPG extension and upload it.
Technical Details
These requests show the process:
dos_screenshot_1
dos_screenshot_2
dos_screenshot_3
The server stores all the fake images:
dos_screenshot_result
Vendor Response

Hi,
thank you again for sharing the security report with us. We have fixed the following vulnerabilities:
Change author of a blog entry (https://github.com/TryGhost/Ghost/pull/5875)
Change PWD of an user without knowing the previous one (https://github.com/TryGhost/Ghost/pull/5867)
with the release of Ghost 0.7.1.
The problem of exhausting disk space is outside the scope of Ghost and won’t be addressed within the app for now. Disk space can be handled with quotas or file space monitoring within the operating system.
Thank you,
Sebastian