lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 18 Jan 2017 14:28:47 -0300
From: Patrick <patrick.costa@...pest.com.br>
To: fulldisclosure@...lists.org
Subject: [FD] Persistent XSS in Ghost 0.11.3

=====[ Tempest Security Intelligence - ADV-9/2017 ]========================
 
  Persistent Cross-Site Scripting (XSS) in Ghost
  -------------------------------------------------------
  Author:
    - Patrick Costa < patrickrbcosta () gmail.com >

    Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents ]=================================================

  1. Overview
  2. Detailed description   
  3. Affected versions & Solutions   
  4. Timeline of disclosure   
  5. Thanks & Acknowledgements 
  6. References

=====[ Overview ]==========================================================
 
  * System affected : Ghost Blog [1]
  * Version         : 0.11.3 previous versions or models may also be
                      affected. [2]
  * Impact          : This vulnerability allows an attacker to use Ghost's
                      platform to deliver attacks against other users.

=====[ Detailed description ]==============================================

  Ghost version 0.11.3 is vulnerable to persistent cross-site scripting
  (XSS) because it fails to securely handle user data, thus making it
  possible for an attacker to supply crafted input in order to harm third
  party users.
 
  The affected point is the website input field located within the "Your
  profile" page.  In order to reproduce the vulnerability, access the URL
  http(s)://{{ blog URL }}/ghost/team/{{ user slug }}/ and edit the user
  website inserting the following payload:

  {{ valid URL }}/</script><script>alert(1)</script>

  Save changes and visit any post created by this author or the author's
  page at http(s)://{{ blog URL}}/author/{{ user slug }}/.

  It is worth noting that the issue may affect users regardless of
  privilege levels, since the malicious page can be browsed by an admin,
  the owner or a regular visitor.

=====[ Aggravating factors ]===============================================

  The session token of an authenticated user is accessible through
  JavaScript.

=====[ Affected versions & Solutions ]=====================================

  The vulnerability is addressed and the fix is part of the 0.11.4 release.

=====[ Timeline of disclosure ]============================================

  12/27/2016 - Reported vulnerability to security@...st.org.
  01/10/2017 - Ghost team applied patch.
  01/12/2017 - Ghost team answered the email acknowledging the
vulnerability.
  01/18/2017 - Advisory publication date.

=====[ Thanks & Acknowledgements ]=========================================

  - Tempest Security Intelligence [3]
  - Tempest Hammerhead Team

=====[ References ]========================================================

  [1] https://ghost.org/
  [2] https://github.com/TryGhost/Ghost/releases/tag/0.11.3
  [3] http://www.tempest.com.br/


View attachment "Ghost-ADV.txt" of type "text/plain" (2806 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists