Ghost's oEmbed API fetches metadata from external URLs such as images, videos, and other media. The API does not properly validate access to internal resources, allowing an attacker to exploit a Server-Side Request Forgery (SSRF).
Vulnerability
The vulnerability occurs when the /oembed endpoint is called with the type parameter set to 'bookmark'. This path uses the function fetchBookmarkData:
This function contains a conditional statement: when the type differs from the one named in the condition, it calls the function processImageFromUrl to process the icon and the thumbnail:
This function will use the function fetchImageBuffer to fetch the image buffer from the URL:
    async processImageFromUrl(imageUrl, imageType) {
        // Fetch image buffer from the URL
        const imageBuffer = await this.fetchImageBuffer(imageUrl);
        // ...
    }
This function performs the fetch without verifying either the content type of the response or the destination of the URL, so the server can be tricked into retrieving the content of any internal page reachable from the Ghost host.
Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.