Lack of Frame Protections and Origin Checking Leads to Ghost Admin XSS
Original Post:
We discussed this vulnerability during Episode 79 on 06 September 2021
Ghost 4.0.0 added a theme preview feature to the admin panel's front-end. The preview page contains a message event listener for postMessage(), which takes any message it receives and writes it directly into the page contents. There is no verification of the message's origin, nor are any frame options set or frame-ancestors set in the CSP.
Because the page can be framed by any attacker-controlled page, and any JavaScript in the message is written into the page and executed, this provides an easy XSS vector to perform any action as a logged-in admin.
Patch: The patch here was to remove that code altogether, though the blog post authors point out that to properly fix this, the origin just needed to be checked.
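The listener pattern described above and the origin check the blog post authors recommend, as an added example that is not Ghost's code. The DOM is replaced by a plain object so it runs under Node; the admin origin, the message contents and the header values are assumptions, not taken from the advisory.

```javascript
// Assumed origin of the admin panel / preview page (not from the original post).
const ADMIN_ORIGIN = 'https://blog.example.com';

// Stand-in for a DOM element so the handlers can run outside a browser.
function makePage() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable pattern: the preview page can be framed by any site (no
// frame-ancestors / X-Frame-Options), and the handler writes whatever
// is posted straight into the document as markup, whoever sent it.
function vulnerableListener(page) {
  return (event) => {
    page.innerHTML = event.data; // no origin check; markup is interpreted
    return true;
  };
}

// Hardened pattern: accept only messages from the expected origin and
// treat the payload as data, never as HTML.
function hardenedListener(page, allowedOrigin = ADMIN_ORIGIN) {
  return (event) => {
    if (event.origin !== allowedOrigin) return false; // drop foreign messages
    if (typeof event.data !== 'string') return false; // only plain strings
    page.textContent = event.data; // inert text, not parsed as markup
    return true;
  };
}

// Response headers the preview page should send so arbitrary sites cannot
// frame it at all (defence in depth alongside the origin check).
function framingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'self'",
    'X-Frame-Options': 'SAMEORIGIN',
  };
}

// Constructed sample messages: one from a foreign framing page, one from
// the admin panel itself. Both are illustrative, not captured traffic.
const foreignMessage = { origin: 'https://attacker.example', data: '<b>injected markup</b>' };
const legitMessage = { origin: ADMIN_ORIGIN, data: 'Preview updated' };
```

The vulnerable handler accepts `foreignMessage` and stores it as markup; the hardened one rejects it and only stores `legitMessage` as text.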