Summary

The files uploaded as evidence are exposed without authentication due to an issue with the Nginx web server configuration present in production environments. The nginx.conf file contains a location entry for /media that maps to Django's media storage.

Impact

Nginx does not enforce authentication, so anyone with network access to the Ghostwriter instance can access any evidence file for which they can determine the name and associated report ID number.

For example, someone who knows or can guess that a report with the ID 338 has an evidence file named 20240125-production-data.png can assemble a URL like this and view the evidence file:

https[:]//ghostwriter.local/media/evidence/338/20240125-production-data.png

Patches

Ghostwriter v4.0.6 resolved this issue by removing /media from the nginx.conf and implementing dedicated views and routes for all media files (e.g., evidence files, user avatars, and report templates). These new views require authentication and apply Ghostwriter's Role-Based Access Controls.

In v4.0.6+, evidence links look like this example URL: https[:]//ghostwriter.local/reporting/evidence/download/889

Reproduction Steps

1. Login as a user with access to a report on Ghostwriter =<v4.0.5.
2. Upload an image as an evidence file to a finding under that report.
3. On the evidence details page, copy the URL of the file by right-clicking the image and clicking Copy Image Link (or similar for the browser used).
4. Logout, open a private browsing window, or use a tool like curl and try to load the copied URL.