diff --git a/docs/core/tasks.md b/docs/core/tasks.md index 142abb1..f583c39 100644 --- a/docs/core/tasks.md +++ b/docs/core/tasks.md @@ -32,6 +32,29 @@ Quick wins that unlock other work or provide immediate value. --- +### 38. Ghost CMS Security Update — ⚠️ URGENT +**Time:** 15-30 minutes +**Status:** PATCH IMMEDIATELY — 8 days exposed +**Priority:** Tier 0 — Critical Security +**Documentation:** `docs/tasks/ghost-security-update/` + +Ghost CMS at firefrostgaming.com is running v6.16.1, vulnerable to two active CVEs. No workaround exists — must update to 6.19.3. + +**CVEs:** +- CVE-2026-26980 (CVSS 9.4 Critical) — SQL injection in Content API, unauthenticated DB read +- CVE-2026-29784 (CVSS 7.5 High) — CSRF account takeover via session/verify endpoint + +**Key Deliverables:** +- Ghost updated to v6.19.3 on Ghost VPS (64.50.188.14) +- Site verified operational post-update +- Infrastructure manifest updated (Ghost CMS was undocumented) + +**Dependencies:** Requires SSH access to Ghost VPS (64.50.188.14) + +**See task directory for complete update procedure (CLI and Docker paths both documented).** + +--- + ### 1. Centralized Whitelist Manager Web Dashboard — ✅ COMPLETE **Time:** 2-2.5 hours (actual: ~4 hours over 2 sessions) **Status:** ✅ FULLY OPERATIONAL diff --git a/docs/tasks/ghost-security-update/README.md b/docs/tasks/ghost-security-update/README.md new file mode 100644 index 0000000..ce355e6 --- /dev/null +++ b/docs/tasks/ghost-security-update/README.md 
@@ -0,0 +1,44 @@ +# Ghost CMS Security Update — CVE-2026-26980 + CVE-2026-29784 + +**Status:** URGENT — PATCH IMMEDIATELY +**Owner:** Michael "Frostystyle" Krause +**Priority:** Tier 0 — Critical Security +**Created:** 2026-03-10 +**Created By:** Chronicler #29 + +--- + +## Situation + +Ghost CMS at firefrostgaming.com is running v6.16.1, which is vulnerable to two active CVEs. + +| CVE | Severity | Description | Fixed In | +|-----|----------|-------------|----------| +| CVE-2026-26980 | Critical (CVSS 9.4) | SQL injection in Content API — unauthenticated attackers can read arbitrary data from the database | 6.19.1 | +| CVE-2026-29784 | High (CVSS 7.5) | CSRF flaw on `/session/verify` endpoint — account takeover via phishing | 6.19.3 | + +**No application-level workaround exists for CVE-2026-26980.** Must update. + +**Exposure window:** March 2, 2026 (alert received) — present. Site is public-facing. + +**Target version: 6.19.3** (patches both CVEs) + +--- + +## Quick Links + +- [Deployment Plan](deployment-plan.md) — Step-by-step update procedure +- [Infrastructure Note](infrastructure-note.md) — Ghost CMS added to manifest + +--- + +## Infrastructure Note + +Ghost CMS was not previously documented in the infrastructure manifest. This update task also triggers an infrastructure manifest update to add Ghost CMS as a service on Ghost VPS. + +**Server:** Ghost VPS (64.50.188.14) +**URL:** https://firefrostgaming.com +**Admin:** https://firefrostgaming.com/ghost +**Version (vulnerable):** 6.16.1 +**Database:** MySQL 8 +**Environment:** Production diff --git a/docs/tasks/ghost-security-update/deployment-plan.md b/docs/tasks/ghost-security-update/deployment-plan.md new file mode 100644 index 0000000..1eacfa8 --- /dev/null +++ b/docs/tasks/ghost-security-update/deployment-plan.md 
@@ -0,0 +1,177 @@ +# Deployment Plan — Ghost CMS Security Update + +**Task:** Ghost CMS Security Update +**Document Type:** deployment-plan +**Status:** ACTIVE +**Last Updated:** 2026-03-10 +**Target Version:** 6.19.3 (patches CVE-2026-26980 + CVE-2026-29784) + +--- + +## Pre-Flight + +SSH into Ghost VPS: + +```bash +ssh root@64.50.188.14 +``` + +Check current Ghost version to confirm: + +```bash +ghost version +``` + +If `ghost` command not found, detect install method: + +```bash +which ghost +``` + +```bash +docker ps | grep ghost +``` + +```bash +find / -name "ghost" -type d 2>/dev/null | grep -v proc | head -10 +``` + +--- + +## Step 1 — Identify Install Method + +**If `ghost version` works → Ghost CLI install. Follow Path A.** + +**If `docker ps` shows a Ghost container → Docker install. Follow Path B.** + +--- + +## Path A: Ghost CLI Update (most likely) + +**Step 1 — Navigate to Ghost directory:** + +```bash +cd /var/www/ghost +``` + +**Step 2 — Run the update:** + +```bash +ghost update 6.19.3 +``` + +**Step 3 — Confirm version:** + +```bash +ghost version +``` + +**Step 4 — Check status:** + +```bash +ghost status +``` + +Expected output: Ghost is running, version 6.19.3 + +--- + +## Path B: Docker Update + +**Step 1 — Find the compose file:** + +```bash +find / -name "docker-compose.yml" 2>/dev/null | xargs grep -l ghost +``` + +**Step 2 — Navigate to it:** + +```bash +cd /path/to/ghost/compose/ +``` + +**Step 3 — Update the image tag in docker-compose.yml:** + +Change: +``` +image: ghost:6.16.1 +``` +To: +``` +image: ghost:6.19.3 +``` + +**Step 4 — Pull and restart:** + +```bash +docker-compose pull +``` + +```bash +docker-compose up -d +``` + +**Step 5 — Confirm:** + +```bash +docker ps | grep ghost +``` + +--- + +## Post-Update Verification + +**Check the admin panel loads:** + +``` +https://firefrostgaming.com/ghost +``` + +**Verify version in admin footer — should read 6.19.3** + +**Check site is serving correctly:** + +``` 
+https://firefrostgaming.com +``` + +**Check Ghost process is healthy:** + +```bash +ghost status +``` + +--- + +## If Something Goes Wrong + +**Ghost CLI rollback:** + +```bash +ghost update --rollback +``` + +**Check logs:** + +```bash +ghost log +``` + +**Ghost service restart:** + +```bash +ghost restart +``` + +--- + +## Completion Checklist + +- [ ] SSH into Ghost VPS +- [ ] Confirmed current version (6.16.1) +- [ ] Identified install method (CLI or Docker) +- [ ] Updated to 6.19.3 +- [ ] Confirmed version in admin panel footer +- [ ] Site loading correctly post-update +- [ ] Update task status to COMPLETE +- [ ] Update infrastructure manifest with Ghost CMS entry
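Review bot: In the `docs/core/tasks.md` hunk, the new entry is headed `### 38.` but is inserted directly above `### 1.`, so the task list is no longer in numeric order and the "Quick wins" section heading above it no longer fits a Tier 0 security task; either renumber or place the block in a dedicated "Critical / urgent" section. The status line `PATCH IMMEDIATELY — 8 days exposed` hardcodes a day count that is stale the moment it is committed; state the alert date instead (`exposed since 2026-03-02`) and let the reader compute the window. The deliverables list also lacks a pre-update backup or VPS snapshot, which the deployment plan should require before `ghost update`.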
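Review bot: The `README.md` hunk links to `infrastructure-note.md` under Quick Links, but this patch only adds `README.md` and `deployment-plan.md`; the infrastructure note is written inline further down the same file, so the link is dead. Either add the file or change the link to the in-page `## Infrastructure Note` section. The "Exposure window" line dates exposure from when the alert was received (March 2), but the site was exposed from whenever the vulnerable 6.16.1 build went live relative to disclosure, which is earlier; reword it as "known since 2026-03-02" so the record does not understate the window. The table's "Fixed In" column (6.19.1 for the SQLi, 6.19.3 for the CSRF) is consistent with the 6.19.3 target; it would help to add one line saying that 6.19.3 is chosen because 6.19.1 leaves CVE-2026-29784 open.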
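Review bot: The `deployment-plan.md` hunk has no backup step before the update and no rollback for the Docker path. Before `ghost update 6.19.3` (Path A) or `docker-compose up -d` (Path B), add a step to snapshot the VPS or dump the MySQL database and the Ghost content directory, since `ghost update --rollback` in the "If Something Goes Wrong" section only covers Path A; for Path B the rollback is reverting the `image:` tag to the previous value and running `docker-compose up -d` again, and that should be written down. In the Pre-Flight section the plan logs in as `root@64.50.188.14` and then runs `ghost version` / `ghost update` directly, but Ghost CLI refuses to run as root, so the CLI steps need a `sudo -i -u <ghost service user>` (or `su`) step before `cd /var/www/ghost`. In Path B Step 3, the compose file may not pin `ghost:6.16.1` literally (tags such as `ghost:6` or `ghost:latest` are common), so the instruction should say to inspect the current `image:` line and the mounted content volume before editing, rather than assuming the exact string. Finally, the Post-Update Verification checks only that the admin panel and site load; add a check that `ghost version` (or `docker ps` image tag) reports 6.19.3 on the server itself, since the admin footer can be cached.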