We have a self-hosted Ghost instance (running really well, I like it, thx!) and today I got 45 emails from the Ghost engine, saying that the Zapier integration failed. We don’t have any Zapier integrations set up.
Because of the URL-s the calls tried to reach, I think someone tried to attack the site authentication. (Failed request URL: /resources/ghost/api/canary/admin/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd)
Have you ever experienced something similar? Is there a way to close the Zapier port/connection?
Thanks for forwarding. I was mistaken, these emails are being sent from Ghost; I’d searched our codebase but didn’t find the related code because it was removed a couple of months ago because the notifications were mostly useless/incorrect.
Looking at the old code, it has a bug where a request to an old versioned Admin API endpoint with no query param and no auth header would trigger the version-mismatch email for the first API key in the database, which would always be the Zapier key.
In short, these requests are just the typical type of security-probing requests that every site on the public internet receives constantly. Aside from the incorrectly sent email, the request is harmless and just gets a 404 response. Nothing to worry about, and if you upgrade to a recent version of Ghost the notifications will go away.
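For triaging access logs, the failed request URL quoted in the first post is a double percent-encoded path traversal probe (`%252e` decodes to `%2e`, which decodes to `.`). The following is an added example, not code from either poster or from Ghost, that unwraps the encoding and flags such paths; the function names, `MAX_DECODE_ROUNDS` and the sample paths are assumptions of this sketch.

```javascript
// Added example: classify request paths shaped like the one in the thread.
const MAX_DECODE_ROUNDS = 5; // assumed cap so hostile input cannot loop us

// Percent-decode until the string stops changing, so "%252e" -> "%2e" -> "."
// is fully unwrapped. Returns the decoded path and the rounds it took.
function fullyDecode(path) {
  let current = path;
  let rounds = 0;
  while (rounds < MAX_DECODE_ROUNDS) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape: inspect what has been decoded so far
    }
    if (next === current) break;
    current = next;
    rounds += 1;
  }
  return { decoded: current, rounds };
}

// Flag paths that carry ".." segments or needed more than one decode round.
function classifyPath(rawPath) {
  const { decoded, rounds } = fullyDecode(rawPath);
  const segments = decoded.replace(/\\/g, '/').split('/');
  const dotDotCount = segments.filter((s) => s === '..').length;
  // Resolve segments to see whether the path climbs above the URL root.
  const resolved = [];
  let escapesRoot = false;
  for (const seg of segments) {
    if (seg === '' || seg === '.') continue;
    if (seg !== '..') resolved.push(seg);
    else if (resolved.length === 0) escapesRoot = true;
    else resolved.pop();
  }
  const multiEncoded = rounds > 1;
  const suspicious = dotDotCount > 0 || multiEncoded;
  return { decoded, rounds, dotDotCount, escapesRoot, multiEncoded, suspicious };
}

// Constructed samples: a shortened probe in the thread's pattern, and a
// normal path with one legitimate layer of encoding.
const SAMPLE_PROBE =
  '/resources/ghost/api/canary/admin/' + '%252e%252e/'.repeat(6) + '/etc/passwd';
const SAMPLE_BENIGN = '/tag/caf%C3%A9/';
```

Run `classifyPath` over the path field of each access-log entry; a path that is both multi-encoded and climbs above the root is scanner traffic of the kind described in the reply, and the 404 status in the same log line confirms it was not served.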