Code Injection in publify/publify
Feb 11th 2022
The application does not check or filter the comments provided by the user before saving them to the database. An attacker cannot insert JavaScript to steal the admin's data, but can insert HTML code, which leads to several information security risks.
Proof of Concept
- Step 1: Go to https://demo-publify.herokuapp.com/2022/02/11/hello-world#comments and post the following comment as an anonymous user:
<img src=https://www.technistone.com/color-range/image-slab/Starlight%20Black_SLAB_web.jpg width="2000" height="2000">
- Step 2: Log in as the demo user and go to https://demo-publify.herokuapp.com/admin/feedback. The HTML code has been rendered successfully.
- PoC: https://drive.google.com/file/d/1RSuq7fsyJPrbNHqlZ9pRW3lgXAvmOrQf
An attacker can insert HTML code to break the website's layout, mount phishing, or collect the admin's IP address by loading images through img tags.
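The two defender-side controls that address this report are a check that flags comment bodies containing markup (so moderators see them before they render in the admin feedback view) and output escaping so stored comments render as literal text. The Ruby script below is an added example, not publify's own code: it uses only the standard-library `ERB::Util.html_escape` (a Rails application would normally reach for the `h`/`sanitize` view helpers instead), the sample comments are constructed, and the image URL is a placeholder rather than the one in the report.

```ruby
require 'erb'

# Constructed sample comment bodies. The second one mirrors the shape of the report's
# payload (a remote image with oversized dimensions) but points at a placeholder host.
SAMPLE_COMMENTS = [
  'Nice post, thanks!',
  '<img src=https://example.invalid/x.jpg width="2000" height="2000">',
  'Check <a href="https://example.invalid/login">this</a>',
  'Use 1 < 2 in math'  # a bare "<" is not a tag and must not be flagged
].freeze

# Matches an opening or closing HTML tag and captures its name.
TAG_RE = /<\s*\/?\s*([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/

# Tags that matter in a stored-HTML scenario: anything that loads a remote resource
# (leaking the viewer's IP) or plants a link/form the admin might interact with.
RISKY_TAGS = %w[img a form iframe script object embed video audio svg link meta base style].freeze

# Returns the distinct, lower-cased tag names found in a raw comment body.
def html_tags_in(body)
  body.scan(TAG_RE).flatten.map(&:downcase).uniq
end

# True when the comment contains at least one tag from the risky list.
def risky_comment?(body)
  (html_tags_in(body) & RISKY_TAGS).any?
end

# Mitigation: render the stored body as text, so "<img ...>" is shown, not executed.
def render_comment(body)
  ERB::Util.html_escape(body)
end

# One moderation row per comment: what was found and what would be rendered.
def moderation_report(comments)
  comments.map do |c|
    { raw: c, tags: html_tags_in(c), risky: risky_comment?(c), rendered: render_comment(c) }
  end
end

if __FILE__ == $0
  moderation_report(SAMPLE_COMMENTS).each { |row| puts row.inspect }
end
```

The detector is deliberately simple (a regex over tag names) and is meant as a moderation signal, not as a sanitizer; the escaping step is what actually removes the rendering risk, and it is applied at output time so the database can keep the original text for review.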
Matijs van Zuijlen validated this vulnerability a year ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
Matijs van Zuijlen commented a year ago
A fix has been merged and will be released soon.
We have sent a third and final fix follow up to the publify team. This report is now considered stale. a year ago
Matijs van Zuijlen marked this as fixed in 9.2.8 with commit b50df0 10 months ago
This vulnerability will not receive a CVE