Metadata Is Not Stripped From Images in publify/publify
Valid
Reported on May 22nd 2022
- While uploading an image on https://demo-publify.herokuapp.com/admin/resources as a low privileged user, the metadata of the image like geolocation, device information, version, name etc. is not getting stripped. As a result, the attacker can collect all the metadata information of the image by using tools like exif tool, metadata checker etc. which are publicly available.
Steps to reproduce:
- Login as demo user
- Go to https://demo-publify.herokuapp.com/admin/resources
- Upload any images on the media library
- Copy the url by clicking on "original size" or open the image in new tab
- Go to http://exif-viewer.com and check the image metadata by pasting the copied link; all the sensitive information got disclosed publicly
Patch recommendation:
- Remove the meta data from uploaded images
Impact
- This vulnerability impacts all users on publify. This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads the images
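One way to implement the patch recommendation for JPEG uploads, as an added example that is not part of the original report and is not publify's code: walk the JPEG segment list and drop the segments that carry Exif, XMP, IPTC and comment data before the file is stored. The names strip_jpeg_metadata, segment and SAMPLE are hypothetical, the sample bytes are constructed, and metadata placed after the first scan is assumed absent.

```ruby
# Added example, not publify code. Removes metadata-bearing JPEG segments:
# APP1 (Exif, XMP), APP13 (Photoshop/IPTC) and COM (comments). APP0 (JFIF),
# APP2 (ICC profile) and APP14 (Adobe) stay, since decoders need them.
METADATA_MARKERS = [0xE1, 0xED, 0xFE].freeze
SOI = "\xFF\xD8".b

def strip_jpeg_metadata(bytes)
  data = bytes.b
  raise ArgumentError, "not a JPEG" unless data.start_with?(SOI)
  out = SOI.dup
  pos = 2
  while pos + 1 < data.bytesize
    raise ArgumentError, "expected marker at offset #{pos}" unless data.getbyte(pos) == 0xFF
    marker = data.getbyte(pos + 1)
    if marker == 0xFF                                   # fill byte, skip it
      pos += 1
    elsif marker == 0xDA || marker == 0xD9              # SOS or EOI: copy the rest as is
      return out << data.byteslice(pos, data.bytesize - pos)
    elsif marker == 0x01 || (0xD0..0xD7).cover?(marker) # markers with no length field
      out << data.byteslice(pos, 2)
      pos += 2
    else
      len = data.byteslice(pos + 2, 2).to_s.unpack1("n")
      raise ArgumentError, "bad segment length" if len.nil? || len < 2 || pos + 2 + len > data.bytesize
      out << data.byteslice(pos, 2 + len) unless METADATA_MARKERS.include?(marker)
      pos += 2 + len
    end
  end
  raise ArgumentError, "truncated JPEG: no image data found"
end

# Constructed sample: the segment layout of a JPEG, not a decodable picture.
def segment(marker, payload)
  [0xFF, marker, payload.bytesize + 2].pack("CCn") + payload.b
end

SAMPLE = SOI +
  segment(0xE0, "JFIF\0\x01\x01\0\0\x01\0\x01\0\0") +
  segment(0xE1, "Exif\0\0constructed GPS 12.97N 77.59E") +
  segment(0xFE, "shot on ExamplePhone") +
  segment(0xDB, "\0" * 65) +
  segment(0xDA, "\0" * 10) + "\x12\x34\xFF\xD9".b

clean = strip_jpeg_metadata(SAMPLE)
puts "#{SAMPLE.bytesize} -> #{clean.bytesize} bytes, Exif left: #{clean.include?('Exif'.b)}"
```

Other upload formats (PNG text chunks, HEIC, TIFF) keep metadata in different containers and need their own handling, so an upload pipeline should strip per format or reject formats it cannot clean.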
We are processing your report and will contact the publify team within 24 hours.
10 months ago
The researcher's credibility has increased: +7
We have sent a fix follow up to the publify team. We will try again in 7 days.
7 months ago
We have sent a second fix follow up to the publify team. We will try again in 10 days.
7 months ago
We have sent a third and final fix follow up to the publify team. This report is now considered stale.
7 months ago
@maintainer can you please make this report public, then only the CVE will be published, thanks
Hey Akshay! We can only do that if you show us that this vulnerability has been fixed and published on GitHub otherwise we have to wait on the maintainer.... We can't violate responsible disclosure
Hey Akshay, sorry for not getting back on this sooner. For some reason I didn't get any notifications from the messages starting 3 months ago. I will be releasing a fix for this in the coming weeks.