Improper Authorization in publify/publify

Valid

Reported on Oct 11th 2021

Description

I found an IDOR in publify, but I don't know whether this is intended or not?

If we assume that admins or publishers want to upload a media file, not publish it, and keep it private until the publish date, there is an IDOR vulnerability here.

For example, I upload a .gif file and this file is not used anywhere on my site:

Here is the link:

https://demo-publify.herokuapp.com/files/resource/9/medium_1.gif

Any user can see and download this file.
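The report above describes an object-level authorization gap: a media resource is reachable by anyone who knows its numeric id, even before its publish date. The following is an added illustration of the kind of check a file-serving endpoint would need to close such a gap; it is not publify's own code, and the `Resource`/`User` structs, the `RESOURCES` table and the `medium_<id>.gif` filename convention are constructed for the example.

```ruby
# Added example: object-level authorization for serving uploaded media by id.
# Illustrative code only, not publify's implementation; the data model below
# (Resource, User, their fields) is an assumption made for this example.
require 'time'

Resource = Struct.new(:id, :owner_id, :published_at, keyword_init: true)
User     = Struct.new(:id, :admin, keyword_init: true)

# Constructed sample rows standing in for database records:
# id 9 is scheduled far in the future (still private), id 10 is already public.
RESOURCES = {
  9  => Resource.new(id: 9,  owner_id: 1, published_at: Time.parse('2099-01-01T00:00:00Z')),
  10 => Resource.new(id: 10, owner_id: 1, published_at: Time.parse('2021-01-01T00:00:00Z'))
}.freeze

# Returns true when `user` (nil for an anonymous visitor) may download
# `resource` at time `now`. A published resource is public; an unpublished
# one is visible only to its uploader or to an admin.
def can_download?(user, resource, now: Time.now.utc)
  return false if resource.nil?
  return true if resource.published_at && resource.published_at <= now
  return false if user.nil?

  user.admin || user.id == resource.owner_id
end

# Models a /files/resource/:id/:filename endpoint: look the row up by id,
# run the authorization check, then return an HTTP-style [status, body].
# Answering 404 for both "missing" and "forbidden" avoids confirming to an
# unauthorized caller that a private id exists.
def serve_resource(user, id, now: Time.now.utc)
  resource = RESOURCES[id]
  return [404, nil] unless can_download?(user, resource, now: now)

  [200, "medium_#{resource.id}.gif"] # constructed filename convention
end

if __FILE__ == $PROGRAM_NAME
  now   = Time.parse('2021-10-11T00:00:00Z') # the report date, as a fixed clock
  owner = User.new(id: 1, admin: false)
  other = User.new(id: 2, admin: false)
  admin = User.new(id: 3, admin: true)

  puts serve_resource(nil,   9,  now: now).inspect # anonymous, private  -> [404, nil]
  puts serve_resource(owner, 9,  now: now).inspect # uploader, private   -> [200, ...]
  puts serve_resource(other, 9,  now: now).inspect # other user, private -> [404, nil]
  puts serve_resource(admin, 9,  now: now).inspect # admin, private      -> [200, ...]
  puts serve_resource(nil,   10, now: now).inspect # anonymous, public   -> [200, ...]
end
```

The decisive point is that the check is made per object (owner and publish state of the specific row), not merely per route: a caller being logged in, or the id being hard to guess, is not a substitute. Returning the same 404 for unknown and unauthorized ids also keeps the endpoint from acting as an oracle for which private ids exist.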

We have contacted a member of the publify team and are waiting to hear back 2 months ago
Matijs
2 months ago

Maintainer

No suggestion of privacy is made, I think. However, a user who knows nothing about the web may be confused.

amammad
2 months ago

Researcher

Can I ask you to validate this report?

Matijs van Zuijlen validated this vulnerability a month ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Matijs van Zuijlen confirmed that a fix has been merged on 332aba a month ago
Matijs van Zuijlen has been awarded the fix bounty