Cross-Site Request Forgery (CSRF) in publify/publify

Valid

Reported on

Oct 9th 2021


Description

An attacker can craft a URL whose query parameters carry the theme-switching command. If a logged-in administrator is induced to open the link, the site's theme is changed with no confirmation step and no CSRF token: the switch is performed on a plain GET request, which Rails' protect_from_forgery does not cover (it only verifies non-GET/HEAD requests).

Proof of Concept

While logged in as an admin user, simply open the following URL (replace the hostname):

https://<HOSTNAME_HERE>/admin/themes/switchto?theme=bootstrap-2

A default installation ships two themes:

  • plain
  • bootstrap-2

Replace the value of the theme parameter with either theme name and that theme is activated; no confirmation or CSRF token is required, so the link can be triggered from any third-party page (for example as an image source).
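As an added illustration (not publify's own code, and not the fix referenced in the timeline below), the following plain-Ruby sketch contrasts the vulnerable pattern the PoC exploits, a state change performed on GET with no token, with a hardened handler that requires POST, checks a per-session CSRF token in constant time, and validates the theme name against the installed set. The controller class names, the `authenticity_token` field, the `Request` stand-in and the sample requests are assumptions constructed for the example.

```ruby
require "securerandom"

# Themes named in the report's default installation.
AVAILABLE_THEMES = %w[plain bootstrap-2].freeze

# Minimal stand-in for an HTTP request: verb, path, params and the session the
# browser attaches automatically via cookies (exactly what CSRF abuses).
Request = Struct.new(:method, :path, :params, :session, keyword_init: true)

# Vulnerable pattern (illustrative, not publify's code): the theme changes on a
# plain GET. Rails' protect_from_forgery skips GET/HEAD, so any logged-in admin
# who merely loads the link, or a page embedding it as <img src>, is affected.
class VulnerableThemesController
  attr_reader :active_theme

  def initialize(active_theme = "plain")
    @active_theme = active_theme
  end

  def switchto(request)
    return :unauthenticated unless request.session[:admin]

    @active_theme = request.params["theme"] # no method check, no token, no allow-list
    :switched
  end
end

# Hardened pattern: POST only, per-session token compared in constant time,
# and the theme must be one that is actually installed.
class HardenedThemesController
  attr_reader :active_theme

  def initialize(active_theme = "plain")
    @active_theme = active_theme
  end

  def switchto(request)
    return :unauthenticated unless request.session[:admin]
    return :method_not_allowed unless request.method == "POST"
    return :invalid_csrf_token unless valid_token?(request)

    theme = request.params["theme"]
    return :unknown_theme unless AVAILABLE_THEMES.include?(theme)

    @active_theme = theme
    :switched
  end

  private

  def valid_token?(request)
    expected = request.session[:csrf_token]
    given = request.params["authenticity_token"]
    return false if expected.nil? || given.nil?

    secure_equal?(expected, given)
  end

  # Constant-time comparison: XOR every byte pair and OR the results, so the
  # time taken does not leak the position of the first mismatch.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Issues the per-session token a legitimate admin form would embed.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constructed scenario: the admin's browser already holds a session cookie; the
# attacker controls only the request the browser is tricked into sending.
def demo
  admin_session = { admin: true }
  issue_csrf_token(admin_session)
  path = "/admin/themes/switchto"

  forged_get = Request.new(method: "GET", path: path,
                           params: { "theme" => "bootstrap-2" }, session: admin_session)
  forged_post = Request.new(method: "POST", path: path,
                            params: { "theme" => "bootstrap-2" }, session: admin_session)
  legitimate = Request.new(method: "POST", path: path,
                           params: { "theme" => "bootstrap-2",
                                     "authenticity_token" => admin_session[:csrf_token] },
                           session: admin_session)
  bogus_theme = Request.new(method: "POST", path: path,
                            params: { "theme" => "../../etc",
                                      "authenticity_token" => admin_session[:csrf_token] },
                            session: admin_session)

  vulnerable = VulnerableThemesController.new
  hardened = HardenedThemesController.new

  {
    vulnerable_forged: vulnerable.switchto(forged_get),   # :switched, theme silently changed
    vulnerable_theme: vulnerable.active_theme,            # "bootstrap-2"
    hardened_forged_get: hardened.switchto(forged_get),   # :method_not_allowed
    hardened_forged_post: hardened.switchto(forged_post), # :invalid_csrf_token
    hardened_bogus_theme: hardened.switchto(bogus_theme), # :unknown_theme
    hardened_legit: hardened.switchto(legitimate),        # :switched
    hardened_theme: hardened.active_theme                 # "bootstrap-2"
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The GET-to-POST change is what makes the token check effective: in a real Rails app the same effect comes from routing the action with `post` instead of `get` and leaving `protect_from_forgery` enabled, since the framework then verifies the authenticity token automatically. The allow-list check is a separate, defence-in-depth measure against the bricking scenario described under Impact.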

Impact

If an administrator follows a link that changes the site's theme, the site can be left broken: with more complex themes the theme's mapping may not work properly, so a forced, unreviewed switch can effectively brick the site's front end until an administrator switches back.

Timeline

  • We have contacted a member of the publify team and are waiting to hear back (a year ago)
  • Matijs van Zuijlen validated this vulnerability (a year ago)
  • TheLabda has been awarded the disclosure bounty
  • The fix bounty is now up for grabs (a year ago)
  • Matijs van Zuijlen confirmed that a fix has been merged on b4b740 (a year ago)
  • Matijs van Zuijlen has been awarded the fix bounty
  • themes_controller.rb#L23 has been validated