Use of Cache Containing Sensitive Information in publify/publify

Valid

Reported on

Oct 8th 2021


Description
publify does not send Cache-Control headers that prevent the browser from caching authenticated (admin) pages.

Proof of Concept
1: Log in to the application
2: Click the admin link https://demo-publify.herokuapp.com/admin
3: Log out
4: Press the back button of the open tab; the admin page is still visible because the browser serves it from its cache.
Impact
Sensitive page data is stored in the browser cache, so anyone with physical access to the browser can press the back button after logout and reveal the information.

Recommended Fix
Add the Cache-Control header containing 'no-store' and 'no-cache' directives.
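One way to apply that fix in a Rack-based app such as a Rails site, as an added example that is not publify's own code or the patch that was merged: a middleware that marks responses under the assumed "/admin" prefix as non-cacheable, plus a small check that tells the two directives apart (only no-store keeps a response out of the cache; no-cache merely forces revalidation).

```ruby
# Added example (not publify's code). Assumes the Rack call(env) interface
# and that authenticated pages live under "/admin"; keying off the session
# instead of the path would be the more general choice.
class NoStoreForAdmin
  ADMIN_PREFIX = "/admin".freeze
  # no-store: do not persist the response; no-cache: revalidate before reuse.
  NO_STORE = "no-store, no-cache".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if sensitive?(env["PATH_INFO"].to_s)
      headers = headers.dup
      headers["Cache-Control"] = NO_STORE
      headers["Pragma"] = "no-cache" # for HTTP/1.0 caches
      headers["Expires"] = "0"
    end
    [status, headers, body]
  end

  private

  # Match "/admin" and "/admin/...", but not e.g. "/administrator".
  def sensitive?(path)
    path == ADMIN_PREFIX || path.start_with?("#{ADMIN_PREFIX}/")
  end
end

# Constructed stand-in for the downstream application (no caching headers).
FAKE_APP = lambda do |env|
  [200, { "Content-Type" => "text/html" }, ["<html>#{env['PATH_INFO']}</html>"]]
end

# Returns the response headers the wrapped app produces for a path.
def headers_for(path, app = NoStoreForAdmin.new(FAKE_APP))
  _status, headers, _body = app.call("PATH_INFO" => path, "REQUEST_METHOD" => "GET")
  headers
end

# True only if the response carries no-store, the directive that actually
# prevents the browser from keeping a copy for the back button.
def non_cacheable?(headers)
  directives = headers.fetch("Cache-Control", "").split(",").map { |d| d.strip.downcase }
  directives.include?("no-store")
end
```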
Matijs
2 months ago

Maintainer


@0xAmal please fix word wrapping in this report.

@0xAmal
2 months ago

Researcher


Description publify does not use secure Cache-Control headers.

Proof of Concept
1: Login to application
2: click on admin link https://demo-publify.herokuapp.com/admin
3: Logout
4: Press the back button of the opened tab to still see that you can view the information.

Impact
This issue is capable of storing sensitive page data in the Browser, leading to situations where a physical attacker can press the Browser back button to reveal information.

Recommended Fix Add the Cache-Control header containing 'no-store' and 'no-cache' directives.

@0xAmal
2 months ago

Researcher


Is it fine now @Matijs van Zuijlen?

Matijs
2 months ago

Maintainer


Yes, thanks. Are you also able to adjust the original report?

@0xAmal modified their report
2 months ago
@0xAmal
2 months ago

Researcher


@Matijs van Zuijlen done

@0xAmal modified their report
2 months ago
Matijs
2 months ago

Maintainer


@0xAmal why does the report have purple words? It's just text and shouldn't have syntax highlighting. Are you using Markdown code blocks?

Matijs van Zuijlen validated this vulnerability 2 months ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
Matijs van Zuijlen submitted a patch 2 months ago
Matijs van Zuijlen confirmed that a fix has been merged on fba66e 2 months ago
Matijs van Zuijlen has been awarded the fix bounty