Leaking password protected articles content due to improper access control in publify/publify

Valid

Reported on

Apr 10th 2022

Description

Any user who can publish their article can protect it using a password before publishing. So, a valid password to the article is required to view the contents of the article. But when a request is made to article /2022/04/10/<article-title> the UI show it requires a password to view content. But the content of the article is leaked in meta tags of the response.

Proof of Concept

Steps to Reproduce:

Login to app as Admin and create an article and protect it with a password and publish it
Now, login as a demo user and navigate to the newly published article. You can see the UI shows it requires a password to view.
But the content of the article is already leaked in the meta tags of the response body

Impact

Attackers can leverage this vulnerability to view the contents of any password-protected article present on the publify website. compromising confidentiality and integrity of users.

We are processing your report and will contact the publify team within 24 hours. a year ago

We have contacted a member of the publify team and are waiting to hear back a year ago

We have sent a follow up to the publify team. We will try again in 7 days. a year ago

We have sent a second follow up to the publify team. We will try again in 10 days. a year ago

We have sent a third and final follow up to the publify team. This report is now considered stale. a year ago

A publify/publify maintainer has acknowledged this report a year ago

Matijs van Zuijlen validated this vulnerability a year ago

I can reproduce this, thanks!

Mahendra Thanniru has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Mahendra Thanniru Mahendra

commented a year ago

Researcher

Hi Matijs, I've more vulnerability to report and discuss. Can you please share me a contact where I can reach out quickly without this long delay? i really excited to work with you.

We have sent a fix follow up to the publify team. We will try again in 7 days. a year ago

We have sent a second fix follow up to the publify team. We will try again in 10 days. a year ago

Matijs van Zuijlen Matijs

commented a year ago

Maintainer

Hi Mahendra, this platform is the quickest way to reach me.

Matijs van Zuijlen marked this as fixed in 9.2.8 with commit 1a78f1 a year ago

Matijs van Zuijlen has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

We are processing your report and will contact the publify team within 24 hours. a year ago

We have contacted a member of the publify team and are waiting to hear back a year ago

We have sent a follow up to the publify team. We will try again in 7 days. a year ago

We have sent a second follow up to the publify team. We will try again in 10 days. a year ago

We have sent a third and final follow up to the publify team. This report is now considered stale. a year ago

A publify/publify maintainer has acknowledged this report a year ago

Matijs van Zuijlen validated this vulnerability a year ago

I can reproduce this, thanks!

Mahendra Thanniru has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Mahendra Thanniru Mahendra

commented a year ago

Researcher

Hi Matijs, I've more vulnerability to report and discuss. Can you please share me a contact where I can reach out quickly without this long delay? i really excited to work with you.

We have sent a fix follow up to the publify team. We will try again in 7 days. a year ago

We have sent a second fix follow up to the publify team. We will try again in 10 days. a year ago

Matijs van Zuijlen Matijs

commented a year ago

Maintainer

Hi Mahendra, this platform is the quickest way to reach me.

Matijs van Zuijlen marked this as fixed in 9.2.8 with commit 1a78f1 a year ago

Matijs van Zuijlen has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation