Leaking password protected articles content due to improper access control in publify/publify

Valid

Reported on

Apr 10th 2022


Description

Any user who can publish an article can protect it with a password before publishing, so a valid password is required to view the article's contents. When the article is requested at /2022/04/10/<article-title>, the UI shows that a password is required to view the content, but the content of the article is leaked in the meta tags of the response.

Proof of Concept

Steps to Reproduce:

  1. Log in to the app as Admin, create an article, protect it with a password and publish it.
  2. Now log in as a demo user and navigate to the newly published article. The UI shows that a password is required to view it.
  3. But the content of the article is already leaked in the meta tags of the response body.

Impact

Attackers can leverage this vulnerability to view the contents of any password-protected article on the Publify website, compromising the confidentiality and integrity of users.
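The root cause described above is an access-control check that gates the visible article body but not the other places where the same content is echoed into the response, here the `<meta>` tags in the document head. The following plain-Ruby model is an added example written for this page; it is not Publify's code. The `Article` struct, its `password` attribute, and the helper names `meta_description_leaky`, `meta_description_gated` and `meta_leaks?` are assumptions chosen for illustration. It shows the leaky pattern beside the gated one, and a small regression check a maintainer can run against rendered HTML to confirm that protected text no longer appears in any meta `content` attribute.

```ruby
# Added example (not Publify's code): how a view helper can leak
# password-protected article content through meta tags, and how to gate it.
# Article, :password and the helper names below are assumptions for illustration.
require 'cgi'

Article = Struct.new(:title, :body, :password, keyword_init: true) do
  def password_protected?
    !(password.nil? || password.empty?)
  end
end

# Returns true when the viewer may see the full article body.
def unlocked?(article, supplied_password)
  return true unless article.password_protected?
  !supplied_password.nil? && supplied_password == article.password
end

# VULNERABLE pattern: the description meta tag is derived from the body
# without consulting the access check, so the HTML <head> exposes the content
# even though the visible <body> renders only the password form.
def meta_description_leaky(article)
  excerpt = article.body[0, 160]
  %(<meta name="description" content="#{CGI.escapeHTML(excerpt)}">)
end

# HARDENED pattern: the same access check that gates the body also gates
# every other place the content is echoed (meta description, Open Graph, feeds).
def meta_description_gated(article, supplied_password = nil)
  content = if unlocked?(article, supplied_password)
              article.body[0, 160]
            else
              'This article is password protected.'
            end
  %(<meta name="description" content="#{CGI.escapeHTML(content)}">)
end

# Defender's regression check: given rendered HTML and a fragment of the
# protected text, report whether any <meta ... content="..."> attribute
# exposes it. HTML entities are decoded before comparing.
def meta_leaks?(html, secret_fragment)
  html.scan(/<meta\b[^>]*\bcontent="([^"]*)"/i).flatten.any? do |content|
    CGI.unescapeHTML(content).include?(secret_fragment)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample article; the password value is a placeholder.
  article = Article.new(title: 'Quarterly numbers',
                        body: 'Revenue grew 12% & margins held.',
                        password: 'example-password')
  puts meta_description_leaky(article)          # leaks the body excerpt
  puts meta_description_gated(article)          # anonymous viewer: placeholder only
  puts meta_description_gated(article, 'example-password') # unlocked: excerpt
  puts meta_leaks?(meta_description_leaky(article), 'Revenue grew')
end
```

The point of `meta_leaks?` is that the fix should be verified on the rendered response rather than on the template alone: render the article page as an anonymous visitor and assert that no meta `content` attribute contains text from the protected body. The same check extends naturally to Open Graph and Twitter card tags, which are produced by the same pattern.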

We are processing your report and will contact the publify team within 24 hours. a month ago
We have contacted a member of the publify team and are waiting to hear back a month ago
We have sent a follow up to the publify team. We will try again in 7 days. a month ago
We have sent a second follow up to the publify team. We will try again in 10 days. a month ago
We have sent a third and final follow up to the publify team. This report is now considered stale. 23 days ago
publify/publify maintainer has acknowledged this report 21 days ago
Matijs van Zuijlen validated this vulnerability 21 days ago

I can reproduce this, thanks!

Mahendra Thanniru has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mahendra
21 days ago

Researcher


Hi Matijs, I have more vulnerabilities to report and discuss. Can you please share a contact where I can reach you quickly without this long delay? I'm really excited to work with you.

We have sent a fix follow up to the publify team. We will try again in 7 days. 18 days ago
We have sent a second fix follow up to the publify team. We will try again in 10 days. 11 days ago
Matijs
10 days ago

Maintainer


Hi Mahendra, this platform is the quickest way to reach me.

Matijs van Zuijlen confirmed that a fix has been merged on 1a78f1 10 days ago
Matijs van Zuijlen has been awarded the fix bounty