Improper Authorization in publify/publify


Reported on

Oct 11th 2021


I found an IDOR in publify, but I don't know whether this is intended or not.

If we assume that admins or publishers want to upload a media file but don't want to publish it, and want to keep it private until the publish date, there is an IDOR vulnerability here.

For example, I upload a .gif file, and this file isn't used anywhere on my site:

Here is the link:

Any user can see and download this file.

We have contacted a member of the publify team and are waiting to hear back 2 years ago
2 years ago


No suggestion of privacy is made, I think. However a user who knows nothing about the web may be confused.

2 years ago


Can I ask you to validate this report?

Matijs van Zuijlen validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Matijs van Zuijlen marked this as fixed with commit 332aba 2 years ago
Matijs van Zuijlen has been awarded the fix bounty
This vulnerability will not receive a CVE