Improper Authorization in publify/publify

Valid

Reported on

Oct 11th 2021

Description

I found an IDOR in publify But I don't know this is intended or not ?

If we assume that admins or publishers want to upload a media file and don't want to publish it and keep it private until the publish date there is a IDOR vulnerability here.

for example I upload a .gif file and this file don't used in any where of my site :

Here the link:

https://demo-publify.herokuapp.com/files/resource/9/medium_1.gif

any user can see and download this file.

We have contacted a member of the publify team and are waiting to hear back 2 years ago

Matijs van Zuijlen Matijs

commented 2 years ago

Maintainer

No suggestion of privacy is made, I think. However a user who knows nothing about the web may be confused.

amammad

commented 2 years ago

Researcher

can i ask you validate this report?

Matijs van Zuijlen validated this vulnerability 2 years ago

amammad has been awarded the disclosure bounty

The fix bounty is now up for grabs

Matijs van Zuijlen marked this as fixed with commit 332aba 2 years ago

Matijs van Zuijlen has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

We have contacted a member of the publify team and are waiting to hear back 2 years ago

Matijs van Zuijlen Matijs

commented 2 years ago

Maintainer

No suggestion of privacy is made, I think. However a user who knows nothing about the web may be confused.

amammad

commented 2 years ago

Researcher

can i ask you validate this report?

Matijs van Zuijlen validated this vulnerability 2 years ago

amammad has been awarded the disclosure bounty

The fix bounty is now up for grabs

Matijs van Zuijlen marked this as fixed with commit 332aba 2 years ago

Matijs van Zuijlen has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation