Improper Access Control in publify/publify
Feb 10th 2022
Article in draft mode can only be accessed by admins who have permission to manage article. Anonymous users can't view but can leave comments on article in draft mode. The cause of the vulnerability is that the draft article is setting to comment enabled and create_comment function only checks for comment enabled/disabled, not whether check for article in draft or public mode.
Proof of Concept
- Step 1: Login demo account in https://demo-publify.herokuapp.com/admin. Create article in draft mode and get the id.
- Step 2: Visit website in anonymous mode, get cookie and CSRF token. Call this request with id of article in draft mode.
- Step 3: In browser of demo account, go to https://demo-publify.herokuapp.com/admin/feedback, you can see comment in unpublish article.
Unpublish article: https://drive.google.com/file/d/17rev6klCS1zdY9zUU7umNjPJrpm8XU62
Create comment: https://drive.google.com/file/d/1iUJSmoqatVxtUdkU_6C_O9UP4Bkfsd9T
Anonymous users can leave comments on articles in draft mode. Attacker can also take advantage of the vulnerability to list the id of articles in draft mode. Run comment spam attack even if the app has disabled comments for all public articles.