JPress UCenter Article Submission Endpoint doWriteSave improper authorization

Vulnerability

JPress versions up to and including 1.0.3 contain an improper authorization vulnerability in the UCenter article submission endpoint at POST /ucenter/article/doWriteSave. The function ArticleUCenterController.doWriteSave() binds an Article object with a user-controlled id parameter. When an existing article ID is supplied, the saveOrUpdate method enters an update path without sufficiently verifying that the current user owns the target article. This affects the file /ucenter/article/doWriteSave [1].

Exploitation

An authenticated low-privileged attacker can send a crafted POST request to /ucenter/article/doWriteSave with an existing article id that belongs to another user. No special network position or additional privileges are required beyond authentication. The attacker must know or be able to enumerate a valid article ID. The request body includes the target article ID and modified content, triggering an update without proper ownership verification [1].

Impact

Successful exploitation allows the attacker to modify or overwrite articles belonging to other users. This results in unauthorized modification of content, leading to an integrity impact on user-generated content. The attacker does not gain code execution or privilege escalation, but can tamper with other users' published articles [1].

Mitigation

As of the available references, the JPress project has not responded to the issue report and no patch has been released. Users should monitor the project repository for an update. The suggested fix is to implement an ownership check in doWriteSave that loads the original article from the database and verifies ownership before allowing updates. Until a fix is available, administrators may consider restricting access to the UCenter endpoint or implementing a web application firewall rule to block requests with article IDs not belonging to the authenticated user [1].