Bludit CMS Faces Critical Security Vulnerabilities: RCE and More, No Patch Available
Cybersecurity researcher Andreas Pfefferle of Redguard has disclosed five security vulnerabilities in Bludit, a popular open-source flat-file content management system (CMS) used by many websites and blogs. Two of them are critical: they allow remote code execution (RCE), which hands an attacker full control of the affected web server.
Remote Code Execution: A Nightmare Scenario
The two RCE vulnerabilities, tracked as CVE-2024-24550 and CVE-2024-24551, stem from improper handling of file uploads in Bludit's File API and Image API. An attacker who holds a valid API token can use them to upload a PHP file that the web server then executes, compromising the underlying server. The token is a prerequisite, so the immediate exposure is to anyone who has obtained one (for example from a leaked backup or configuration file), but a single leaked token is enough.
With code execution, an attacker can deface the site, read configuration files and user data, plant malware for visitors, or pivot to other systems reachable from the server. Immediate action is needed to protect Bludit-powered websites.
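To make the upload-handling failure concrete, here is an added example in PHP, the language Bludit is written in. It is illustrative code, not Bludit's implementation and not from the advisory: the directory name, the extension allowlist and the sample files are assumptions. The unsafe function shows the pattern that turns a file or image upload API into code execution; the safe one shows the checks that stop it.

```php
<?php
declare(strict_types=1);

// Added example (not Bludit's code): the upload pattern behind API-driven RCE,
// and a hardened version. UPLOAD_DIR and the allowlist are assumptions.

define('UPLOAD_DIR', sys_get_temp_dir() . '/uploads-demo');

// extension => MIME type that libmagic must report for the file's actual bytes
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

// Vulnerable pattern: the caller's file name decides extension and location.
// Send "shell.php" and the web server executes it on the next GET.
function saveUploadUnsafe(string $clientName, string $tmpPath): string
{
    $dest = UPLOAD_DIR . '/' . basename($clientName);
    rename($tmpPath, $dest);            // a real handler would use move_uploaded_file()
    return $dest;
}

// Hardened pattern: allowlisted extension, type sniffed from content,
// server-chosen random name, no user-controlled path components at all.
function saveUploadSafe(string $clientName, string $tmpPath): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension .$ext is not allowed");
    }
    // Ask libmagic what the bytes are; a PHP script renamed to cover.png fails here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, not " . ALLOWED[$ext]);
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!rename($tmpPath, $dest)) {     // move_uploaded_file() in a real handler
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// Demo with constructed inputs: a genuine PNG header, a plain PHP script,
// and a PHP script disguised only by its extension.
if (!is_dir(UPLOAD_DIR)) {
    mkdir(UPLOAD_DIR, 0700);
}
$samples = [
    ['photo.png', "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32)],
    ['shell.php', "<?php echo 'owned';"],
    ['cover.png', "<?php echo 'owned';"],
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    $u = saveUploadUnsafe($name, $tmp);             // unsafe: always accepts
    echo "unsafe  stored   $name as " . basename($u) . "\n";
    unlink($u);
    file_put_contents($tmp, $bytes);
    try {
        $s = saveUploadSafe($name, $tmp);
        echo "safe    stored   $name as " . basename($s) . "\n";
        unlink($s);
    } catch (RuntimeException $e) {
        echo "safe    rejected $name: " . $e->getMessage() . "\n";
        unlink($tmp);
    }
}
rmdir(UPLOAD_DIR);
```

Run it with the PHP CLI: the unsafe function stores all three files under their original names, while the safe one keeps only photo.png. Validation alone is not the whole answer: as defense in depth the web server should also be configured never to execute scripts from the uploads directory, so that a bypass of the checks above still yields a downloadable file rather than a shell.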
Additional Vulnerabilities Compound the Risk
Beyond the RCE flaws, Redguard’s research also exposed three other vulnerabilities:
- Session Fixation (CVE-2024-24552): an attacker who can plant a session identifier in a victim's browser shares that session once the victim logs in, and can then act as that user.
- Weak Password Hashing (CVE-2024-24553): Bludit hashes passwords with the outdated SHA-1 algorithm. SHA-1 is a fast general-purpose digest rather than a password hash, so anyone who obtains the user database can test billions of guesses per second offline.
- Insecure Token Generation (CVE-2024-24554): tokens are produced by a predictable mechanism, so an attacker could reproduce or guess valid authentication tokens and bypass authentication.
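The three findings above map onto well-known PHP fixes. The following is an added example, not code from Bludit or from the advisory; the function names, the legacy-hash layout (hex SHA-1 of password plus salt) and the demo values are assumptions. It puts the weak and the hardened version of each mechanism side by side.

```php
<?php
declare(strict_types=1);

// Added example (not Bludit's code) covering weak password hashing,
// predictable tokens and session fixation. Names and layouts are assumptions.

// --- Weak password hashing ---
// A salted SHA-1 costs one fast digest per guess: an attacker who copies the
// user database tries billions of candidates per second on commodity GPUs.
function hashPasswordLegacy(string $password, string $salt): string
{
    return sha1($password . $salt);
}

// --- Fixed ---
// password_hash() uses a deliberately slow algorithm (bcrypt by default,
// argon2id where compiled in), embeds a random salt and records its parameters.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verify, and transparently upgrade legacy records on the next successful login.
// $stored is passed by reference so the caller can persist the upgraded hash.
function verifyAndUpgrade(string $password, string $salt, string &$stored): bool
{
    if (strlen($stored) === 40 && ctype_xdigit($stored)) {
        // legacy 40-hex SHA-1 record: compare in constant time, then replace it
        if (!hash_equals($stored, hashPasswordLegacy($password, $salt))) {
            return false;
        }
        $stored = hashPassword($password);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = hashPassword($password);
    }
    return true;
}

// --- Insecure token generation ---
// Anything derived from the clock, a PID or mt_rand() can be reproduced by an
// attacker who knows roughly when the token was minted; uniqid() is a timestamp.
function apiTokenWeak(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// --- Fixed ---
// 32 bytes from the OS CSPRNG. Compare tokens server-side with hash_equals().
function apiTokenStrong(): string
{
    return bin2hex(random_bytes(32));
}

// --- Session fixation ---
// Never keep the session ID the browser arrived with across authentication: if
// an attacker planted it, they now share the logged-in session. Regenerate it.
function establishLoginSession(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'use_strict_mode' => true,   // reject IDs the server never issued
            'cookie_httponly' => true,
            'cookie_secure'   => true,
            'cookie_samesite' => 'Lax',
        ]);
    }
    session_regenerate_id(true);         // true = delete the old session data
    $_SESSION['user_id'] = $userId;
}

// Demo with constructed values
$salt   = 'demo-salt';
$record = hashPasswordLegacy('correct horse', $salt);
echo "legacy record: $record\n";
echo verifyAndUpgrade('wrong', $salt, $record) ? "BUG: wrong accepted\n" : "wrong password rejected\n";
echo verifyAndUpgrade('correct horse', $salt, $record) ? "accepted, upgraded to: $record\n" : "BUG: rejected\n";
echo verifyAndUpgrade('correct horse', $salt, $record) ? "accepted by password_verify()\n" : "BUG: rejected\n";
echo "weak token:   " . apiTokenWeak() . "\n";
echo "strong token: " . apiTokenStrong() . "\n";
```

The upgrade path matters in practice: a project that switches hashing algorithms cannot re-hash existing passwords until each user logs in again, so the verifier must accept the old format once and rewrite the record, as verifyAndUpgrade() does.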
Unanswered Concerns: Bludit’s Silence Raises Red Flags
Despite Redguard starting responsible disclosure in January 2024, the Bludit development team has not addressed these vulnerabilities, and no fixed release exists. That silence raises serious concerns about the project's security posture and leaves every exposed installation open to attack.
What Should Bludit Users Do?
Given the severity of the findings and the absence of official patches, Bludit users should act now:
- Disable the API: Bludit's API is a plugin. If it is not essential, deactivate it from the admin panel (or block the /api/ path at the web server); this removes the RCE entry point. If the API must stay enabled, treat any token that may have been exposed as compromised and rotate it.
- Apply Redguard's Mitigations: the advisory contains detailed interim mitigations. Apply them until official patches are available.
- Monitor for Suspicious Activity: watch web server logs for unexpected write requests to the API, and check the uploads directory for files the server could execute (PHP scripts, or image files that contain PHP code).
- Consider an Alternative CMS: if security is paramount, consider migrating to a CMS with a track record of fixing reported vulnerabilities promptly.
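As a concrete form of the monitoring step, this added example (not a Bludit or Redguard tool) scans an uploads tree for anything the web server could execute or that changes execution rules. It assumes the Bludit layout in which uploads live under bl-content/uploads/; the extension list and the constructed demo files are assumptions too.

```php
<?php
declare(strict_types=1);

// Added example (not Bludit's code): flag files in the upload tree that the
// web server could execute. Path, extension list and demo files are assumptions.

const EXEC_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'pht'];

function whySuspicious(string $path): ?string
{
    $name = strtolower(basename($path));
    if ($name === '.htaccess' || $name === '.user.ini') {
        return 'server configuration file dropped in upload tree';
    }
    // Check every dotted segment after the base name, so shell.php.png is caught too.
    $segments = explode('.', $name);
    array_shift($segments);
    foreach ($segments as $seg) {
        if (in_array($seg, EXEC_EXTENSIONS, true)) {
            return "executable extension .$seg";
        }
    }
    // Polyglot check: a PHP open tag inside a file that claims to be an image.
    $head = (string) file_get_contents($path, false, null, 0, 4096);
    if (preg_match('/<\?(php\b|=)/i', $head) === 1) {
        return 'PHP open tag inside file content';
    }
    return null;
}

function scanUploads(string $dir): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $entry) {
        if ($entry->isFile() && ($why = whySuspicious($entry->getPathname())) !== null) {
            $findings[$entry->getPathname()] = $why;
        }
    }
    ksort($findings);
    return $findings;
}

// Demo on a constructed tree; point scanUploads() at bl-content/uploads in production.
$root = sys_get_temp_dir() . '/uploads-scan-' . bin2hex(random_bytes(4));
mkdir("$root/pages", 0700, true);
$files = [
    "$root/photo.png"         => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32),
    "$root/pages/note.pdf"    => "%PDF-1.4\n",
    "$root/pages/shell.php"   => "<?php echo 'x';",
    "$root/pages/pic.php.png" => "GIF89a",
    "$root/poly.jpg"          => "\xFF\xD8\xFF\xE0<?php echo 'x';",
    "$root/.htaccess"         => "# planted to map .png onto the PHP handler\n",
];
foreach ($files as $path => $bytes) {
    file_put_contents($path, $bytes);
}
foreach (scanUploads($root) as $path => $why) {
    echo substr($path, strlen($root) + 1) . ": $why\n";
}
foreach (array_keys($files) as $path) {
    unlink($path);
}
rmdir("$root/pages");
rmdir($root);
```

Run from cron or after any suspected incident; the two clean files (photo.png, note.pdf) produce no output, the other four are reported with the reason. A hit is a starting point for incident response, not proof of compromise on its own: correlate the file's modification time with API requests in the web server log.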
These findings leave Bludit users exposed. Andreas Pfefferle has published proof-of-concept exploit code alongside the proposed mitigations, while the Bludit development team has yet to respond. Users should apply the countermeasures above and watch for an official release from the Bludit team before treating their installations as secure.