Bludit Cross-Site Request Forgery Vulnerability in Plugin and Theme Management

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in Bludit version 3.16.1 within the administrative endpoints for uninstalling plugins and installing themes. The application fails to implement anti-CSRF tokens or validate request origins for these actions. This allows an attacker to trick an authenticated administrator into visiting a malicious page that sends unauthorized requests, potentially leading to the removal of plugins or the installation of harmful themes, which could disrupt functionality or compromise system integrity.

Impact

Exploitation of this vulnerability could result in unauthorized uninstallation of plugins or installation of malicious themes, allowing for the execution of untrusted code and potential compromise of system integrity.

Reproduction

To reproduce this vulnerability, create a malicious webpage that includes a form targeting the Bludit admin endpoint for uninstalling plugins or installing themes. The form should be submitted automatically using JavaScript, without the administrator's knowledge. Once the administrator clicks on the link to the malicious page, the crafted request will be sent, resulting in the unauthorized action being performed on their account.

Remediation

To address this vulnerability, Bludit should implement per-session CSRF tokens that are checked on every request to the affected endpoints, set the 'SameSite' attribute on the session cookie, and validate the 'Referer' header for those endpoints.
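The three mitigations named above, written out as an added example in Python that is not part of Bludit's code base; the site origin, session cookie name and form field name (`csrf_token`) are assumptions chosen for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for this example: the origin the admin panel is served from.
SITE_ORIGIN = "https://blog.example"


def issue_csrf_token(session: dict) -> str:
    """Create (once per session) a random token that admin forms must echo back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def source_matches_site(headers: dict) -> bool:
    """Accept the request only if Origin (or, failing that, Referer) is our own site.

    A cross-site form post from a foreign page normally carries one of these
    headers; a request with neither is rejected, which is the conservative choice
    for state-changing admin actions."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got, want = urlsplit(source), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def csrf_request_allowed(session: dict, headers: dict, form: dict) -> bool:
    """Gate for actions such as plugin uninstall or theme install.

    Both checks must pass: the submitted token equals the session token
    (constant-time compare), and the request's source header is our site."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    return source_matches_site(headers)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the (assumed) session cookie name SESSIONID.

    SameSite=Strict makes the browser omit the cookie on cross-site requests,
    so a forged POST arrives unauthenticated even if the other checks were missing."""
    return f"SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"
```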

Added: Feb 23, 2026, 10:25 PM
Updated: Feb 23, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.