Bludit Content Management System Ghost Session Vulnerability Allowing Unauthorized Access

Vulnerability

A broken access control vulnerability has been identified in Bludit CMS versions prior to 3.22.0. This flaw allows active sessions to remain valid even after the associated user account has been deleted from the database, so a deleted user retains unauthorized access to the system. The root cause is that the application does not re-validate the status of the user account on each request: it trusts the identity recorded in the session at login time, so deleted users can continue performing actions as if they were still active.

Impact

This vulnerability leaves 'ghost sessions' for deleted users, which is most serious for accounts with administrative privileges. A deleted administrator can bypass the revocation and regain persistent access by creating new administrative accounts from the ghost session, leaving a permanent backdoor in the system.

Reproduction

To reproduce this vulnerability, first create two user accounts with administrative privileges and log in with each. Afterward, delete these accounts using the 'Delete user and content' option. Checking the user list confirms that the accounts have been removed from the database. Despite this, the deleted accounts can still access the system through their still-active sessions and perform administrative actions, such as creating new user accounts.
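The following PHP snippet is an added illustration of the flaw and its fix, not Bludit's own code: the function names and the in-memory user array are hypothetical stand-ins for the CMS session and user store. It contrasts a check that trusts the identity stored in the session with one that re-validates the account against the user store on every request, which is the behaviour a defender should expect after the fix.

```php
<?php
// Constructed in-memory user store, standing in for the CMS user database.
$users = [
    'alice' => ['role' => 'admin'],
    'bob'   => ['role' => 'editor'],
];

// Vulnerable pattern: the session is considered valid as long as it carries a
// username, regardless of whether that account still exists.
function isLoggedInVulnerable(array $session): bool
{
    return isset($session['username']);
}

// Hardened pattern: a session is only valid while the referenced account still
// exists, so deleting the account invalidates its sessions on the next request.
// Privileges are re-read from the store rather than trusted from the session.
function isLoggedInHardened(array &$session, array $users): bool
{
    $name = $session['username'] ?? null;
    if ($name === null || !isset($users[$name])) {
        $session = [];   // drop the stale (ghost) session entirely
        return false;
    }
    $session['role'] = $users[$name]['role'];
    return true;
}

// Simulate the advisory's scenario: alice logs in as admin, then the account
// is deleted while her session is still alive.
$session = ['username' => 'alice', 'role' => 'admin'];
unset($users['alice']);

var_dump(isLoggedInVulnerable($session));        // ghost session still accepted
var_dump(isLoggedInHardened($session, $users));  // access correctly revoked
var_dump($session);                               // session has been cleared
```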

Remediation

Users are advised to update to Bludit version 3.22.0 or later, where this vulnerability has been fixed.

Added: Jun 8, 2026, 4:34 PM
Updated: Jun 8, 2026, 4:34 PM

Vulnerability Rating (Custom Algorithm)

spread: 2.2
impact: 0.6
exploitability: 7.8
remediation: 7.7
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.