CVE-2026-46656
Broken Access Control in Bludit CMS

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue.
Affected Vendors & Products

Vendor   Product   Version / Range
bludit   bludit    up to 3.22.0 (excluding)
CWE
CWE ID    Description
CWE-613   According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
CWE-285   The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows revoked users to maintain unauthorized access to the system even after their accounts have been deleted, leading to persistent unauthorized access and privilege escalation.

Such unauthorized access and the resulting audit inconsistencies (actions logged to non-existent entities) could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls, user revocation, and accurate audit trails.

Failure to properly invalidate sessions for deleted or disabled users may lead to violations of data protection and security requirements mandated by these regulations.

Executive Summary

This vulnerability affects Bludit CMS versions prior to 3.22.0 and is a Broken Access Control flaw known as a "Ghost Session." It occurs because active user sessions remain valid even after the corresponding user account has been physically deleted from the database.

The issue lies in the isLogged() function, which relies on server-side session state without re-validating the user's status against the database for each request. As a result, once a session is established, the system trusts the session data without checking if the user still exists or is authorized.

This allows revoked or deleted users to maintain full unauthorized access to the system, including performing high-privilege actions such as creating new administrative accounts.

Impact Analysis

This vulnerability can have severe impacts including persistent unauthorized access, privilege escalation, and audit inconsistencies.

  • Revoked or deleted users can continue to access the system with their active sessions.
  • Unauthorized users can perform high-privilege actions such as publishing content and creating new administrator accounts.
  • Audit logs may record actions under non-existent user accounts, causing inconsistencies and complicating forensic investigations.

Overall, this flaw compromises confidentiality, integrity, and availability of the system, reflected in its high CVSS score of 8.8.

Detection Guidance

This vulnerability involves active sessions remaining valid even after the corresponding user account has been deleted from the database. Detection involves verifying whether any active sessions belong to users who no longer exist or are disabled in the database.

Since the issue is related to session management in Bludit CMS, you can check the session store or logs for sessions associated with deleted or disabled users.

Specifically, you can:

  • Query the database users table to identify deleted or disabled users.
  • Check active session data (e.g., PHP session files or session storage) for sessions linked to those users.
  • Look for sessions that remain active despite the user being deleted or disabled.

Example commands (assuming access to the database and session files):

  • SQL to find disabled or deleted users (depending on schema): SELECT * FROM users WHERE password = '!' OR deleted = 1;
  • Check PHP session files for user IDs or usernames matching those users.
  • Use application logs to identify actions performed by non-existent users.

No specific commands are provided in the resources, but these general approaches align with the vulnerability's nature.
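As an added illustration of the three detection steps above (this is not code from the advisory or from Bludit), the following PHP script cross-checks session payloads against the user list and reports sessions whose account is deleted or disabled. It assumes Bludit's flat-file user store (bl-content/databases/users.php: a PHP guard line followed by a JSON object keyed by username, with a disabled account carrying the password "!") and that the PHP session serialization contains a username entry; the users file and session payloads are constructed inline.

```php
<?php
// Added example, not Bludit's own code. Flags sessions whose account no
// longer exists or is disabled (assumed: users.php is a PHP guard line plus a
// JSON object keyed by username; a disabled account has password "!").

function loadUsers(string $usersPhp): array {
    // Drop the leading PHP guard line ahead of the JSON object.
    $json = preg_replace('/^<\?php.*?\?>\s*/s', '', $usersPhp, 1);
    return json_decode($json, true) ?? [];
}

function sessionUsername(string $payload): ?string {
    // Locate the serialized 'username' entry and cut out exactly its length.
    $re = '/(?:^|[;}])username\|s:(\d+):"/';
    if (!preg_match($re, $payload, $m, PREG_OFFSET_CAPTURE)) {
        return null;                           // anonymous session
    }
    $start = $m[0][1] + strlen($m[0][0]);
    return substr($payload, $start, (int) $m[1][0]);
}

function ghostSessions(array $sessions, array $users): array {
    $ghosts = [];
    foreach ($sessions as $file => $payload) {
        $u = sessionUsername($payload);
        if ($u === null) continue;
        if (!isset($users[$u])) {
            $ghosts[$file] = "$u (account deleted)";
        } elseif (($users[$u]['password'] ?? '') === '!') {
            $ghosts[$file] = "$u (account disabled)";
        }
    }
    return $ghosts;
}

// Constructed sample data standing in for users.php and the session directory.
$usersPhp = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n" . json_encode([
    'admin' => ['password' => 'constructed-hash', 'role' => 'admin'],
    'bob'   => ['password' => '!',                'role' => 'author'],
]);
$sessions = [
    'sess_a1' => 'fingerPrint|s:8:"deadbeef";username|s:5:"admin";',
    'sess_b2' => 'fingerPrint|s:8:"cafebabe";username|s:3:"bob";',
    'sess_c3' => 'fingerPrint|s:8:"feedface";username|s:5:"carol";',
    'sess_d4' => 'csrf|s:8:"tokentok";',
];
foreach (ghostSessions($sessions, loadUsers($usersPhp)) as $file => $why) {
    echo "$file: $why\n";
}
```

On a live install, replace the constructed arrays with the contents of users.php and of each file under session_save_path(); any session the script lists should be removed and its user's remember token cleared.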

Mitigation Strategies

The immediate and recommended mitigation is to upgrade Bludit CMS to version 3.22.0 or later, which contains the fix for this vulnerability.

The fix ensures that sessions for disabled or deleted users are invalidated by modifying the isLogged() method to verify the user's status against the database on every request.

Additional mitigation steps include:

  • Disable or delete user accounts properly and ensure their sessions are terminated.
  • Clear remember tokens and regenerate authentication tokens for disabled users to prevent further access.

These steps prevent revoked users from maintaining unauthorized access through 'ghost sessions'.
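To make the fix concrete, here is an added, reduced model of the isLogged() check (not Bludit's actual code): the vulnerable form trusts session state alone, while the hardened form re-validates the account on every request and tears the session down when the account is gone or disabled. It assumes a plain array in place of $_SESSION, an in-memory user store, and the convention that a disabled account has the password "!".

```php
<?php
// Added example, not Bludit's own code: a reduced model of the isLogged()
// check behind CVE-2026-46656. $session stands in for $_SESSION, $users for
// the user store (assumed: a disabled account has password "!").

function isLoggedVulnerable(array $session, string $fingerPrint): bool {
    // Only session state is consulted; the user store is never re-read, so a
    // session outlives the deletion or disabling of its account.
    return ($session['fingerPrint'] ?? null) === $fingerPrint
        && !empty($session['username']);
}

function isLoggedFixed(array &$session, string $fingerPrint, array $users): bool {
    if (($session['fingerPrint'] ?? null) !== $fingerPrint || empty($session['username'])) {
        return false;
    }
    $u = $session['username'];
    $active = isset($users[$u]) && ($users[$u]['password'] ?? '') !== '!';
    if (!$active) {
        // Account gone or disabled: tear the session down instead of trusting it
        // (session_destroy() plus a cookie reset in a real request handler).
        $session = [];
        return false;
    }
    return true;
}

// Constructed scenario: alice authenticates, then her account is deleted.
$fp      = 'constructed-fingerprint';
$users   = ['alice' => ['password' => 'constructed-hash', 'role' => 'admin']];
$session = ['fingerPrint' => $fp, 'username' => 'alice'];
unset($users['alice']);

var_dump(isLoggedVulnerable($session, $fp));      // the old check keeps accepting the session
var_dump(isLoggedFixed($session, $fp, $users));   // the fixed check rejects it and clears it
```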
