Bludit CMS (3.9.2): How to bypass Brute-Force-Protection

srikanth prathi
Jul 12, 2020


Recently I worked through a box that impressed me a lot with a vulnerability in Bludit CMS. Though the box is an easy one, it requires some basic knowledge of Python programming, so I decided to make it my first story.

After starting the box, I ran an Nmap scan to find the open ports, which showed that port 80 is open.

When I browsed to the IP address, I got a standard web page that looked like a CMS (Content Management System). To explore further I used the “whatweb” tool, a Linux penetration-testing tool and next-generation web scanner that fingerprints web technologies such as web servers, CMSs, etc.

“whatweb” identified that the site is powered by Bludit.

Then I crawled the web application for more information about the CMS version and found version 3.9.2 in the page source.

Now I had the CMS vendor and the version. Searching for vulnerabilities in Bludit 3.9.2, I found CVE-2019-17240, which bypasses the brute-force protection mechanism in that version, along with an article by rastating containing a proof of concept, which is exactly what we need.

The vulnerability is that Bludit CMS determines the end-user IP address by trusting the X-Forwarded-For and Client-IP HTTP headers. Bludit’s documentation describes how the brute-force protection is implemented:

https://docs.bludit.com/en/security/brute-force-protection

Logic implemented for the brute-force protection: for each failed login attempt, Bludit CMS adds the IP address of the request origin to a blacklist array, and after 10 consecutive failed attempts from the same IP address, the CMS blocks that blacklisted IP address for 5 minutes.

As per security best practice, developers shouldn’t trust the X-Forwarded-For header value when determining end-user IP addresses, because an attacker controls that header and can set it to any value, which defeats the per-IP counter.
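As an added illustration of the logic described above (not Bludit’s own code and not the rastating PoC), here is a simplified Python model of the blacklist with the vulnerable IP lookup beside a hardened one that honours X-Forwarded-For only when the request arrives from a trusted reverse proxy; the proxy and client addresses are constructed:

```python
import time

MAX_FAILURES = 10        # consecutive failures before an IP is blocked (per the Bludit docs)
BLOCK_SECONDS = 5 * 60   # how long a blacklisted IP stays blocked (per the Bludit docs)
TRUSTED_PROXIES = {"10.0.0.1"}  # constructed: the only reverse proxy allowed to set X-Forwarded-For

def client_ip_vulnerable(headers, remote_addr):
    """CVE-2019-17240 pattern: a client-controlled header overrides the socket address."""
    return headers.get("X-Forwarded-For") or headers.get("Client-IP") or remote_addr

def client_ip_hardened(headers, remote_addr):
    """Use X-Forwarded-For only if the TCP peer is a trusted proxy, taking the rightmost
    entry (the one that proxy appended); otherwise fall back to the socket address."""
    xff = headers.get("X-Forwarded-For")
    if remote_addr in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return remote_addr

class BruteForceProtection:
    """Simplified model of the blacklist logic in the Bludit docs (not Bludit's own code)."""
    def __init__(self, resolve_ip, now=time.time):
        self.resolve_ip = resolve_ip
        self.now = now
        self.blacklist = {}  # ip -> (consecutive failures, time of last failure)

    def is_blocked(self, headers, remote_addr):
        entry = self.blacklist.get(self.resolve_ip(headers, remote_addr))
        if entry is None:
            return False
        failures, last_failure = entry
        return failures >= MAX_FAILURES and self.now() - last_failure < BLOCK_SECONDS

    def record_failure(self, headers, remote_addr):
        ip = self.resolve_ip(headers, remote_addr)
        failures, _ = self.blacklist.get(ip, (0, 0.0))
        self.blacklist[ip] = (failures + 1, self.now())

def failed_attempts_processed(resolve_ip, attempts=30, remote_addr="203.0.113.5"):
    """How many of `attempts` bad logins get past the blacklist when every request comes
    from one socket address but carries a different X-Forwarded-For value."""
    bfp = BruteForceProtection(resolve_ip)
    processed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"192.0.2.{i}"}  # constructed, client-chosen value
        if not bfp.is_blocked(headers, remote_addr):
            bfp.record_failure(headers, remote_addr)
            processed += 1
    return processed
```

With the vulnerable resolver all 30 failed attempts are processed, because each header value creates a fresh blacklist entry; with the hardened resolver the socket address is what gets counted, so only the first 10 get through before the 5-minute block applies.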

The PoC by rastating generates a wordlist and then brute-forces the application; here I instead created a wordlist using “CeWL”, which spiders the given URL, and modified the PoC to take the wordlist I created.

PoC in my GitHub link

After running the PoC, I obtained the CMS password and logged in.
