CVE-2019-17240
published 2019-10-06

Priority: P272 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 39.60% (98.4th percentile)
bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers.

Affected

1 range
Vendor: bludit · Product: bludit · Version range: not given · Fixed in: not given

Detection & IOCs (extracted from sources)

version: Bludit 3.9.2
path: bl-kernel/security.class.php
path: /admin/dashboard
  • Detect brute-force bypass attempts by monitoring for repeated login requests containing spoofed X-Forwarded-For or Client-IP HTTP headers with many different IP values from the same source.
  • Monitor POST requests to the Bludit login endpoint for the presence of a 'tokenCSRF' field alongside 'username' and 'password' fields, combined with rotating X-Forwarded-For or Client-IP header values, as an indicator of automated credential stuffing.
  • Alert when an HTTP response containing the 'has been blocked' text is followed by further login requests from the same source carrying different spoofed IP headers; this indicates active exploitation of the brute-force mitigation bypass.
  • Successful exploitation results in a redirect to /admin/dashboard; monitor for 302 Location headers pointing to /admin/dashboard following a series of login attempts with rotating IP headers.
  • The brute-force protection in Bludit 3.9.2 trusts client-supplied X-Forwarded-For and Client-IP headers for IP-based blocking, making it trivially bypassable by any attacker who rotates these header values. The vulnerable logic resides in bl-kernel/security.class.php.
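As an added detection example (not code from this page or from the Bludit project), the following Python groups login POSTs by the peer address the client cannot forge and flags any peer that presents many distinct X-Forwarded-For values, also recording the 302 to /admin/dashboard that marks a successful login. The log format, the /admin/login path and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed format, not from the page): real peer
# address, request line, status, then the X-Forwarded-For value and Location
# response header as logged ("-" when absent). /admin/login is assumed.
SAMPLE_LOG = """\
203.0.113.7 "POST /admin/login HTTP/1.1" 200 xff="10.0.0.1" loc="-"
203.0.113.7 "POST /admin/login HTTP/1.1" 200 xff="10.0.0.2" loc="-"
203.0.113.7 "POST /admin/login HTTP/1.1" 200 xff="10.0.0.3" loc="-"
203.0.113.7 "POST /admin/login HTTP/1.1" 302 xff="10.0.0.4" loc="/admin/dashboard"
198.51.100.9 "POST /admin/login HTTP/1.1" 200 xff="-" loc="-"
198.51.100.9 "POST /admin/login HTTP/1.1" 200 xff="-" loc="-"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'xff="(?P<xff>[^"]*)" loc="(?P<loc>[^"]*)"$'
)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_rotating_header_sources(log_text, login_path="/admin/login", threshold=3):
    """Per real peer (REMOTE_ADDR), count distinct forwarded-IP values on login
    POSTs. Header-trusting blocking treats each value as a new client, so one
    peer cycling through many values is the bypass pattern described above."""
    per_src = defaultdict(lambda: {"attempts": 0, "xff": set(), "dashboard": False})
    for rec in parse(log_text):
        if rec["method"] != "POST" or rec["path"] != login_path:
            continue
        stats = per_src[rec["src"]]
        stats["attempts"] += 1
        if rec["xff"] != "-":
            stats["xff"].add(rec["xff"])
        if rec["status"] == "302" and rec["loc"] == "/admin/dashboard":
            stats["dashboard"] = True  # success indicator from the IOC list
    alerts = []
    for src, s in sorted(per_src.items()):
        if len(s["xff"]) >= threshold:
            alerts.append({"source": src, "login_attempts": s["attempts"],
                           "distinct_forwarded_ips": len(s["xff"]),
                           "dashboard_redirect": s["dashboard"]})
    return alerts
```

The same grouping applies to Client-IP if your proxy logs that header; the key point is that the grouping key is the transport-level peer address, never a client-supplied header.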

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v3.0: 3.7 LOW, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
NVD, CVSS v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:P/I:N/A:N