CI4MS Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in CI4MS, a CodeIgniter 4-based CMS, prior to version 0.28.5.0. An authenticated user with file editor permissions can exploit this vulnerability by uploading and executing arbitrary PHP code on the server. The issue arises from the file creation and save endpoints, which lacked proper validation and allowed malicious content to be written into files that the web server could execute.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running in the context of the web server user. This could lead to a complete compromise of the web server, including unauthorized access to the file system and databases, execution of arbitrary operating system commands, and permanent modification or deletion of application data.
Reproduction
To reproduce this vulnerability, log in to an account with file editor permissions. Use the file creation endpoint to upload a PHP file, such as 'exploit.php', to a public directory. Then, inject a PHP payload into the file using the save endpoint. The injected payload can be executed by accessing the file through the web server.
Remediation
Users are advised to update to version 0.28.5.0 or later, where this vulnerability has been patched. Additionally, application maintainers should implement path validation that restricts file operations to non-executable directories, enforce an extension whitelist so that only safe file types can be created, and sanitize content on the server side so that executable code cannot be injected. Disabling PHP execution in public upload directories through the web server configuration also mitigates this vulnerability.
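The three server-side checks recommended above (path validation, extension whitelisting, content sanitization) for a file-create/save endpoint, as an added example in plain PHP; this is not CI4MS code, and the function names, the allow-list and the temp-dir base used for the demo are assumptions. The base directory must still be one the web server is configured not to execute PHP from.

```php
<?php
// Added example, not CI4MS code. $base must be a directory the web server is
// configured not to execute PHP from; the demo below uses a constructed temp dir.
const ALLOWED_EXT = ['txt', 'md', 'css', 'json', 'png', 'jpg'];

// Map a user-supplied relative path to an absolute path under $base, or throw.
// The checks work on the string, so they also cover files that do not exist yet.
function resolveSafePath(string $base, string $relative): string {
    if (str_contains($relative, "\0") || preg_match('#^([A-Za-z]:)?[/\\\\]#', $relative)) {
        throw new InvalidArgumentException('absolute path or null byte');
    }
    $parts = array_values(array_filter(explode('/', str_replace('\\', '/', $relative)),
        fn(string $s): bool => $s !== '' && $s !== '.'));
    if ($parts === []) { throw new InvalidArgumentException('empty path'); }
    $file = array_pop($parts);
    foreach ($parts as $dir) {  // directory segments: plain names only, which excludes '..'
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $dir)) {
            throw new InvalidArgumentException("bad directory segment: $dir");
        }
    }
    // Exactly one extension from the allow-list; this also rejects double extensions
    // such as "shell.php.txt" and dot-files such as ".htaccess".
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $file, $m)
        || !in_array(strtolower($m[1]), ALLOWED_EXT, true)) {
        throw new InvalidArgumentException("extension not allowed: $file");
    }
    return $base . '/' . implode('/', [...$parts, $file]);
}
// Defence in depth: refuse content carrying a PHP open tag, even in an allowed type.
function rejectPhpContent(string $content): void {
    if (preg_match('/<\?/', $content)) { throw new InvalidArgumentException('PHP open tag in content'); }
}
function saveFile(string $base, string $relative, string $content): string {
    $path = resolveSafePath($base, $relative);
    rejectPhpContent($content);
    if (!is_dir(dirname($path)) && !mkdir(dirname($path), 0750, true)) {
        throw new RuntimeException('cannot create directory');
    }
    file_put_contents($path, $content, LOCK_EX);
    return $path;
}

$base = sys_get_temp_dir() . '/uploads-demo';  // constructed demo location
$cases = [['notes/readme.txt', 'hello'], ['exploit.php', '<?php echo 1;'],
          ['../public/a.txt', 'x'], ['a.txt', '<?php echo 1;']];
foreach ($cases as [$p, $c]) {
    try { echo "saved ", saveFile($base, $p, $c), "\n"; }
    catch (InvalidArgumentException $e) { echo "rejected $p: {$e->getMessage()}\n"; }
}
```

Requires PHP 8.0 or later (str_contains); of the four constructed cases only notes/readme.txt is written, the other three are rejected by the path, extension and content checks respectively.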
