CI4MS Post-Installation Route Guard Bypass Vulnerability Allowing Full Application Takeover

Vulnerability

A vulnerability in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.4.0, allows for a post-installation route guard bypass. The guard relies on a temporary cache check and the existence of a .env file to block access to the setup wizard. When the database is temporarily unreachable during a cache miss, the guard fails open, enabling an unauthenticated attacker to overwrite the .env file with malicious database credentials. This exploitation leads to a complete takeover of the application.
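
Modelled on the guard described above, the following is an added example (not CI4MS's own code) of a CodeIgniter 4 route filter that fails closed when the database cannot answer the "is this instance installed?" question; the filter name, cache key, TTL and the `settings` table check are assumptions made for this illustration.

```php
<?php
// Hypothetical post-installation guard for a CodeIgniter 4 app, written as a
// filter attached to the install routes. Illustrative; not CI4MS's own code.
namespace App\Filters;

use CodeIgniter\Database\Exceptions\DatabaseException;
use CodeIgniter\Exceptions\PageNotFoundException;
use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class InstallGuard implements FilterInterface
{
    // Cache key and TTL are assumptions for this example.
    private const CACHE_KEY = 'installed_flag';
    private const CACHE_TTL = 300;

    public function before(RequestInterface $request, $arguments = null)
    {
        // The installed state is cached so most requests never touch the database.
        $installed = cache(self::CACHE_KEY);

        if ($installed === null) {
            // Cache miss: ask the database. A fail-open guard treats a connection
            // failure here as "not installed", which exposes the wizard precisely
            // while the database is down. This version refuses instead.
            try {
                $db = \Config\Database::connect();
                $db->initialize();
                $installed = $db->tableExists('settings');
                cache()->save(self::CACHE_KEY, $installed, self::CACHE_TTL);
            } catch (DatabaseException $e) {
                log_message('error', 'InstallGuard: database unreachable, refusing install route');
                return service('response')->setStatusCode(503);
            }
        }

        // An existing .env is independent evidence that setup already ran;
        // treating it as "installed" is a modelling choice for this example.
        if ($installed || is_file(ROOTPATH . '.env')) {
            throw PageNotFoundException::forPageNotFound();
        }

        return null; // not installed and database reachable: allow the wizard
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
    }
}
```

The important property is the `catch` branch: an error the guard cannot resolve yields a 503, never a 200, so a database outage cannot be used to reopen the setup wizard.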

Impact

Exploitation of this vulnerability during a database outage, coinciding with a cache miss, results in full application takeover. The .env file is overwritten with attacker-controlled database credentials, redirecting all database queries to an attacker-controlled server. This allows for credential theft, arbitrary content injection, phishing, privilege escalation, and invalidation of all existing encrypted data and sessions.

Reproduction

To reproduce this vulnerability, first ensure that the database is temporarily unreachable during a cache miss (that is, when the 'settings' cache has expired or been cleared). Then access the install route, which returns a 200 status instead of a 404. Once the route is accessible, overwrite the .env file by posting to the install endpoint with the desired database credentials. After the .env file is overwritten, follow the redirect to '/install/dbsetup', which runs migrations on the attacker-controlled database and creates an admin account, resulting in full application takeover.

Remediation

Users are advised to update to version 0.31.4.0, where this vulnerability has been fixed.

Added: Apr 8, 2026, 4:54 PM
Updated: Apr 8, 2026, 4:54 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 7.6
remediation: 0.0
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.