CI4MS Zip Slip Vulnerability in Backup Module Leading to Remote Code Execution

Vulnerability

A vulnerability in the CI4MS Content Management System, in versions prior to 0.31.5.0, allows authenticated backend users with permission to create backups to exploit the Backup::restore function. This function extracts user-uploaded ZIP files without validating the entry names, creating a Zip Slip vulnerability. As a result, an attacker could write files to arbitrary locations on the filesystem and achieve remote code execution by placing a PHP file in the public web root.

Impact

Exploitation of this vulnerability allows for arbitrary file writes, leading to remote code execution on the server. This could fully compromise the CI4MS installation, including access to the database credentials in the .env file and any content managed by the site.

Reproduction

To reproduce this vulnerability, upload a ZIP file containing a malicious PHP script named with a directory traversal pattern (such as '../../public/shell.php') through the Backup::restore function. The ZIP file will be extracted without entry name validation, allowing the PHP script to be placed in the public directory. Once the file is uploaded, it can be accessed via the web server, and the embedded PHP code will be executed.

Remediation

Users are advised to update to CI4MS version 0.31.5.0 or later, where this vulnerability has been patched.
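
For code that restores uploaded archives, the check missing here is validation of every entry name before anything is written. The following is an added example, not CI4MS's patch or code: the function name safeExtract and its behaviour of rejecting the whole archive on the first unsafe entry are assumptions made for illustration, and it requires PHP 8 with the zip extension.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not CI4MS code): extract $zipPath into $destDir,
 * refusing the whole archive if any entry name could land outside $destDir.
 * Returns the list of entry names that were extracted.
 */
function safeExtract(string $zipPath, string $destDir): array
{
    $base = realpath($destDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('Destination directory does not exist');
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('Cannot open archive');
    }
    try {
        // Pass 1: vet every entry name before writing a single byte.
        $names = [];
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            // Treat backslashes as separators so "..\\x" is caught too.
            $norm = str_replace('\\', '/', (string) $name);
            $isAbsolute = $norm === '' || $norm[0] === '/'
                || preg_match('#^[A-Za-z]:#', $norm) === 1;
            $hasDotDot = in_array('..', explode('/', $norm), true);
            if ($name === false || $isAbsolute || $hasDotDot
                || str_contains($norm, "\0")) {
                throw new RuntimeException("Unsafe entry name at index $i");
            }
            $names[] = $name;
        }
        // Pass 2: extract only the vetted names.
        if (!$zip->extractTo($base, $names)) {
            throw new RuntimeException('Extraction failed');
        }
        return $names;
    } finally {
        $zip->close();
    }
}
```

An entry named like the '../../public/shell.php' pattern from the Reproduction section fails the `..` segment check in the first pass, so nothing from that archive is written.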

Added: May 7, 2026, 4:40 AM
Updated: May 7, 2026, 4:40 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.