CI4MS Zip Slip Vulnerability in Theme Upload Process Allowing Remote Code Execution
Vulnerability
CI4MS, a CMS built on CodeIgniter 4, lets authenticated backend users who hold the theme-creation permission upload a theme as a ZIP archive. Prior to version 0.31.5.0 the upload handler extracts that archive without validating entry names, so an entry whose name contains "../" segments is written outside the intended theme directory (Zip Slip). A user with that permission can therefore write files to any location the web server process can reach, including the public web root, and achieve remote code execution by dropping a PHP file there and requesting it. The issue is patched in version 0.31.5.0.
Impact
Exploitation gives an authenticated backend user arbitrary file write as the web server process and, through a dropped PHP file, remote code execution. That compromises the entire CI4MS installation, including the database credentials stored in the .env file and all site content.
Reproduction
To reproduce, build a ZIP archive in which at least one entry name contains "../" path segments that resolve from the theme extraction directory into the public web root, and give that entry a PHP script as its contents. Upload the archive through the CI4MS theme manager from a session that holds the theme-creation permission. After extraction the PHP file sits in the web root and executes when requested through the web server.
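The following is an added example written for this page, in Python rather than the project's PHP, and is not code from CI4MS. It builds a theme archive carrying a path-traversal entry name, runs it through an extractor that joins entry names onto the destination with no validation (the flawed pattern the advisory describes), and then through a hardened extractor that resolves and contains every entry path before writing anything. The directory layout (writable/themes as the extraction directory, public as the web root), the entry name and the PHP payload are assumptions made for the demonstration; the page does not state the actual CI4MS extraction path.

```python
import io
import os
import shutil
import tempfile
import zipfile

# Constructed inputs (assumptions, not taken from the advisory or the project):
# an entry name that, extracted from <install>/writable/themes/, climbs two
# levels and lands in the public web root, plus a minimal PHP web shell.
TRAVERSAL_ENTRY = "../../public/shell.php"
PAYLOAD = b"<?php system($_GET['cmd']); ?>"
MANIFEST = b'{"name": "demo-theme"}'


class ZipSlipError(ValueError):
    """Raised when an entry would be written outside the extraction directory."""


def build_theme_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {entry_name: content}; names are not sanitized."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def vulnerable_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Flawed pattern: join each entry name onto dest and write, no checks.
    os.path.join follows '..' segments, so a crafted name escapes dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Hardened form: vet every entry name, then write only if all pass.
    Rejects absolute names, backslash separators, and any name whose
    resolved path is not strictly inside the real extraction directory."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or name.startswith("/") or "\\" in name:
                raise ZipSlipError(f"absolute or non-portable entry name: {name!r}")
            target = os.path.realpath(os.path.join(dest_real, name))
            # Containment check: resolved path must stay under dest_real.
            if target == dest_real or os.path.commonpath([dest_real, target]) != dest_real:
                raise ZipSlipError(f"entry escapes extraction dir: {name!r}")
            targets.append((info, target))
        written = []  # only reached when every name has been vetted
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Lay out a CI4MS-like tree in a temp dir, run both extractors against a
    malicious and a benign archive, and report what happened."""
    root = tempfile.mkdtemp(prefix="ci4ms_zipslip_")
    try:
        themes_dir = os.path.join(root, "writable", "themes")
        public_dir = os.path.join(root, "public")
        os.makedirs(themes_dir)
        os.makedirs(public_dir)
        dropped_shell = os.path.join(public_dir, "shell.php")
        malicious = build_theme_zip({"theme.json": MANIFEST, TRAVERSAL_ENTRY: PAYLOAD})
        benign = build_theme_zip({"theme.json": MANIFEST, "views/home.php": b"<h1>ok</h1>"})

        vulnerable_extract(malicious, themes_dir)   # payload lands in the web root
        shell_in_webroot = os.path.isfile(dropped_shell)
        shutil.rmtree(themes_dir)
        os.makedirs(themes_dir)
        if shell_in_webroot:
            os.remove(dropped_shell)

        try:                                        # hardened extractor rejects it
            safe_extract(malicious, themes_dir)
            rejected = False
        except ZipSlipError:
            rejected = True
        nothing_written = os.listdir(themes_dir) == [] and not os.path.exists(dropped_shell)
        benign_files = safe_extract(benign, themes_dir)  # and still accepts a real theme
        return {
            "vulnerable_wrote_webroot": shell_in_webroot,
            "safe_rejected_malicious": rejected,
            "safe_wrote_nothing_on_reject": nothing_written,
            "safe_benign_file_count": len(benign_files),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened extractor validates all names before the first write, so a rejected archive leaves no partially extracted theme behind; checking names one at a time while writing would still let earlier benign entries through and, in a real upload handler, a later error could be swallowed. Symlink entries inside the archive are a separate hazard not covered here: an extractor that recreates symlinks must also check where each link points.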
Remediation
Users are advised to update to CI4MS version 0.31.5.0 or later.
