CI4MS Remote Code Execution Vulnerability via Unrestricted Theme Upload
Vulnerability
A remote code execution vulnerability exists in CI4MS, a CodeIgniter 4-based CMS, in versions from 0.26.0.0 up to, but not including, 0.31.7.0. The theme upload feature lets any authenticated backend user who holds the theme-upload permission submit a ZIP archive, and the archive is extracted into the web-served 'public/' directory without any filtering of file extensions or content. A PHP file placed in the archive therefore ends up under the document root, where the web server executes it when it is requested over HTTP. The issue has been patched in version 0.31.7.0.
Impact
Exploitation allows an authenticated user with the theme-upload permission to execute arbitrary PHP code on the server with the privileges of the web server process. From there the attacker can read the application's configuration and database credentials, tamper with content, and pivot further into the host, so the realistic outcome is a full server compromise.
Reproduction
To reproduce this vulnerability, an authenticated backend user with the theme-upload permission uploads a ZIP archive that contains a PHP file. The archive's contents are extracted unchanged into the public directory, so the PHP file becomes reachable through the web server. For example, a ZIP file named 'evil_theme.zip' containing a file named 'shell.php' would be extracted to a path under 'public/' and could then be requested over HTTP, at which point the web server executes it.
Remediation
Users should update to CI4MS version 0.31.7.0 or later, where this vulnerability has been fixed. Until the update is applied, restrict the theme-upload permission to fully trusted administrators. Note that upgrading closes the upload path but does not remove anything an attacker has already placed, so after upgrading, inspect 'public/' (in particular the theme directories) for PHP or other server-executable files that are not part of the expected install, and treat any such file as evidence of compromise.
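The following PHP script is an added example for this advisory, not CI4MS's own upload handler or the project's fix. It shows the two things a maintainer or operator would want from the sections above: a theme-ZIP extractor that validates every archive entry (extension allow-list, rejection of every server-executable suffix on any dotted segment, and path containment) before anything is written under the web root, and an audit routine that lists server-executable files already present under 'public/'. The function names, the two extension lists, the 'index.php' exception and the command-line paths are assumptions chosen for illustration.

```php
<?php
// Added example for this advisory; not CI4MS's code. Extension lists, function
// names and paths are illustrative assumptions.
declare(strict_types=1);

// File types a theme legitimately ships. Assumption: widen only with care.
const THEME_ALLOWED_EXT = ['css', 'js', 'png', 'jpg', 'jpeg', 'gif', 'svg',
    'webp', 'ico', 'woff', 'woff2', 'ttf', 'json', 'html', 'txt', 'md'];

// Suffixes a typical PHP web server hands to an interpreter or reads as
// configuration. Checked on every dotted segment, so "style.css.php" and
// "logo.php.png" are refused as well as a plain "shell.php".
const SERVER_EXECUTABLE_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'php8',
    'phtml', 'phar', 'pht', 'phps', 'cgi', 'pl', 'py', 'sh', 'htaccess', 'htpasswd'];

/** Reject traversal, absolute paths, and any segment naming an executable type. */
function zipEntryIsSafe(string $entry): bool
{
    if ($entry === '' || str_contains($entry, "\0") || str_contains($entry, '\\')
        || str_starts_with($entry, '/') || in_array('..', explode('/', $entry), true)) {
        return false;
    }
    if (str_ends_with($entry, '/')) {
        return true; // directory entry; created on demand during extraction
    }
    $segments = explode('.', strtolower(basename($entry)));
    array_shift($segments); // drop the stem; every remaining segment is an "extension"
    if ($segments === []) {
        return false; // no extension: nothing to allow-list
    }
    foreach ($segments as $ext) {
        if (in_array($ext, SERVER_EXECUTABLE_EXT, true)) {
            return false;
        }
    }
    return in_array(end($segments), THEME_ALLOWED_EXT, true);
}

/**
 * Validate the whole archive first, then write files under $destDir.
 * Throws on the first unsafe entry, so a bad archive writes nothing at all.
 * Returns the absolute paths of the files written.
 */
function extractThemeSafely(string $zipPath, string $destDir): array
{
    $root = realpath($destDir);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException("destination is not a directory: $destDir");
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::RDONLY) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    try {
        $names = [];
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            if ($name === false || !zipEntryIsSafe($name)) {
                throw new RuntimeException('rejected archive entry: ' . var_export($name, true));
            }
            $names[$i] = $name;
        }
        $written = [];
        foreach ($names as $i => $name) {
            if (str_ends_with($name, '/')) {
                continue;
            }
            $target = $root . '/' . $name;
            $dir = dirname($target);
            if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
                throw new RuntimeException("cannot create $dir");
            }
            // The resolved parent must still sit under $root; this also catches a
            // symlink that already exists inside the destination directory.
            $realDir = realpath($dir);
            if ($realDir === false || !str_starts_with($realDir . '/', $root . '/')) {
                throw new RuntimeException("entry escapes destination: $name");
            }
            $data = $zip->getFromIndex($i);
            if ($data === false || file_put_contents($target, $data) === false) {
                throw new RuntimeException("cannot write $target");
            }
            $written[] = $target;
        }
        return $written;
    } finally {
        $zip->close();
    }
}

/** List files under $publicRoot with a server-executable suffix, minus the known-good front controller. */
function findExecutableFiles(string $publicRoot, array $expected = ['index.php']): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($publicRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = ltrim(substr($file->getPathname(), strlen($publicRoot)), '/');
        $segments = explode('.', strtolower($file->getFilename()));
        array_shift($segments);
        if (!in_array($rel, $expected, true) && array_intersect($segments, SERVER_EXECUTABLE_EXT) !== []) {
            $hits[] = $rel;
        }
    }
    sort($hits);
    return $hits;
}

// Usage (paths are placeholders):
//   php theme_guard.php extract theme.zip public/themes/demo
//   php theme_guard.php audit public
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    if ($argv[1] === 'extract' && isset($argv[3])) {
        foreach (extractThemeSafely($argv[2], $argv[3]) as $path) {
            echo "wrote $path\n";
        }
    } elseif ($argv[1] === 'audit' && isset($argv[2])) {
        foreach (findExecutableFiles(rtrim($argv[2], '/')) as $rel) {
            echo "executable file under web root: $rel\n";
        }
    }
}
```

Two design points worth noting. The extractor validates every entry before writing the first file, so an archive that mixes legitimate assets with one 'shell.php' is rejected whole rather than partially installed. And the extension check is an allow-list applied on top of a deny-list: the deny-list exists so that a later, well-meaning widening of the allow-list cannot quietly re-admit a multi-extension name. As defence in depth, the web server should also be configured not to execute scripts from the directory themes are extracted into (for Apache, `php_admin_flag engine off` in that directory's configuration; for nginx, a location rule that never forwards files under it to PHP-FPM), so that a filtering mistake does not become remote code execution.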
