CI4MS CodeIgniter CMS Arbitrary Database Table Drop Vulnerability
Vulnerability
A vulnerability exists in CI4MS, a CodeIgniter 4-based CMS, in versions from 0.31.1.0 up to but not including 0.31.8.0. The issue lies in the deleteProcess() action, which accepts a POST parameter 'tables[]' containing arbitrary table names. These names are passed directly to the database forge's drop-table call without any check that the tables belong to the theme being deleted. As a result, an authenticated admin can drop any table in the database, not only those owned by the theme, undermining the integrity of the application's data.
Impact
Exploitation of this vulnerability allows for the unauthorized deletion of any database table, including critical tables such as those used for blog management and user authentication, thereby disrupting the application's functionality and data integrity.
Reproduction
To reproduce this vulnerability, authenticate as an admin user with theme deletion permissions. Then, send a POST request to the '/backend/themes/delete-process/' endpoint, including arbitrary table names in the 'tables[]' parameter. The specified tables will be dropped from the database without any validation.
Remediation
Users are advised to upgrade to CI4MS version 0.31.8.0, which addresses this vulnerability by implementing a migration-based whitelist that restricts table deletion to those belonging to the specific theme being managed.
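The following CodeIgniter 4 controller is an added illustration of the unsafe pattern the advisory describes next to a per-theme whitelist check; it is not CI4MS's own code and does not reproduce the exact fix shipped in 0.31.8.0. The class name, the 'theme' POST field, the themes/<name>/Database/Migrations directory layout and the TABLES constant on each migration class are assumptions made for the example; the forge, request, response, log_message() and session() calls are standard CodeIgniter 4 APIs.

```php
<?php
// Added example (not CI4MS code). Shows the unvalidated drop loop beside a
// version that only drops tables registered by the selected theme's migrations.
// Namespace, route names, theme directory layout and the TABLES constant are
// assumptions for this illustration.

namespace App\Controllers\Backend;

use CodeIgniter\Controller;
use Config\Database;

class Themes extends Controller
{
    // Unsafe pattern from the advisory: every name in tables[] reaches the forge.
    public function deleteProcessUnsafe()
    {
        $forge = Database::forge();
        foreach ((array) $this->request->getPost('tables') as $table) {
            $forge->dropTable($table, true);   // drops ANY table the admin names
        }
        return $this->response->setStatusCode(204);
    }

    // Hardened version: requested names are checked against the tables the
    // theme's own migrations declare; anything else is rejected and logged.
    public function deleteProcess()
    {
        $theme     = (string) $this->request->getPost('theme');
        $allowed   = $this->themeTables($theme);
        $requested = array_map('strval', (array) $this->request->getPost('tables'));

        $unexpected = array_diff($requested, $allowed);
        if ($unexpected !== []) {
            // Audit trail for the SOC: a non-theme table was targeted.
            log_message('warning', 'Rejected drop of non-theme tables {tables} for theme {theme} by user {user}', [
                'tables' => implode(',', $unexpected),
                'theme'  => $theme,
                'user'   => (string) session('user_id'),
            ]);
            return $this->response->setStatusCode(400)->setBody('invalid table selection');
        }

        $forge = Database::forge();
        foreach ($requested as $table) {
            $forge->dropTable($table, true);   // only whitelisted names get here
        }
        return $this->response->setStatusCode(204);
    }

    // Whitelist source (assumed layout): each theme ships its migrations under
    // themes/<theme>/Database/Migrations, and every migration class declares the
    // tables it creates in a TABLES constant. The theme name is validated first
    // so it cannot be used to walk outside the themes directory.
    private function themeTables(string $theme): array
    {
        if (! preg_match('/^[A-Za-z0-9_-]+$/', $theme)) {
            return [];
        }

        $tables = [];
        $files  = glob(ROOTPATH . 'themes/' . $theme . '/Database/Migrations/*.php') ?: [];
        foreach ($files as $file) {
            // Assumes the theme namespace is autoloaded as Themes\<theme>\...
            $class = 'Themes\\' . $theme . '\\Database\\Migrations\\' . basename($file, '.php');
            if (class_exists($class) && defined($class . '::TABLES')) {
                $tables = array_merge($tables, (array) constant($class . '::TABLES'));
            }
        }
        return array_values(array_unique($tables));
    }
}
```

The important property is that the set of droppable tables is derived from data the theme ships, not from the request: the client can only choose among names the server already knows belong to that theme. Rejecting the whole request when any name falls outside the whitelist, rather than silently filtering, keeps the failure visible in logs and avoids partial deletions.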
