CI4MS Deactivated User Session Bypass Vulnerability
Vulnerability
A session management vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS, affecting versions from 0.26.0 up to, but not including, 0.31.8.0. The authentication filter does not check the account status of deactivated or banned users on each request. When an admin deactivates a user, the user's existing session remains valid and continues to grant access until it expires. The root cause is that the check on the user's 'active' status was inadvertently disabled in the filter, so the status recorded in the database is never consulted after login.
Impact
A deactivated or banned user keeps an authenticated session, and all of the access rights attached to it, until that session expires. With CodeIgniter 4's default session expiration of 7200 seconds (two hours), an administrator's deactivation may therefore take up to two hours to have any effect, and during that window the user can keep acting exactly as before.
Reproduction
To reproduce the issue, log in as a user whose 'active' status is set. While that session is open, have an admin deactivate the user by setting the 'active' field to '0'. Subsequent requests made with the original session are still treated as authenticated: the session is not invalidated and the authentication filter still recognizes the user as logged in, demonstrating that deactivation is not enforced against existing sessions.
Remediation
Users are advised to upgrade to CI4MS version 0.31.8.0, which restores proper session management by verifying user account status on every request, ensuring that deactivated users cannot maintain active sessions.
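The filter below is an added example, not CI4MS code, of the per-request status check described above: it re-reads the user's 'active' flag from the database on every request and destroys the session when the account is no longer active. It assumes a CodeIgniter 4 application with a users table that has integer id and active columns, and a session key named user_id set at login; these names, the filter class, and the redirect targets are assumptions, not taken from the project.

```php
<?php
// Added example filter for CodeIgniter 4; not CI4MS's own code.
// Assumed schema: table `users` with columns `id` and `active` (1 = active).
// Assumed session key: `user_id`, set by the login controller.

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class ActiveUserFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();
        $userId  = $session->get('user_id');

        // No session at all: send to the login page.
        if ($userId === null) {
            return redirect()->to('/login');
        }

        // Re-read the account status from the database on EVERY request.
        // Copying 'active' into the session at login and trusting it later
        // is exactly the gap in the vulnerable filter: a flag captured at
        // login never sees a deactivation that happens afterwards.
        $row = \Config\Database::connect()
            ->table('users')
            ->select('active')
            ->where('id', $userId)
            ->get()
            ->getRowArray();

        if ($row === null || (int) $row['active'] !== 1) {
            // Account deleted, deactivated or banned: drop the server-side
            // session data and its cookie, then bounce to login.
            $session->destroy();

            return redirect()->to('/login')
                ->with('error', 'Your account has been deactivated.');
        }

        // Returning nothing lets the request proceed to the controller.
        return null;
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller runs.
    }
}
```

To activate it, register the class as an alias in app/Config/Filters.php (for example $aliases['activeuser'] = \App\Filters\ActiveUserFilter::class;) and add it to $globals['before'] with an 'except' list covering the login and logout routes, so the check runs on every authenticated request rather than only at login. The database lookup per request is the cost of closing this gap; the alternative of revoking the user's server-side session data at deactivation time works only if the application can enumerate a user's sessions, which the default session handlers do not provide.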
