https://feed.craftedsignal.io/products/ci4-cms-erp/ci4ms/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 22 Apr 2026 17:28:39 +0000https://feed.craftedsignal.io/briefs/2024-01-09-ci4ms-zip-slip/Wed, 22 Apr 2026 17:28:39 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-09-ci4ms-zip-slip/The CI4MS Backup restore function is vulnerable to Zip Slip, allowing remote code execution by uploading a malicious ZIP archive that writes PHP files to the public web root due to missing validation of entry names during extraction, affecting versions prior to 0.31.5.0.A Zip Slip vulnerability exists in the CI4MS backup restore functionality. Authenticated users with backup creation permissions can exploit this by uploading a specially crafted ZIP archive. The vulnerability lies in the Backup::restore function (modules/Backup/Controllers/Backup.php), where the application extracts the uploaded ZIP without proper validation of the entry names. This allows an attacker to write files to arbitrary locations, including the public web root, leading to remote code execution (RCE). This vulnerability affects CI4MS versions prior to 0.31.5.0. By crafting a ZIP file with malicious paths, attackers can bypass intended directory restrictions.

Attack Chain

1. An authenticated user with create role accesses the vulnerable /backend/backup/restore endpoint.
2. The attacker crafts a malicious ZIP archive containing a PHP file (e.g., shell.php) with a path traversing outside the intended extraction directory (e.g., ../../public/shell.php).
3. The attacker uploads the malicious ZIP archive via the backup_file parameter in a POST request.
4. The server moves the uploaded ZIP file to WRITEPATH . 'uploads/' without sanitizing or validating the ZIP entry names.
5. The ZipArchive::extractTo() function is called on the uploaded ZIP, extracting the malicious file to the specified path ../../public/shell.php.
6. The PHP file is written to the web root, allowing for remote code execution.
7. The attacker triggers the injected PHP code by sending a request to /shell.php?c=id, executing arbitrary commands on the server.
8. The attacker gains complete control over the compromised server, including access to sensitive data and the ability to further compromise the network.

Impact

Successful exploitation of this vulnerability allows an attacker to achieve remote code execution (RCE) on the CI4MS server. This can lead to full compromise of the installation, including the database credentials stored in .env and any other sensitive data handled by the site. Because the affected route is in the csrfExcept list, this vulnerability can be triggered cross-site against a logged-in administrator, potentially leading to drive-by RCE against site operators. The vulnerability affects versions of composer/ci4-cms-erp/ci4ms prior to 0.31.5.0.

Recommendation

• Upgrade composer/ci4-cms-erp/ci4ms to version 0.31.5.0 or later to patch the vulnerability as described in GHSA-xp9f-pvvc-57p4.
• Implement server-side validation of uploaded ZIP archive entry names to prevent path traversal vulnerabilities. Specifically, validate the file paths extracted from the ZIP archive before calling extractTo().
• Deploy the Sigma rule Detect CI4MS Zip Slip via Web Request to identify potential exploitation attempts by monitoring HTTP requests to the vulnerable endpoint.
• Enable web server logging and monitor for suspicious file creations, especially in web-accessible directories, after ZIP archive uploads, based on the attack chain described above.

]]>criticaladvisoryzip-sliprcecode-injectionvulnerabilityhttps://feed.craftedsignal.io/briefs/2024-01-30-ci4ms-rce/Tue, 30 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-30-ci4ms-rce/CI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to remote code execution; an authenticated backend user with theme upload permissions can upload a crafted ZIP file containing a PHP file, which is then installed into the web-accessible public directory without filtering, allowing direct execution via HTTP.CI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to authenticated remote code execution. The vulnerability lies in the theme upload feature, where any authenticated backend user with theme-upload permissions can upload a crafted ZIP file. PHP files included in the uploaded ZIP are installed into a web-accessible directory without extension or content filtering. This allows attackers to execute arbitrary PHP code on the server by directly accessing the uploaded files via HTTP requests. The vulnerability was reported on April 29, 2026 and can lead to full server compromise if exploited.

Attack Chain

1. An attacker gains valid credentials for a backend user account with theme upload permissions.
2. The attacker crafts a malicious ZIP archive containing a PHP file (e.g., shell.php) with code to execute system commands via a GET parameter.
3. The attacker uploads the malicious ZIP file (e.g., evil_theme.zip) through the /backend/themes/upload endpoint using a POST request with multipart/form-data.
4. The application extracts the ZIP archive to a temporary directory.
5. The application copies the PHP file from the temporary directory to the public/templates/evil/ directory using the rename() function, with no file type validation or content inspection.
6. The attacker crafts an HTTP GET request targeting the uploaded PHP file (e.g., /templates/evil/shell.php?c=id).
7. The web server executes the PHP code, running the system command specified in the ‘c’ parameter.
8. The output of the executed command is returned in the HTTP response, granting the attacker remote code execution.

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the server under the context of the web server user. This can be leveraged to achieve OS-level command execution, potentially leading to data exfiltration, lateral movement, persistence, or full server compromise. Any deployment where a backend user has been granted theme upload permission is vulnerable. While a superadmin already has full privileges, this vulnerability allows lower-privileged roles to escalate their access.

Recommendation

• Apply the necessary patch or upgrade to a version of CI4MS beyond 0.31.6.0 to remediate CVE-2026-41587.
• Monitor web server logs for suspicious HTTP requests targeting newly created directories under /templates/ with PHP file extensions to detect potential exploitation attempts. Create a rule to detect this.
• Implement stricter file upload validation, including file extension allowlists, MIME type checking, and content inspection, to prevent the upload of malicious PHP files.

]]>highadvisorycode-executionweb-applicationphphttps://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-zip-slip/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-zip-slip/A critical vulnerability exists in ci4ms Theme::upload, where improper validation of ZIP archive entry names allows authenticated users with theme creation permissions to write files to arbitrary locations, leading to remote code execution.The ci4ms application is vulnerable to a Zip Slip attack in its theme upload functionality. This vulnerability, present in versions prior to 0.31.5.0, allows an authenticated backend user with theme creation privileges to upload a specially crafted ZIP archive. Due to the lack of proper validation of entry names during extraction, the attacker can write files to arbitrary locations on the filesystem. This is achieved by including malicious path traversal sequences (e.g., ../../) in the ZIP archive’s entry names. The vulnerability allows an attacker to place a PHP webshell in the public web root, enabling remote code execution on the server. This issue poses a significant risk to organizations using ci4ms, as it allows attackers to fully compromise the installation and access sensitive data.

Attack Chain

1. An attacker authenticates to the ci4ms backend with an account possessing the theme create role.
2. The attacker crafts a malicious ZIP archive containing a PHP webshell (e.g., shell.php) and an info.xml file for theme validation. The webshell is placed with a path traversal sequence, such as ../../public/shell.php.
3. The attacker navigates to the theme upload functionality within the ci4ms backend, accessible via the backend/themes/themesUpload route.
4. The attacker uploads the malicious ZIP archive through the web interface, triggering the Theme::upload function.
5. The ZipArchive::extractTo() function extracts the contents of the ZIP archive to a temporary directory (WRITEPATH . 'tmp/' . str_replace('_theme.zip', '', $file->getName()) . '/') without validating entry names.
6. Due to the path traversal sequences in the ZIP archive, the PHP webshell is written to the web server’s document root (e.g., /var/www/html/public/shell.php).
7. The attacker accesses the PHP webshell via a web browser or command-line tool like curl, passing commands to be executed on the server (e.g., https://target.example.com/shell.php?c=id).
8. The webserver executes the attacker-supplied command, granting the attacker remote code execution on the compromised system.

Impact

Successful exploitation of this Zip Slip vulnerability allows an attacker to gain remote code execution on the ci4ms server. This grants the attacker full control over the server, potentially leading to the exfiltration of sensitive data, including database credentials stored in the .env file. The attacker can also modify or delete website content, install malware, or use the compromised server as a launching point for further attacks. This vulnerability affects versions of ci4ms prior to 0.31.5.0, and impacts any installation where an attacker can obtain theme creation privileges.

Recommendation

• Upgrade ci4ms to version 0.31.5.0 or later to patch CVE-2026-41203.
• Deploy the Sigma rule Detect CI4MS Webshell Upload via Theme Exploit to detect attempts to upload malicious themes containing webshells.
• Implement input validation and sanitization measures to prevent path traversal attacks in file upload functionalities.
• Restrict theme creation privileges to only trusted administrators and monitor theme creation activity for suspicious behavior.

]]>criticaladvisoryzip-sliprcecodeignitervulnerability