{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/codeigniter/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ci4-cms-erp/ci4ms"],"_cs_severities":["critical"],"_cs_tags":["zip-slip","rce","codeigniter","vulnerability"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eThe ci4ms application is vulnerable to a Zip Slip attack in its theme upload functionality. This vulnerability, present in versions prior to 0.31.5.0, allows an authenticated backend user with theme creation privileges to upload a specially crafted ZIP archive. Due to the lack of proper validation of entry names during extraction, the attacker can write files to arbitrary locations on the filesystem. This is achieved by including malicious path traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) in the ZIP archive\u0026rsquo;s entry names. The vulnerability allows an attacker to place a PHP webshell in the public web root, enabling remote code execution on the server. This issue poses a significant risk to organizations using ci4ms, as it allows attackers to fully compromise the installation and access sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ci4ms backend with an account possessing the theme \u003ccode\u003ecreate\u003c/code\u003e role.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a PHP webshell (e.g., \u003ccode\u003eshell.php\u003c/code\u003e) and an \u003ccode\u003einfo.xml\u003c/code\u003e file for theme validation. The webshell is placed with a path traversal sequence, such as \u003ccode\u003e../../public/shell.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the theme upload functionality within the ci4ms backend, accessible via the \u003ccode\u003ebackend/themes/themesUpload\u003c/code\u003e route.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP archive through the web interface, triggering the \u003ccode\u003eTheme::upload\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eZipArchive::extractTo()\u003c/code\u003e function extracts the contents of the ZIP archive to a temporary directory (\u003ccode\u003eWRITEPATH . 'tmp/' . str_replace('_theme.zip', '', $file-\u0026gt;getName()) . '/'\u003c/code\u003e) without validating entry names.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal sequences in the ZIP archive, the PHP webshell is written to the web server\u0026rsquo;s document root (e.g., \u003ccode\u003e/var/www/html/public/shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the PHP webshell via a web browser or command-line tool like \u003ccode\u003ecurl\u003c/code\u003e, passing commands to be executed on the server (e.g., \u003ccode\u003ehttps://target.example.com/shell.php?c=id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web server executes the attacker-supplied command, granting the attacker remote code execution on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this Zip Slip vulnerability allows an attacker to gain remote code execution on the ci4ms server. This grants the attacker full control over the server, potentially leading to the exfiltration of sensitive data, including database credentials stored in the \u003ccode\u003e.env\u003c/code\u003e file. The attacker can also modify or delete website content, install malware, or use the compromised server as a launching point for further attacks. This vulnerability affects versions of ci4ms prior to 0.31.5.0, and impacts any installation where an attacker can obtain theme creation privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ci4ms to version 0.31.5.0 or later to patch CVE-2026-41203.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CI4MS Webshell Upload via Theme Exploit\u003c/code\u003e to detect attempts to upload malicious themes containing webshells.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent path traversal attacks in file upload functionalities.\u003c/li\u003e\n\u003cli\u003eRestrict theme creation privileges to only trusted administrators and monitor theme creation activity for suspicious behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-ci4ms-zip-slip/","summary":"A critical vulnerability exists in ci4ms Theme::upload, where improper validation of ZIP archive entry names allows authenticated users with theme creation permissions to write files to arbitrary locations, leading to remote code execution.","title":"CI4MS Theme Upload Zip Slip Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-zip-slip/"}],"language":"en","title":"CraftedSignal Threat Feed — Codeigniter","version":"https://jsonfeed.org/version/1.1"}