<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CI4MS - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/ci4ms/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/ci4ms/feed.xml" rel="self" type="application/rss+xml"/><item><title>CI4MS Unauthenticated .env Overwrite Vulnerability (CVE-2026-39393)</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-ci4ms-takeover/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-ci4ms-takeover/</guid><description>CI4MS versions before 0.31.4.0 are vulnerable to unauthenticated takeover due to a flawed install route guard that allows overwriting the .env file with attacker-controlled database credentials when the database is temporarily unreachable.</description><content:encoded><![CDATA[<p>CI4MS, a CodeIgniter 4-based CMS skeleton, is vulnerable to a critical security flaw (CVE-2026-39393) in versions prior to 0.31.4.0. The vulnerability stems from an insufficient install route guard mechanism. This guard, designed to prevent unauthorized access to the setup wizard after installation, relies on a combination of a volatile cache check (<code>cache('settings')</code>) and the presence of the <code>.env</code> file. When the database becomes temporarily unreachable, leading to a cache miss (either due to TTL expiry or manual cache clearing), the route guard fails open. This failure enables an unauthenticated attacker to access the setup wizard and overwrite the <code>.env</code> file with maliciously crafted database credentials. Successful exploitation leads to complete application takeover. The vulnerability was patched in version 0.31.4.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The target CI4MS instance experiences a database outage or becomes temporarily unreachable.</li>
<li>The <code>cache('settings')</code> check in the install route guard fails due to a cache miss caused by the database outage.</li>
<li>The flawed logic in the route guard incorrectly determines that the application is not yet installed.</li>
<li>An unauthenticated attacker accesses the <code>/install</code> route, bypassing the intended security controls.</li>
<li>The attacker interacts with the setup wizard, providing malicious database credentials.</li>
<li>The application proceeds to overwrite the existing <code>.env</code> file with the attacker-supplied database configuration.</li>
<li>The attacker gains full administrative access to the CI4MS application using the newly configured database credentials.</li>
<li>The attacker can then execute arbitrary code, modify content, and compromise sensitive data within the CI4MS application.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-39393 allows an unauthenticated attacker to achieve full application takeover of CI4MS instances running versions prior to 0.31.4.0. This can lead to complete data breaches, website defacement, and potential compromise of the underlying server. The severity is critical due to the ease of exploitation and the potential for widespread damage. The number of affected systems depends on the number of CI4MS installations that have not been upgraded to version 0.31.4.0 or later.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade all CI4MS installations to version 0.31.4.0 or later to patch CVE-2026-39393.</li>
<li>Implement network monitoring for unusual access attempts to the <code>/install</code> route on CI4MS instances.</li>
<li>Deploy the Sigma rule <code>Detect CI4MS Install Route Access</code> to detect unauthorized access attempts to the vulnerable installation route.</li>
<li>Review webserver logs for POST requests to the <code>/install</code> route with parameters suggestive of database configuration changes. Use the Sigma rule <code>Detect CI4MS Env Overwrite</code> as a starting point.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-39393</category><category>CI4MS</category><category>CodeIgniter</category><category>Remote Code Execution</category><category>Unauthenticated Access</category></item><item><title>CI4MS .env File Injection Vulnerability (CVE-2026-39394)</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-env-injection/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-env-injection/</guid><description>CI4MS versions prior to 0.31.4.0 are vulnerable to .env file injection via the Install::index() controller due to insufficient input validation and bypassed CSRF protection, allowing attackers to inject arbitrary configuration directives.</description><content:encoded><![CDATA[<p>CI4MS is a CodeIgniter 4-based CMS skeleton designed to provide a production-ready, modular architecture with features like RBAC authorization and theme support. Versions prior to 0.31.4.0 contain a critical vulnerability (CVE-2026-39394) within the Install::index() controller. This controller reads the 'host' POST parameter without proper validation and passes it directly to the <code>updateEnvSettings()</code> function. This function, in turn, uses <code>preg_replace()</code> to write the value into the .env file. The lack of newline character stripping in the input allows an attacker to inject arbitrary configuration directives. Furthermore, the installation routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when the <code>cache('settings')</code> is empty, such as during initial deployment or after cache expiry. This vulnerability allows unauthenticated attackers to modify the application's configuration, leading to potentially complete system compromise. CI4MS deployments are vulnerable until upgraded to version 0.31.4.0 or later.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a POST request to the <code>/install</code> route with a malicious 'host' parameter.</li>
<li>The <code>Install::index()</code> controller receives the POST request.</li>
<li>The controller bypasses CSRF protection due to it being explicitly disabled.</li>
<li>The <code>InstallFilter</code> is bypassed because the <code>cache('settings')</code> is empty (e.g., on a fresh deployment).</li>
<li>The 'host' parameter, containing injected configuration directives with newline characters, is passed to the <code>updateEnvSettings()</code> function.</li>
<li>The <code>updateEnvSettings()</code> function uses <code>preg_replace()</code> to write the attacker-controlled 'host' parameter into the .env file without proper sanitization.</li>
<li>The injected configuration directives are written into the .env file, modifying the application's configuration.</li>
<li>The attacker can now leverage the modified configuration for further malicious activities, such as gaining unauthorized access, escalating privileges, or injecting malicious code.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to inject arbitrary configuration directives into the .env file. This can lead to a wide range of consequences, including but not limited to: database credential compromise, modification of application behavior, remote code execution, and complete system takeover. The number of potential victims is dependent on the number of CI4MS deployments running vulnerable versions (pre-0.31.4.0). Targeted sectors are likely to be diverse, reflecting the broad range of applications for which CI4MS is used.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade CI4MS to version 0.31.4.0 or later to patch CVE-2026-39394.</li>
<li>Monitor web server logs for POST requests to the <code>/install</code> route containing newline characters in the 'host' parameter to detect potential exploitation attempts. Implement the provided Sigma rules to detect this activity.</li>
<li>Implement strict input validation on all user-supplied data, especially for parameters that are used to modify configuration files.</li>
<li>Ensure that CSRF protection is enabled and functioning correctly for all sensitive routes, including installation routes.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ci4ms</category><category>codeigniter</category><category>env-injection</category><category>cve-2026-39394</category></item></channel></rss>