{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/composer/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ci4-cms-erp/ci4ms"],"_cs_severities":["critical"],"_cs_tags":["zip-slip","rce","code-injection","vulnerability"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eA Zip Slip vulnerability exists in the CI4MS backup restore functionality. Authenticated users with backup creation permissions can exploit this by uploading a specially crafted ZIP archive. The vulnerability lies in the \u003ccode\u003eBackup::restore\u003c/code\u003e function (modules/Backup/Controllers/Backup.php), where the application extracts the uploaded ZIP without proper validation of the entry names. This allows an attacker to write files to arbitrary locations, including the public web root, leading to remote code execution (RCE). This vulnerability affects CI4MS versions prior to 0.31.5.0. By crafting a ZIP file with malicious paths, attackers can bypass intended directory restrictions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user with \u003ccode\u003ecreate\u003c/code\u003e role accesses the vulnerable \u003ccode\u003e/backend/backup/restore\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a PHP file (e.g., \u003ccode\u003eshell.php\u003c/code\u003e) with a path traversing outside the intended extraction directory (e.g., \u003ccode\u003e../../public/shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP archive via the \u003ccode\u003ebackup_file\u003c/code\u003e parameter in a POST request.\u003c/li\u003e\n\u003cli\u003eThe server moves the uploaded ZIP file to \u003ccode\u003eWRITEPATH . 'uploads/'\u003c/code\u003e without sanitizing or validating the ZIP entry names.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eZipArchive::extractTo()\u003c/code\u003e function is called on the uploaded ZIP, extracting the malicious file to the specified path \u003ccode\u003e../../public/shell.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe PHP file is written to the web root, allowing for remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the injected PHP code by sending a request to \u003ccode\u003e/shell.php?c=id\u003c/code\u003e, executing arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the compromised server, including access to sensitive data and the ability to further compromise the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve remote code execution (RCE) on the CI4MS server. This can lead to full compromise of the installation, including the database credentials stored in \u003ccode\u003e.env\u003c/code\u003e and any other sensitive data handled by the site. Because the affected route is in the \u003ccode\u003ecsrfExcept\u003c/code\u003e list, this vulnerability can be triggered cross-site against a logged-in administrator, potentially leading to drive-by RCE against site operators. The vulnerability affects versions of \u003ccode\u003ecomposer/ci4-cms-erp/ci4ms\u003c/code\u003e prior to \u003ccode\u003e0.31.5.0\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ecomposer/ci4-cms-erp/ci4ms\u003c/code\u003e to version 0.31.5.0 or later to patch the vulnerability as described in GHSA-xp9f-pvvc-57p4.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation of uploaded ZIP archive entry names to prevent path traversal vulnerabilities. Specifically, validate the file paths extracted from the ZIP archive before calling \u003ccode\u003eextractTo()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CI4MS Zip Slip via Web Request\u003c/code\u003e to identify potential exploitation attempts by monitoring HTTP requests to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious file creations, especially in web-accessible directories, after ZIP archive uploads, based on the attack chain described above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T17:28:39Z","date_published":"2026-04-22T17:28:39Z","id":"/briefs/2024-01-09-ci4ms-zip-slip/","summary":"The CI4MS Backup restore function is vulnerable to Zip Slip, allowing remote code execution by uploading a malicious ZIP archive that writes PHP files to the public web root due to missing validation of entry names during extraction, affecting versions prior to 0.31.5.0.","title":"CI4MS Backup Restore Zip Slip Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2024-01-09-ci4ms-zip-slip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ci4-cms-erp/ci4ms"],"_cs_severities":["high"],"_cs_tags":["code-execution","web-application","php"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eCI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to authenticated remote code execution. The vulnerability lies in the theme upload feature, where any authenticated backend user with theme-upload permissions can upload a crafted ZIP file. PHP files included in the uploaded ZIP are installed into a web-accessible directory without extension or content filtering. This allows attackers to execute arbitrary PHP code on the server by directly accessing the uploaded files via HTTP requests. The vulnerability was reported on April 29, 2026 and can lead to full server compromise if exploited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for a backend user account with theme upload permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a PHP file (e.g., shell.php) with code to execute system commands via a GET parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP file (e.g., evil_theme.zip) through the /backend/themes/upload endpoint using a POST request with multipart/form-data.\u003c/li\u003e\n\u003cli\u003eThe application extracts the ZIP archive to a temporary directory.\u003c/li\u003e\n\u003cli\u003eThe application copies the PHP file from the temporary directory to the public/templates/evil/ directory using the rename() function, with no file type validation or content inspection.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request targeting the uploaded PHP file (e.g., /templates/evil/shell.php?c=id).\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code, running the system command specified in the \u0026lsquo;c\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe output of the executed command is returned in the HTTP response, granting the attacker remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to execute arbitrary PHP code on the server under the context of the web server user. This can be leveraged to achieve OS-level command execution, potentially leading to data exfiltration, lateral movement, persistence, or full server compromise. Any deployment where a backend user has been granted theme upload permission is vulnerable. While a superadmin already has full privileges, this vulnerability allows lower-privileged roles to escalate their access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary patch or upgrade to a version of CI4MS beyond 0.31.6.0 to remediate CVE-2026-41587.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests targeting newly created directories under \u003ccode\u003e/templates/\u003c/code\u003e with PHP file extensions to detect potential exploitation attempts. Create a rule to detect this.\u003c/li\u003e\n\u003cli\u003eImplement stricter file upload validation, including file extension allowlists, MIME type checking, and content inspection, to prevent the upload of malicious PHP files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-ci4ms-rce/","summary":"CI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to remote code execution; an authenticated backend user with theme upload permissions can upload a crafted ZIP file containing a PHP file, which is then installed into the web-accessible public directory without filtering, allowing direct execution via HTTP.","title":"CI4MS Authenticated Remote Code Execution via Theme Upload","url":"https://feed.craftedsignal.io/briefs/2024-01-30-ci4ms-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["admidio"],"_cs_severities":["high"],"_cs_tags":["2fa","bypass","privilege-escalation","admidio"],"_cs_type":"advisory","_cs_vendors":["composer","admidio"],"content_html":"\u003cp\u003eAdmidio, a web-based content management system for organizations, contains a critical vulnerability in its two-factor authentication (2FA) reset mechanism. The vulnerability, present in versions 5.0.8 and earlier, stems from an inverted authorization check within the \u003ccode\u003emodules/profile/two_factor_authentication.php\u003c/code\u003e script. This flaw enables non-administrative users, specifically group leaders with profile edit rights, to disable 2FA for other users, including administrator accounts. The vulnerability was reported on April 29, 2026. By exploiting this flaw, attackers can bypass 2FA, gaining unauthorized access to privileged accounts and potentially compromising the entire Admidio installation. This highlights the importance of rigorous security audits and proper authorization checks in web applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises or gains access to a non-admin user account within Admidio that possesses \u003ccode\u003ehasRightEditProfile()\u003c/code\u003e permission over an administrator account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003e/adm_program/modules/profile/two_factor_authentication.php\u003c/code\u003e with the \u003ccode\u003emode\u003c/code\u003e parameter set to \u003ccode\u003ereset\u003c/code\u003e and the \u003ccode\u003euser_uuid\u003c/code\u003e parameter set to the UUID of the target administrator account.\u003c/li\u003e\n\u003cli\u003eThe server-side script \u003ccode\u003emodules/profile/two_factor_authentication.php\u003c/code\u003e executes the flawed authorization check at line 84. Due to the inverted logic (\u003ccode\u003e!==\u003c/code\u003e instead of \u003ccode\u003e===\u003c/code\u003e), the check incorrectly grants permission to the non-admin user to reset the administrator\u0026rsquo;s 2FA.\u003c/li\u003e\n\u003cli\u003eThe server removes the TOTP configuration associated with the administrator\u0026rsquo;s account from the database or configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker can now attempt to log in to the administrator account using only the password, bypassing the 2FA requirement.\u003c/li\u003e\n\u003cli\u003eIf the attacker knows or can guess the administrator\u0026rsquo;s password (via credential stuffing, brute force, or other means), they successfully gain access to the account.\u003c/li\u003e\n\u003cli\u003eWith administrator privileges, the attacker can perform a variety of malicious actions, such as creating new accounts, modifying website content, or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows attackers to bypass two-factor authentication on administrator accounts in Admidio installations. This can lead to unauthorized access to sensitive data, modification of website content, and potentially full control over the affected system. While the number of affected installations is unknown, organizations using vulnerable versions of Admidio are at risk. Success of the attack results in complete compromise of the Admidio instance and the data it manages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by changing \u003ccode\u003e!==\u003c/code\u003e to \u003ccode\u003e===\u003c/code\u003e on line 84 of \u003ccode\u003emodules/profile/two_factor_authentication.php\u003c/code\u003e to correct the authorization logic (see Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Admidio 2FA Reset Request\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring HTTP POST requests to the vulnerable endpoint (see Rules).\u003c/li\u003e\n\u003cli\u003eUpgrade Admidio to a patched version that incorporates the fix for CVE-2026-41660.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-admidio-2fa-bypass/","summary":"A logic error in Admidio's two-factor authentication reset inverts the authorization check, allowing non-admin users to remove other users' TOTP, including administrators, reducing their security to password-only authentication in versions 5.0.8 and earlier.","title":"Admidio Inverted 2FA Reset Allows Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-admidio-2fa-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["azuracast (\u003c= 0.23.5)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","rce","azuracast","webserver"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eAzuraCast, a self-hosted web radio management suite, is susceptible to a critical path traversal vulnerability (CVE-2026-42605) in its Flow.js media upload endpoint (\u003ccode\u003e/api/station/{station_id}/files/upload\u003c/code\u003e). This flaw allows an authenticated user with media management permissions, such as a DJ or station manager, to bypass file storage directory restrictions. By manipulating the \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameter during file uploads, attackers can write arbitrary files to locations outside the intended media directory. The vulnerability is present in versions up to and including 0.23.5, and exploitation leads to remote code execution via PHP webshell upload, potentially resulting in full server compromise. The default local filesystem storage backend is required for exploitation; S3 or remote storage is not vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the AzuraCast web interface with a valid user account that has the \u003ccode\u003eStationPermissions::Media\u003c/code\u003e permission (e.g., DJ or Station Manager).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/station/{station_id}/files/upload\u003c/code\u003e endpoint, targeting a station that uses local storage.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../../../../../var/azuracast/www/public\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request also includes a PHP webshell file (\u003ccode\u003eshell.php\u003c/code\u003e) as the \u003ccode\u003efile_data\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe server-side code in \u003ccode\u003eFlowUploadAction.php\u003c/code\u003e concatenates the unsanitized \u003ccode\u003ecurrentDirectory\u003c/code\u003e value with the sanitized filename.\u003c/li\u003e\n\u003cli\u003eThe server attempts to process the uploaded file, but the \u003ccode\u003e.php\u003c/code\u003e extension triggers a \u003ccode\u003eCannotProcessMediaException\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efinally\u003c/code\u003e block in \u003ccode\u003eMediaProcessor.php\u003c/code\u003e executes, calling \u003ccode\u003eLocalFilesystem::upload()\u003c/code\u003e to copy the file to the concatenated path, bypassing normal path sanitization due to \u003ccode\u003ePathPrefixer::prefixPath()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe webshell is written to the web root, allowing the attacker to execute arbitrary commands by accessing the webshell via HTTP.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the AzuraCast server. This can lead to full server compromise, including reading sensitive configuration files (database credentials, API keys), accessing all station data, modifying application code, and potentially escalating privileges to root. A DJ-level user, the lowest privileged role with media access, can achieve the equivalent of full system administrator access, resulting in data exfiltration and complete control over the AzuraCast instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-provided patch by sanitizing the \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameter in \u003ccode\u003eFlowUploadAction.php\u003c/code\u003e using \u003ccode\u003eUploadedFile::filterClientPath()\u003c/code\u003e to prevent path traversal.\u003c/li\u003e\n\u003cli\u003eImplement path normalization in \u003ccode\u003eLocalFilesystem::upload()\u003c/code\u003e to prevent traversal even after concatenation, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AzuraCast Webshell Upload via Path Traversal\u0026rdquo; to identify exploitation attempts based on suspicious \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to unusual PHP files in the web root directory, such as \u003ccode\u003eshell.php\u003c/code\u003e as described in the PoC.\u003c/li\u003e\n\u003cli\u003eEnsure that AzuraCast instances do not grant excessive permissions to users; minimize the number of accounts with \u003ccode\u003eStationPermissions::Media\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azuracast-rce/","summary":"AzuraCast is vulnerable to path traversal in the Flow.js media upload endpoint, allowing authenticated users with media permissions to write arbitrary files, leading to remote code execution via PHP webshell upload.","title":"AzuraCast Path Traversal Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-azuracast-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["azuracast","nginx","azuracast/azuracast (\u003c= 0.23.5)"],"_cs_severities":["medium"],"_cs_tags":["account takeover","x-forwarded-host","password reset poisoning"],"_cs_type":"advisory","_cs_vendors":["nginx","composer"],"content_html":"\u003cp\u003eAzuraCast versions 0.23.5 and earlier are vulnerable to an account takeover vulnerability stemming from the unconditional trust of the \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e HTTP header. An unauthenticated attacker can exploit this by injecting a malicious hostname into the password reset URL sent to a user. This is achieved by sending a crafted request to the \u003ccode\u003e/forgot\u003c/code\u003e endpoint with the \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e header set to a domain controlled by the attacker. The victim, upon clicking the poisoned link in the reset email, inadvertently sends their password reset token to the attacker\u0026rsquo;s server. This allows the attacker to reset the victim\u0026rsquo;s password and disable their two-factor authentication, gaining complete control of the account. This vulnerability exists because the \u003ccode\u003eApplyXForwarded\u003c/code\u003e middleware doesn\u0026rsquo;t validate the \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e header against a trusted proxy allowlist and the application uses the request host for generating security-critical URLs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/forgot\u003c/code\u003e endpoint with the \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e header set to a malicious domain (e.g., \u003ccode\u003eevil.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe AzuraCast application generates a password reset email containing a poisoned URL with the attacker\u0026rsquo;s domain.\u003c/li\u003e\n\u003cli\u003eThe victim receives the password reset email and clicks on the malicious link, sending a GET request to the attacker\u0026rsquo;s domain, inadvertently leaking the password reset token.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server captures the password reset token from the URL path.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured token to access the password reset page on the legitimate AzuraCast instance.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a CSRF token from the reset page.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the password reset endpoint on the real AzuraCast instance, including the CSRF token and a new password.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s password is changed, and their 2FA is disabled, granting the attacker full account access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows for full account takeover of any user, including administrators, without prior authentication. The attack also bypasses 2FA, negating its security benefits. If an administrator account is compromised, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings. The attack requires the victim to click a link in a legitimate-looking password reset email, increasing the likelihood of success. This can lead to unauthorized access to sensitive data, disruption of service, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement a trusted proxy allowlist in \u003ccode\u003ebackend/src/Middleware/ApplyXForwarded.php\u003c/code\u003e to validate the \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e header, as described in the provided fix, to prevent hostname injection (Fix 1).\u003c/li\u003e\n\u003cli\u003eModify \u003ccode\u003eForgotPasswordAction.php\u003c/code\u003e to generate the reset URL using the configured \u003ccode\u003ebase_url\u003c/code\u003e setting rather than the request-derived URL to ensure the correct domain is used in the reset email (Fix 2).\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious requests to the \u003ccode\u003e/forgot\u003c/code\u003e endpoint with a non-standard \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e header to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eRemove the line \u003ccode\u003e$user-\u0026gt;two_factor_secret = null;\u003c/code\u003e from \u003ccode\u003eLoginTokenAction.php:75\u003c/code\u003e to prevent 2FA from being disabled during password reset, requiring a separate, explicit flow for 2FA recovery (Fix 3).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azuracast-account-takeover/","summary":"AzuraCast is vulnerable to password reset poisoning due to unconditionally trusting the X-Forwarded-Host header, allowing an attacker to inject a malicious host into the password reset URL, exfiltrate the reset token, reset the victim's password, and disable 2FA, leading to account takeover.","title":"AzuraCast Account Takeover via X-Forwarded-Host Poisoning","url":"https://feed.craftedsignal.io/briefs/2024-01-azuracast-account-takeover/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ci4-cms-erp/ci4ms"],"_cs_severities":["critical"],"_cs_tags":["zip-slip","rce","codeigniter","vulnerability"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eThe ci4ms application is vulnerable to a Zip Slip attack in its theme upload functionality. This vulnerability, present in versions prior to 0.31.5.0, allows an authenticated backend user with theme creation privileges to upload a specially crafted ZIP archive. Due to the lack of proper validation of entry names during extraction, the attacker can write files to arbitrary locations on the filesystem. This is achieved by including malicious path traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) in the ZIP archive\u0026rsquo;s entry names. The vulnerability allows an attacker to place a PHP webshell in the public web root, enabling remote code execution on the server. This issue poses a significant risk to organizations using ci4ms, as it allows attackers to fully compromise the installation and access sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ci4ms backend with an account possessing the theme \u003ccode\u003ecreate\u003c/code\u003e role.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a PHP webshell (e.g., \u003ccode\u003eshell.php\u003c/code\u003e) and an \u003ccode\u003einfo.xml\u003c/code\u003e file for theme validation. The webshell is placed with a path traversal sequence, such as \u003ccode\u003e../../public/shell.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the theme upload functionality within the ci4ms backend, accessible via the \u003ccode\u003ebackend/themes/themesUpload\u003c/code\u003e route.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP archive through the web interface, triggering the \u003ccode\u003eTheme::upload\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eZipArchive::extractTo()\u003c/code\u003e function extracts the contents of the ZIP archive to a temporary directory (\u003ccode\u003eWRITEPATH . 'tmp/' . str_replace('_theme.zip', '', $file-\u0026gt;getName()) . '/'\u003c/code\u003e) without validating entry names.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal sequences in the ZIP archive, the PHP webshell is written to the web server\u0026rsquo;s document root (e.g., \u003ccode\u003e/var/www/html/public/shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the PHP webshell via a web browser or command-line tool like \u003ccode\u003ecurl\u003c/code\u003e, passing commands to be executed on the server (e.g., \u003ccode\u003ehttps://target.example.com/shell.php?c=id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe webserver executes the attacker-supplied command, granting the attacker remote code execution on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this Zip Slip vulnerability allows an attacker to gain remote code execution on the ci4ms server. This grants the attacker full control over the server, potentially leading to the exfiltration of sensitive data, including database credentials stored in the \u003ccode\u003e.env\u003c/code\u003e file. The attacker can also modify or delete website content, install malware, or use the compromised server as a launching point for further attacks. This vulnerability affects versions of ci4ms prior to 0.31.5.0, and impacts any installation where an attacker can obtain theme creation privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ci4ms to version 0.31.5.0 or later to patch CVE-2026-41203.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CI4MS Webshell Upload via Theme Exploit\u003c/code\u003e to detect attempts to upload malicious themes containing webshells.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent path traversal attacks in file upload functionalities.\u003c/li\u003e\n\u003cli\u003eRestrict theme creation privileges to only trusted administrators and monitor theme creation activity for suspicious behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-ci4ms-zip-slip/","summary":"A critical vulnerability exists in ci4ms Theme::upload, where improper validation of ZIP archive entry names allows authenticated users with theme creation permissions to write files to arbitrary locations, leading to remote code execution.","title":"CI4MS Theme Upload Zip Slip Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-zip-slip/"}],"language":"en","title":"CraftedSignal Threat Feed — Composer","version":"https://jsonfeed.org/version/1.1"}