Composer — CraftedSignal Threat Feed

CI4MS Backup Restore Zip Slip Vulnerability Leads to RCE

hello@craftedsignal.io — Wed, 22 Apr 2026 17:28:39 +0000

A Zip Slip vulnerability exists in the CI4MS backup restore functionality. Authenticated users with backup creation permissions can exploit this by uploading a specially crafted ZIP archive. The vulnerability lies in the Backup::restore function (modules/Backup/Controllers/Backup.php), where the application extracts the uploaded ZIP without proper validation of the entry names. This allows an attacker to write files to arbitrary locations, including the public web root, leading to remote code execution (RCE). This vulnerability affects CI4MS versions prior to 0.31.5.0. By crafting a ZIP file with malicious paths, attackers can bypass intended directory restrictions.

Attack Chain

An authenticated user with create role accesses the vulnerable /backend/backup/restore endpoint.
The attacker crafts a malicious ZIP archive containing a PHP file (e.g., shell.php) with a path traversing outside the intended extraction directory (e.g., ../../public/shell.php).
The attacker uploads the malicious ZIP archive via the backup_file parameter in a POST request.
The server moves the uploaded ZIP file to WRITEPATH . 'uploads/' without sanitizing or validating the ZIP entry names.
The ZipArchive::extractTo() function is called on the uploaded ZIP, extracting the malicious file to the specified path ../../public/shell.php.
The PHP file is written to the web root, allowing for remote code execution.
The attacker triggers the injected PHP code by sending a request to /shell.php?c=id, executing arbitrary commands on the server.
The attacker gains complete control over the compromised server, including access to sensitive data and the ability to further compromise the network.

Impact

Successful exploitation of this vulnerability allows an attacker to achieve remote code execution (RCE) on the CI4MS server. This can lead to full compromise of the installation, including the database credentials stored in .env and any other sensitive data handled by the site. Because the affected route is in the csrfExcept list, this vulnerability can be triggered cross-site against a logged-in administrator, potentially leading to drive-by RCE against site operators. The vulnerability affects versions of composer/ci4-cms-erp/ci4ms prior to 0.31.5.0.

Recommendation

Upgrade composer/ci4-cms-erp/ci4ms to version 0.31.5.0 or later to patch the vulnerability as described in GHSA-xp9f-pvvc-57p4.
Implement server-side validation of uploaded ZIP archive entry names to prevent path traversal vulnerabilities. Specifically, validate the file paths extracted from the ZIP archive before calling extractTo().
Deploy the Sigma rule Detect CI4MS Zip Slip via Web Request to identify potential exploitation attempts by monitoring HTTP requests to the vulnerable endpoint.
Enable web server logging and monitor for suspicious file creations, especially in web-accessible directories, after ZIP archive uploads, based on the attack chain described above.

CI4MS Authenticated Remote Code Execution via Theme Upload

hello@craftedsignal.io — Tue, 30 Jan 2024 12:00:00 +0000

CI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to authenticated remote code execution. The vulnerability lies in the theme upload feature, where any authenticated backend user with theme-upload permissions can upload a crafted ZIP file. PHP files included in the uploaded ZIP are installed into a web-accessible directory without extension or content filtering. This allows attackers to execute arbitrary PHP code on the server by directly accessing the uploaded files via HTTP requests. The vulnerability was reported on April 29, 2026 and can lead to full server compromise if exploited.

Attack Chain

An attacker gains valid credentials for a backend user account with theme upload permissions.
The attacker crafts a malicious ZIP archive containing a PHP file (e.g., shell.php) with code to execute system commands via a GET parameter.
The attacker uploads the malicious ZIP file (e.g., evil_theme.zip) through the /backend/themes/upload endpoint using a POST request with multipart/form-data.
The application extracts the ZIP archive to a temporary directory.
The application copies the PHP file from the temporary directory to the public/templates/evil/ directory using the rename() function, with no file type validation or content inspection.
The attacker crafts an HTTP GET request targeting the uploaded PHP file (e.g., /templates/evil/shell.php?c=id).
The web server executes the PHP code, running the system command specified in the ‘c’ parameter.
The output of the executed command is returned in the HTTP response, granting the attacker remote code execution.

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the server under the context of the web server user. This can be leveraged to achieve OS-level command execution, potentially leading to data exfiltration, lateral movement, persistence, or full server compromise. Any deployment where a backend user has been granted theme upload permission is vulnerable. While a superadmin already has full privileges, this vulnerability allows lower-privileged roles to escalate their access.

Recommendation

Apply the necessary patch or upgrade to a version of CI4MS beyond 0.31.6.0 to remediate CVE-2026-41587.
Monitor web server logs for suspicious HTTP requests targeting newly created directories under /templates/ with PHP file extensions to detect potential exploitation attempts. Create a rule to detect this.
Implement stricter file upload validation, including file extension allowlists, MIME type checking, and content inspection, to prevent the upload of malicious PHP files.

Admidio Inverted 2FA Reset Allows Privilege Escalation

hello@craftedsignal.io — Mon, 22 Jan 2024 12:00:00 +0000

Admidio, a web-based content management system for organizations, contains a critical vulnerability in its two-factor authentication (2FA) reset mechanism. The vulnerability, present in versions 5.0.8 and earlier, stems from an inverted authorization check within the modules/profile/two_factor_authentication.php script. This flaw enables non-administrative users, specifically group leaders with profile edit rights, to disable 2FA for other users, including administrator accounts. The vulnerability was reported on April 29, 2026. By exploiting this flaw, attackers can bypass 2FA, gaining unauthorized access to privileged accounts and potentially compromising the entire Admidio installation. This highlights the importance of rigorous security audits and proper authorization checks in web applications.

Attack Chain

An attacker compromises or gains access to a non-admin user account within Admidio that possesses hasRightEditProfile() permission over an administrator account.
The attacker crafts a POST request to /adm_program/modules/profile/two_factor_authentication.php with the mode parameter set to reset and the user_uuid parameter set to the UUID of the target administrator account.
The server-side script modules/profile/two_factor_authentication.php executes the flawed authorization check at line 84. Due to the inverted logic (!== instead of ===), the check incorrectly grants permission to the non-admin user to reset the administrator’s 2FA.
The server removes the TOTP configuration associated with the administrator’s account from the database or configuration files.
The attacker can now attempt to log in to the administrator account using only the password, bypassing the 2FA requirement.
If the attacker knows or can guess the administrator’s password (via credential stuffing, brute force, or other means), they successfully gain access to the account.
With administrator privileges, the attacker can perform a variety of malicious actions, such as creating new accounts, modifying website content, or accessing sensitive data.

Impact

The vulnerability allows attackers to bypass two-factor authentication on administrator accounts in Admidio installations. This can lead to unauthorized access to sensitive data, modification of website content, and potentially full control over the affected system. While the number of affected installations is unknown, organizations using vulnerable versions of Admidio are at risk. Success of the attack results in complete compromise of the Admidio instance and the data it manages.

Recommendation

Apply the recommended fix by changing !== to === on line 84 of modules/profile/two_factor_authentication.php to correct the authorization logic (see Overview).
Deploy the Sigma rule Detect Admidio 2FA Reset Request to detect attempts to exploit this vulnerability by monitoring HTTP POST requests to the vulnerable endpoint (see Rules).
Upgrade Admidio to a patched version that incorporates the fix for CVE-2026-41660.

AzuraCast Path Traversal Leads to Remote Code Execution

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

AzuraCast, a self-hosted web radio management suite, is susceptible to a critical path traversal vulnerability (CVE-2026-42605) in its Flow.js media upload endpoint (/api/station/{station_id}/files/upload). This flaw allows an authenticated user with media management permissions, such as a DJ or station manager, to bypass file storage directory restrictions. By manipulating the currentDirectory parameter during file uploads, attackers can write arbitrary files to locations outside the intended media directory. The vulnerability is present in versions up to and including 0.23.5, and exploitation leads to remote code execution via PHP webshell upload, potentially resulting in full server compromise. The default local filesystem storage backend is required for exploitation; S3 or remote storage is not vulnerable.

Attack Chain

The attacker authenticates to the AzuraCast web interface with a valid user account that has the StationPermissions::Media permission (e.g., DJ or Station Manager).
The attacker crafts a malicious HTTP POST request to the /api/station/{station_id}/files/upload endpoint, targeting a station that uses local storage.
The request includes a currentDirectory parameter containing path traversal sequences (e.g., ../../../../../var/azuracast/www/public).
The request also includes a PHP webshell file (shell.php) as the file_data parameter.
The server-side code in FlowUploadAction.php concatenates the unsanitized currentDirectory value with the sanitized filename.
The server attempts to process the uploaded file, but the .php extension triggers a CannotProcessMediaException.
The finally block in MediaProcessor.php executes, calling LocalFilesystem::upload() to copy the file to the concatenated path, bypassing normal path sanitization due to PathPrefixer::prefixPath().
The webshell is written to the web root, allowing the attacker to execute arbitrary commands by accessing the webshell via HTTP.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the AzuraCast server. This can lead to full server compromise, including reading sensitive configuration files (database credentials, API keys), accessing all station data, modifying application code, and potentially escalating privileges to root. A DJ-level user, the lowest privileged role with media access, can achieve the equivalent of full system administrator access, resulting in data exfiltration and complete control over the AzuraCast instance.

Recommendation

Apply the vendor-provided patch by sanitizing the currentDirectory parameter in FlowUploadAction.php using UploadedFile::filterClientPath() to prevent path traversal.
Implement path normalization in LocalFilesystem::upload() to prevent traversal even after concatenation, as described in the advisory.
Deploy the Sigma rule “Detect AzuraCast Webshell Upload via Path Traversal” to identify exploitation attempts based on suspicious currentDirectory parameters.
Monitor web server logs for access to unusual PHP files in the web root directory, such as shell.php as described in the PoC.
Ensure that AzuraCast instances do not grant excessive permissions to users; minimize the number of accounts with StationPermissions::Media.

AzuraCast Account Takeover via X-Forwarded-Host Poisoning

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

AzuraCast versions 0.23.5 and earlier are vulnerable to an account takeover vulnerability stemming from the unconditional trust of the X-Forwarded-Host HTTP header. An unauthenticated attacker can exploit this by injecting a malicious hostname into the password reset URL sent to a user. This is achieved by sending a crafted request to the /forgot endpoint with the X-Forwarded-Host header set to a domain controlled by the attacker. The victim, upon clicking the poisoned link in the reset email, inadvertently sends their password reset token to the attacker’s server. This allows the attacker to reset the victim’s password and disable their two-factor authentication, gaining complete control of the account. This vulnerability exists because the ApplyXForwarded middleware doesn’t validate the X-Forwarded-Host header against a trusted proxy allowlist and the application uses the request host for generating security-critical URLs.

Attack Chain

The attacker crafts a POST request to the /forgot endpoint with the X-Forwarded-Host header set to a malicious domain (e.g., evil.com).
The AzuraCast application generates a password reset email containing a poisoned URL with the attacker’s domain.
The victim receives the password reset email and clicks on the malicious link, sending a GET request to the attacker’s domain, inadvertently leaking the password reset token.
The attacker’s server captures the password reset token from the URL path.
The attacker uses the captured token to access the password reset page on the legitimate AzuraCast instance.
The attacker obtains a CSRF token from the reset page.
The attacker crafts a POST request to the password reset endpoint on the real AzuraCast instance, including the CSRF token and a new password.
The victim’s password is changed, and their 2FA is disabled, granting the attacker full account access.

Impact

Successful exploitation of this vulnerability allows for full account takeover of any user, including administrators, without prior authentication. The attack also bypasses 2FA, negating its security benefits. If an administrator account is compromised, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings. The attack requires the victim to click a link in a legitimate-looking password reset email, increasing the likelihood of success. This can lead to unauthorized access to sensitive data, disruption of service, and reputational damage.

Recommendation

Implement a trusted proxy allowlist in backend/src/Middleware/ApplyXForwarded.php to validate the X-Forwarded-Host header, as described in the provided fix, to prevent hostname injection (Fix 1).
Modify ForgotPasswordAction.php to generate the reset URL using the configured base_url setting rather than the request-derived URL to ensure the correct domain is used in the reset email (Fix 2).
Deploy the following Sigma rule to detect suspicious requests to the /forgot endpoint with a non-standard X-Forwarded-Host header to identify potential exploitation attempts.
Remove the line $user->two_factor_secret = null; from LoginTokenAction.php:75 to prevent 2FA from being disabled during password reset, requiring a separate, explicit flow for 2FA recovery (Fix 3).

CI4MS Theme Upload Zip Slip Vulnerability

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

The ci4ms application is vulnerable to a Zip Slip attack in its theme upload functionality. This vulnerability, present in versions prior to 0.31.5.0, allows an authenticated backend user with theme creation privileges to upload a specially crafted ZIP archive. Due to the lack of proper validation of entry names during extraction, the attacker can write files to arbitrary locations on the filesystem. This is achieved by including malicious path traversal sequences (e.g., ../../) in the ZIP archive’s entry names. The vulnerability allows an attacker to place a PHP webshell in the public web root, enabling remote code execution on the server. This issue poses a significant risk to organizations using ci4ms, as it allows attackers to fully compromise the installation and access sensitive data.

Attack Chain

An attacker authenticates to the ci4ms backend with an account possessing the theme create role.
The attacker crafts a malicious ZIP archive containing a PHP webshell (e.g., shell.php) and an info.xml file for theme validation. The webshell is placed with a path traversal sequence, such as ../../public/shell.php.
The attacker navigates to the theme upload functionality within the ci4ms backend, accessible via the backend/themes/themesUpload route.
The attacker uploads the malicious ZIP archive through the web interface, triggering the Theme::upload function.
The ZipArchive::extractTo() function extracts the contents of the ZIP archive to a temporary directory (WRITEPATH . 'tmp/' . str_replace('_theme.zip', '', $file->getName()) . '/') without validating entry names.
Due to the path traversal sequences in the ZIP archive, the PHP webshell is written to the web server’s document root (e.g., /var/www/html/public/shell.php).
The attacker accesses the PHP webshell via a web browser or command-line tool like curl, passing commands to be executed on the server (e.g., https://target.example.com/shell.php?c=id).
The webserver executes the attacker-supplied command, granting the attacker remote code execution on the compromised system.

Impact

Successful exploitation of this Zip Slip vulnerability allows an attacker to gain remote code execution on the ci4ms server. This grants the attacker full control over the server, potentially leading to the exfiltration of sensitive data, including database credentials stored in the .env file. The attacker can also modify or delete website content, install malware, or use the compromised server as a launching point for further attacks. This vulnerability affects versions of ci4ms prior to 0.31.5.0, and impacts any installation where an attacker can obtain theme creation privileges.

Recommendation

Upgrade ci4ms to version 0.31.5.0 or later to patch CVE-2026-41203.
Deploy the Sigma rule Detect CI4MS Webshell Upload via Theme Exploit to detect attempts to upload malicious themes containing webshells.
Implement input validation and sanitization measures to prevent path traversal attacks in file upload functionalities.
Restrict theme creation privileges to only trusted administrators and monitor theme creation activity for suspicious behavior.