CodeIgniter4 `ext_in` Upload Validation Bypass Can Lead to Arbitrary Code Execution (GHSA-2gr4-ppc7-7mhx)
critical-cve-against-dependency · active
CodeIgniter4's `ext_in` file-upload validation rule checked the extension guessed from the file's MIME type instead of the extension of the client-supplied filename, so a file named `shell.php` whose content looked like a GIF passed validation. Applications that store uploads under their original filename in a web-accessible directory could be tricked into saving and then executing such files. Fixed in v4.7.3.
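The following controller is an added example written for this record; it is not code from the CodeIgniter4 project or the advisory. It shows the two mitigations the description points at: validating the extension the client actually sent (rather than trusting only the MIME-derived guess) and storing the upload under a random name outside the web root instead of under its original filename. The controller name `Upload`, the form field `userfile`, the allowed-extension list and the destination `WRITEPATH . 'uploads'` are assumptions; the framework calls used (`validate()`, `getFile()`, `getClientExtension()`, `guessExtension()`, `getRandomName()`, `move()`) are documented CodeIgniter 4 `UploadedFile`/controller APIs.

```php
<?php
// Added example (not project code). Assumes a CodeIgniter 4 app with a form
// field named "userfile" and a writable, non-web-accessible WRITEPATH/uploads.

namespace App\Controllers;

use CodeIgniter\HTTP\Files\UploadedFile;

class Upload extends BaseController
{
    // Extensions this application is willing to store (assumption for the example).
    private const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

    public function store()
    {
        // Framework rules. On versions before 4.7.3 ext_in alone is not enough,
        // so the checks below do not rely on it.
        $rules = [
            'userfile' => [
                'uploaded[userfile]',
                'max_size[userfile,2048]',
                'ext_in[userfile,jpg,jpeg,png,gif]',
                'mime_in[userfile,image/jpeg,image/png,image/gif]',
            ],
        ];

        if (! $this->validate($rules)) {
            return $this->response->setStatusCode(400)
                ->setJSON(['errors' => $this->validator->getErrors()]);
        }

        $file = $this->request->getFile('userfile');
        if (! $file instanceof UploadedFile || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setJSON(['errors' => ['upload failed']]);
        }

        // Defence in depth: check the extension the client actually supplied,
        // which is what a naive "save under original name" would use.
        $clientExt  = strtolower($file->getClientExtension());
        $guessedExt = strtolower($file->guessExtension());

        if (! in_array($clientExt, self::ALLOWED_EXTENSIONS, true)) {
            return $this->response->setStatusCode(400)
                ->setJSON(['errors' => ['extension not allowed: ' . $clientExt]]);
        }

        // Require the content-derived guess to agree with the client extension
        // (treating jpg/jpeg as the same), so "shell.php with GIF bytes" is rejected.
        $normalize = static fn (string $ext): string => $ext === 'jpeg' ? 'jpg' : $ext;
        if ($normalize($clientExt) !== $normalize($guessedExt)) {
            return $this->response->setStatusCode(400)
                ->setJSON(['errors' => ['filename extension does not match content']]);
        }

        // Never reuse the client filename. getRandomName() builds
        // "<timestamp>_<random hex>.<ext>" where <ext> is the framework's guess,
        // which we have just confirmed is on the allow list.
        $newName = $file->getRandomName();

        // WRITEPATH is outside the document root, so even a file that slipped
        // through could not be requested and executed by the web server.
        $file->move(WRITEPATH . 'uploads', $newName);

        return $this->response->setJSON(['stored' => $newName]);
    }
}
```

If the application must serve the uploaded files back to users, do so through a controller that streams them from `WRITEPATH` with an explicit `Content-Type`, rather than by placing them in `public/`.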
Affected packages
- packagist: codeigniter4/framework
Sources
- ghsa: https://github.com/advisories/GHSA-2gr4-ppc7-7mhx
- ghsa: https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-2gr4-ppc7-7mhx
- ghsa: https://github.com/codeigniter4/CodeIgniter4/commit/29299349e7d232e9532767c7cefaed30957309be
- ghsa: https://codeigniter.com/user_guide/libraries/uploaded_files.html#moving-files
- ghsa: https://codeigniter.com/user_guide/libraries/validation.html#rules-for-file-uploads
- ghsa: https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md