CodeIgniter4 File Extension Validation Bypass Leading to Arbitrary Code Execution
CodeIgniter4's `ext_in` file validation rule compares its allowlist against the extension guessed from the file's detected MIME type, not against the extension of the client-supplied filename. A file whose leading bytes look like an allowed type but whose name ends in an executable extension (a PHP shell prefixed with GIF magic bytes, for example) therefore passes validation. When the upload is then stored under its original name in a web-accessible directory where the PHP handler is enabled, the result is arbitrary code execution on the server.
Vulnerability Description:
This is a file upload validation bypass in CodeIgniter4's `ext_in` validation rule. The root cause is a logic error: the rule validates the extension derived from the detected MIME type instead of the extension of the filename the client actually sent. An attacker crafts a polyglot file (for example, a PHP script prefixed with GIF magic bytes) that is detected as a permitted type while keeping a dangerous extension such as `.php`. When `ext_in` evaluates this file it compares the guessed extension (`gif`) against the allowlist and never looks at the real extension (`php`), so the file type restriction is bypassed. Because the file keeps its `.php` name on disk, any web server configured to execute PHP in the storage directory will run it. This is an input validation weakness (unrestricted upload of a file with dangerous type, CWE-434), not an authentication or authorization flaw; the attacker needs only whatever access the upload endpoint itself requires.
Proof-of-Concept Significance:
The PoC shows that the bypass is trivially reproducible and reliable. Its preconditions are common in real applications: user-controlled uploads, reliance on `ext_in` as the only file type check, preservation of the client-supplied filename when calling `$file->move()`, and storage in a web-accessible directory where the PHP handler is enabled. The disclosure demonstrates that the validator does not perform the check its name promises, making this a high-confidence finding for applications that use default or typical CodeIgniter4 upload patterns.
Detection Guidance:
Defenders should: (1) inventory CodeIgniter4 applications running versions earlier than 4.7.3; (2) look for double extensions, or a filename extension that disagrees with the declared or detected MIME type, in upload handler logs or in multipart request captures from a WAF or reverse proxy (standard access logs do not record the MIME type); (3) correlate POST requests to upload handlers with subsequent requests for files under `writable/uploads/`, `public/uploads/` or similar paths that attempt to execute them; (4) alert on PHP or other executable files appearing in upload directories despite `ext_in` restrictions; (5) review application logs for `ext_in` passing files whose client-supplied extension is outside the allowlist. Enable verbose upload logging and file integrity monitoring on upload directories. YARA or equivalent content rules should flag polyglot files: files whose magic bytes identify one type while the filename carries an executable extension, or whose body contains a PHP open tag.
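Indicators (2) and (4) and the YARA guidance can be checked offline against the files already on disk. The following is an added example, not code from the advisory or from CodeIgniter: a PHP CLI script that scans a directory for executable or double extensions, for magic bytes that disagree with the extension, and for a PHP open tag in the body. The sample files it writes to a temporary directory are constructed for the demonstration, and the extension and signature tables are assumptions chosen for a typical image uploader, not values taken from the framework.

```php
<?php
// Added example, not code from the advisory or from CodeIgniter: scan an
// upload directory for the indicators an ext_in bypass leaves behind.
// Sample files are constructed below so the script runs offline.
declare(strict_types=1);

// Extensions a typical PHP-FPM/Apache handler will execute (assumed list).
const EXECUTABLE_EXTS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'pht'];

// Magic-byte prefixes expected for the extensions an image uploader usually allows.
const MAGIC = [
    'gif' => ["GIF87a", "GIF89a"],
    'png' => ["\x89PNG\r\n\x1a\n"],
    'jpg' => ["\xFF\xD8\xFF"],
    'pdf' => ["%PDF-"],
];

/** Return the extension implied by the leading bytes, or null if unknown. */
function sniffExtension(string $head): ?string
{
    foreach (MAGIC as $ext => $signatures) {
        foreach ($signatures as $sig) {
            if (strncmp($head, $sig, strlen($sig)) === 0) {
                return $ext;
            }
        }
    }
    return null;
}

/** Inspect one file and return a list of findings (empty array = nothing suspicious). */
function inspectUpload(string $path): array
{
    $findings = [];
    $parts = array_map('strtolower', explode('.', basename($path)));
    array_shift($parts);                       // drop the base name, keep every extension
    $last = $parts === [] ? '' : end($parts);  // the extension the web server will act on
    $head = (string) file_get_contents($path, false, null, 0, 4096);

    if (in_array($last, EXECUTABLE_EXTS, true)) {
        $findings[] = "executable extension .$last";
    }
    if (count($parts) > 1 && array_intersect($parts, EXECUTABLE_EXTS) !== []) {
        $findings[] = 'double extension containing an executable component';
    }
    $sniffed    = sniffExtension($head);
    $normalized = $last === 'jpeg' ? 'jpg' : $last;
    if ($sniffed !== null && $sniffed !== $normalized) {
        $findings[] = "magic bytes say $sniffed but extension is .$last";
    }
    if (stripos($head, '<?php') !== false || stripos($head, '<?=') !== false) {
        $findings[] = 'PHP open tag inside file body (possible polyglot)';
    }
    return $findings;
}

/** Walk a directory tree and return [filename => findings] for files with at least one finding. */
function scanUploadDir(string $dir): array
{
    $report = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $info) {
        $findings = inspectUpload($info->getPathname());
        if ($findings !== []) {
            $report[$info->getFilename()] = $findings;
        }
    }
    ksort($report);
    return $report;
}

// --- Constructed sample directory (not real captured uploads) ---
$dir = sys_get_temp_dir() . '/ci4_upload_scan_' . bin2hex(random_bytes(4));
mkdir($dir, 0700, true);
file_put_contents("$dir/cat.gif",       "GIF89a" . str_repeat("\x00", 32));        // benign
file_put_contents("$dir/shell.php",     "GIF89a<?php system(\$_GET['c']); ?>");    // polyglot: GIF magic, .php name
file_put_contents("$dir/photo.gif.php", "GIF89a" . str_repeat("\x00", 8));         // double extension
file_put_contents("$dir/avatar.png",    "GIF89a" . str_repeat("\x00", 8));         // type/extension mismatch only

foreach (scanUploadDir($dir) as $name => $findings) {
    echo $name, ":\n";
    foreach ($findings as $finding) {
        echo "  - $finding\n";
    }
}
```

Run it with `php scan.php`; `cat.gif` produces no output, `shell.php` is flagged three times (executable extension, GIF magic under a `.php` name, PHP open tag), `photo.gif.php` for the executable and double extension plus the mismatch, and `avatar.png` for the mismatch alone. The first 4 KiB is enough for magic bytes and for the open tag of the polyglots the advisory describes, since those place the PHP payload immediately after the image header; a scanner for arbitrary payload placement would read the whole file.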
Mitigation Steps:
Immediate actions: (1) Patch: upgrade to CodeIgniter4 v4.7.3 or later. (2) Store outside the web root: keep uploads under `writable/uploads/` (the location `$file->store()` uses, which sits outside `public/` in the default layout) or another directory the web server does not serve, and deliver files through a controller that sets the Content-Type itself. (3) Randomize filenames: use `$file->store()` or `$file->move($path, $file->getRandomName())` instead of the client-supplied name; note that `getRandomName()` keeps the client-supplied extension, so on its own it does not strip a `.php` suffix and must be combined with step (5). (4) Disable execution: configure the web server (nginx/Apache) so that no script handler runs in upload directories, via server/location blocks or `.htaccess` where `AllowOverride` permits it. (5) Add defensive validation: compare `$file->getClientExtension()` against an explicit allowlist, cross-check it with `$file->guessExtension()`, and add `mime_in`/`is_image` rules rather than relying on `ext_in` alone. (6) Review configurations: audit every upload handler for the vulnerable pattern (`ext_in` as the sole check, original filename preserved, destination under the web root).
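Steps (2), (3), (5) and (6) together describe a hardened handler. The following is an added example written for this page, not code from the advisory or from the CodeIgniter project; it assumes a stock CodeIgniter4 application (`FCPATH` pointing at `public/`, `WRITEPATH` at `writable/`, a form field named `avatar`) and places the vulnerable pattern and its replacement side by side. The class name `AvatarController`, the `/profile` route and the `avatars/` subfolder are made up for illustration.

```php
<?php
// Added example, not code from the advisory or from the CodeIgniter project.
// Assumes a stock CodeIgniter4 app (FCPATH = public/, WRITEPATH = writable/)
// with a form field named "avatar". Class/route/folder names are illustrative.

namespace App\Controllers;

use CodeIgniter\HTTP\RedirectResponse;

class AvatarController extends BaseController
{
    private const ALLOWED_EXTS  = ['png', 'jpg', 'jpeg', 'gif'];
    private const ALLOWED_MIMES = ['image/png', 'image/jpeg', 'image/gif'];

    /**
     * Vulnerable pattern: ext_in alone, client filename kept, stored under public/.
     * A "shell.php" whose body starts with GIF89a is guessed as "gif", passes
     * ext_in, and is written to public/uploads/shell.php where PHP executes it.
     */
    public function uploadVulnerable(): RedirectResponse
    {
        if (! $this->validate(['avatar' => 'uploaded[avatar]|ext_in[avatar,png,jpg,gif]'])) {
            return redirect()->back()->withInput()->with('errors', $this->validator->getErrors());
        }
        $file = $this->request->getFile('avatar');
        $file->move(FCPATH . 'uploads', $file->getName()); // DO NOT DO THIS
        return redirect()->to('/profile');
    }

    /** Hardened pattern: layered rules, explicit extension check, random name, storage outside the web root. */
    public function uploadHardened(): RedirectResponse
    {
        $rules = [
            'avatar' => 'uploaded[avatar]|max_size[avatar,2048]|is_image[avatar]'
                      . '|mime_in[avatar,' . implode(',', self::ALLOWED_MIMES) . ']'
                      . '|ext_in[avatar,' . implode(',', self::ALLOWED_EXTS) . ']',
        ];
        if (! $this->validate($rules)) {
            return redirect()->back()->withInput()->with('errors', $this->validator->getErrors());
        }

        $file = $this->request->getFile('avatar');
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return redirect()->back()->with('errors', ['avatar' => 'Upload failed.']);
        }

        // The check ext_in was expected to perform: the extension the client sent
        // is what the web server will use to decide whether to execute the file.
        $clientExt = strtolower($file->getClientExtension());
        if (! in_array($clientExt, self::ALLOWED_EXTS, true)) {
            return redirect()->back()->with('errors', ['avatar' => 'File type not allowed.']);
        }

        // Cross-check against the content-derived guess; treat jpg/jpeg as one type.
        $guessed = strtolower((string) $file->guessExtension());
        $same    = static fn (string $e): string => $e === 'jpeg' ? 'jpg' : $e;
        if ($same($guessed) !== $same($clientExt)) {
            return redirect()->back()->with('errors', ['avatar' => 'File content does not match its extension.']);
        }

        // Build the name ourselves. getRandomName() keeps the client extension,
        // so randomizing alone never removes a .php suffix; it is safe here only
        // because $clientExt was allowlisted above.
        $name = bin2hex(random_bytes(16)) . '.' . $clientExt;

        // store() writes under writable/uploads/, outside public/, so nothing
        // placed here is URL-addressable or executable by the web server.
        $storedPath = $file->store('avatars/', $name); // e.g. "avatars/<hex>.png"

        // Persist $storedPath and serve it through a controller that sets
        // Content-Type from the allowlist and X-Content-Type-Options: nosniff.
        return redirect()->to('/profile')->with('message', 'Uploaded.');
    }
}
```

The two methods differ in four places, matching steps (2), (3), (5) and (6): the rule string layers `mime_in` and `is_image` on top of `ext_in`, the client extension is allowlisted explicitly before anything is written, the stored name is generated server-side, and the destination is `writable/uploads/` rather than `public/`. Even if a future validator bug let a polyglot through again, the file would land with an allowlisted extension in a directory the web server never serves.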
Risk Assessment: Exploitation likelihood is high. File upload endpoints are common attack targets, the bypass requires no special tooling beyond a polyglot file (a PHP script prefixed with GIF magic bytes), and frameworks are routinely fingerprinted during reconnaissance. The impact is arbitrary code execution with web server privileges, enabling full server compromise, data theft, lateral movement and malware deployment. Because a working PoC has been disclosed, organizations should treat patching as urgent and deploy the defense-in-depth controls above regardless of patch status.