CVE-2018-17139
Description
UltimatePOS 2.5 allows users to upload arbitrary files, which leads to remote command execution by posting to a /products URI with PHP code in a .php file with the image/jpeg content type.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- UltimatePOS (no CPE), range: = 2.5
- UltimatePOS (no CPE), range: <= 2.5
Patches
Vulnerability mechanics
Root cause
"Missing server-side file extension validation allows an authenticated user to upload a PHP file disguised as a JPEG image."
Attack vector
An authenticated low-privilege user navigates to Products → List Products, edits an existing product (or adds a new one), and uploads a file containing PHP code with a `.jpg` extension and `image/jpeg` content type [ref_id=1]. Using a proxy, the user intercepts the upload request and changes the filename from `.jpg` to `.php` before forwarding it to the server [ref_id=1]. The server stores the file under `/storage/img/` with a numeric prefix, and the attacker can then access the uploaded PHP file directly, passing commands via the `cmd` GET parameter to achieve remote code execution [ref_id=1].
Affected code
The vulnerable code resides in the product image upload functionality accessed via the `/products` URI. The server trusts the client-supplied filename and Content-Type and performs no server-side check of the extension or of the actual file content, so a `.jpg` file renamed to `.php` during upload interception is stored, with only a numeric prefix added, as an executable PHP file [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] does not provide remediation guidance from the vendor. To close this vulnerability, the application must validate uploads server-side instead of trusting the client-supplied filename and Content-Type: enforce an allow-list of image extensions, verify the actual file content (magic bytes or a successful image decode), and store the file under a server-generated name. As defense in depth, uploads should be kept outside the web root or in a directory where the web server is configured not to execute scripts, so that a file that slips through is served as static data rather than run as PHP.
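The check described above, as an added example written for this page in Python rather than the application's own PHP (UltimatePOS's code is not shown here). The `Upload` record, the field layout and the sample uploads are constructed for the example; the first sample mirrors the advisory's payload: PHP source, declared `image/jpeg`, renamed to `.php` in the `Content-Disposition` header. The vulnerable function keeps the behaviour the advisory describes; the hardened one applies the extension allow-list, magic-byte check and server-generated name.

```python
"""Added illustration of upload validation for CVE-2018-17139 (not project code)."""
import os
import secrets
from dataclasses import dataclass

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Leading bytes (magic numbers) of the image formats we are willing to store.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


@dataclass
class Upload:
    """One file part of a multipart/form-data request (constructed for this example)."""
    filename: str      # from Content-Disposition; attacker-controlled
    content_type: str  # declared by the client; attacker-controlled
    data: bytes


def vulnerable_accepts(up: Upload) -> bool:
    """Pattern the advisory describes: trust the declared Content-Type only."""
    return up.content_type.startswith("image/")


def stored_name_vulnerable(up: Upload, ts: int) -> str:
    """Keeps the client filename, only a numeric prefix is added (e.g. 1533988576_cmd.php)."""
    return f"{ts}_{os.path.basename(up.filename)}"


def hardened_accepts(up: Upload) -> tuple[bool, str]:
    """Server-side checks: extension allow-list, magic bytes, server-chosen name.
    Returns (accepted, reason_or_new_name)."""
    base = os.path.basename(up.filename)
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    if not any(up.data.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match declared image type"
    # Never reuse the client's name: random name, extension chosen by us.
    return True, f"{secrets.token_hex(16)}.{ext}"


# Constructed samples (not captured traffic).
WEBSHELL = Upload("cmd.php", "image/jpeg",
                  b"<?php $cmd=$_GET['cmd']; system($cmd); ?>")  # step 8 of the advisory
PHP_AS_JPG = Upload("cmd.jpg", "image/jpeg",
                    b"<?php $cmd=$_GET['cmd']; system($cmd); ?>")  # step 1, before renaming
REAL_JPEG = Upload("photo.jpg", "image/jpeg",
                   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16)

if __name__ == "__main__":
    for sample in (WEBSHELL, PHP_AS_JPG, REAL_JPEG):
        print(sample.filename, "vulnerable:", vulnerable_accepts(sample),
              "hardened:", hardened_accepts(sample))
```

A JPEG with PHP appended and a name like `x.php.jpg` passes both the extension and the magic check, which is why the server-generated name (the `.php` never reaches disk) and a no-execute upload directory are part of the fix rather than optional extras. In PHP the equivalent content check is `finfo_file()` or `getimagesize()` on the temporary file, never the `type` field of `$_FILES`.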
Preconditions
- auth: Attacker must have a valid low-privilege user account on the UltimatePOS portal
- input: Attacker must be able to intercept and modify HTTP requests (e.g., using a proxy like Burp Suite)
- config: The server must have PHP execution enabled for files stored under the /storage/img/ directory
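The `config` precondition above is a web server that hands every `.php` path to the PHP interpreter regardless of directory. As an added example (not the project's or the advisory's configuration), the nginx fragment below shows that catch-all handler beside a prefix location that stops execution under `/storage/img/`; the FPM socket path is assumed.

```nginx
# Weak: every *.php under the document root, uploads included, reaches PHP-FPM.
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
}

# Corrected: a ^~ prefix match wins over the regex location above, so nothing
# under /storage/img/ is passed to PHP; script-like names are refused outright
# and everything else is served as a static file.
location ^~ /storage/img/ {
    location ~ \.(php|phtml|phar)$ {
        return 403;
    }
    add_header X-Content-Type-Options nosniff;
}
```

The same effect on Apache is `php_admin_flag engine off` (or `RemoveHandler .php`) in the upload directory's configuration, provided `.htaccess` overrides are not the only thing standing between the attacker and execution.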
Reproduction
1. Create a file containing `<?php $cmd=$_GET['cmd']; system($cmd); ?>` and save it with a `.jpg` extension.
2. Log in to UltimatePOS as a low-privilege user.
3. Navigate to Products → List Products (`http://domain/products`).
4. Click Actions on an existing product → Edit (or add a new product).
5. Under Product image, click Browse and select the `.jpg` file containing PHP code.
6. Use a proxy (Burp, Fiddler) to intercept the request.
7. Forward requests until reaching the multipart form-data request containing the product details.
8. Change the filename from `filename.jpg` to `filename.php` in the `Content-Disposition` header, then release the interception.
9. Return to List Products, find the edited product, right-click the product image and select "Copy Image Location".
10. Paste the URL into a browser; it will be similar to `http://domain/storage/img/1533988576_cmd.php`.
11. Verify RCE: `http://domain/storage/img/1533988576_cmd.php?cmd=id` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://www.exploit-db.com/exploits/45253/ (MITRE: exploit, x_refsource_EXPLOIT-DB)