VYPR
Unrated severity · OSV Advisory · Published Oct 3, 2018 · Updated Aug 5, 2024

CVE-2018-17553


Description

An "Unrestricted Upload of File with Dangerous Type" issue with directory traversal in navigate_upload.php in Naviwebs Navigate CMS 2.8 allows authenticated attackers to achieve remote code execution via a POST request with engine=picnik and id=../../../navigate_info.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated attackers can achieve remote code execution in Navigate CMS 2.8 via a path traversal and unrestricted file upload in navigate_upload.php.

Vulnerability

An unrestricted file upload with dangerous type vulnerability exists in navigate_upload.php of Naviwebs Navigate CMS 2.8 [1]. The upload handler accepts a POST request with engine=picnik and an id parameter that is not sanitized for directory traversal sequences. By setting id to ../../../navigate_info.php, an authenticated attacker can write a malicious PHP file to an arbitrary location, overwriting an existing PHP file such as navigate_info.php [1][2]. The affected versions are Navigate CMS 2.8 and possibly earlier releases [2].

Exploitation

An attacker must first hold a valid authenticated session with Navigate CMS. Using the authentication bypass tracked as CVE-2018-17552, an unauthenticated attacker can obtain such a session by sending a crafted cookie value in a POST to /login.php [2]. Once authenticated, the attacker sends a POST request to navigate_upload.php with engine=picnik and id=../../../navigate_info.php. The upload places the attacker's file (e.g., a PHP web shell) in the Navigate CMS root directory, overwriting navigate_info.php [1][2][3]. The attacker then executes arbitrary PHP code by requesting the overwritten file [2].

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the web server. This results in full remote code execution (RCE) with the privileges of the web server user, leading to complete compromise of the CMS instance and potential access to the underlying server [2]. The impact includes data theft, modification, or deletion, and the ability to pivot to internal network resources.

Mitigation

The fix was released in commit 2bdcb8b3c5bb23851a2115db96585f1ac8cb2d1e, which removes the picnik upload case from the codebase entirely [1]. Users should upgrade to a Navigate CMS release that includes that commit (dated 2018-09-26) or apply the patch manually by deleting the picnik branch from navigate_upload.php. There is no known workaround; if the CMS cannot be updated, the instance should be isolated from untrusted networks. A public exploit exists as a Metasploit module (Exploit-DB 45561) [2], but the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Unrestricted file upload with no path sanitization in the `picnik` engine branch of `navigate_upload.php` allows directory traversal via the `id` parameter."

Attack vector

An authenticated attacker sends a POST request to `navigate_upload.php` with `engine=picnik` and an `id` parameter containing directory traversal sequences (e.g., `../../../navigate_info.php`). The script writes the uploaded file content to the attacker-controlled path, overwriting `navigate_info.php` (or another writable PHP file) with arbitrary PHP code. Subsequent access to that file executes the injected code, achieving remote code execution [1].

Affected code

The vulnerable code resides in `navigate_upload.php`. The `picnik` engine branch (lines 139-159 of the pre-patch file) accepted a user-supplied `id` parameter and wrote uploaded file data directly to `$targetDir.'/'.$_REQUEST['id']` without sanitizing the path. This allowed directory traversal via a payload such as `id=../../../navigate_info.php` [1].

What the fix does

The patch [1] removes the entire `picnik` engine code block from `navigate_upload.php`, including the `else if($_REQUEST['engine']=='picnik')` branch that performed the unsanitized file write. The commit message states the code was "unused" and simply deletes it. No path validation or sanitization was added because the vulnerable functionality was eliminated entirely.
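To make the root cause concrete, the following is an added example (not code from Navigate CMS or its patch) that models the pre-patch write in Python: `vulnerable_write` reproduces the `$targetDir.'/'.$_REQUEST['id']` join described under "Affected code", and `hardened_write` shows what a sanitized version would have had to do had the branch been kept rather than deleted. The directory layout (`private/uploads/picnik` three levels below the web root), the function names and the image-extension allow-list are assumptions made for the demonstration.

```python
import os
import tempfile


class UploadRejected(ValueError):
    """Raised by the hardened handler when the requested target is unsafe."""


def vulnerable_write(target_dir: str, request_id: str, data: bytes) -> str:
    """Reconstruction of the pre-patch picnik branch (assumption, not the
    project's own code): the id parameter is joined onto the upload
    directory with no sanitization, like $targetDir.'/'.$_REQUEST['id']."""
    path = os.path.join(target_dir, request_id)
    with open(path, "wb") as fh:
        fh.write(data)
    return os.path.realpath(path)


def hardened_write(target_dir: str, request_id: str, data: bytes) -> str:
    """Hardened variant: bare file name only, allow-listed extension, and a
    containment check after symlink resolution. The extension allow-list is
    an assumption about what an image-editing engine should produce."""
    name = os.path.basename(request_id)
    if name != request_id or name in ("", ".", ".."):
        raise UploadRejected("id must be a bare file name with no directory components")
    ext = os.path.splitext(name)[1].lower()
    if ext not in {".jpg", ".jpeg", ".png", ".gif"}:
        raise UploadRejected(f"extension {ext!r} is not an allowed upload type")
    base = os.path.realpath(target_dir)
    path = os.path.realpath(os.path.join(base, name))
    # realpath() resolves symlinks, so a planted symlink cannot escape either.
    if os.path.commonpath([base, path]) != base:
        raise UploadRejected("resolved path escapes the upload directory")
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Constructed layout: a web root holding navigate_info.php and an upload
    directory three levels below it, so ../../../ lands on the web root."""
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "navigate")
        upload_dir = os.path.join(webroot, "private", "uploads", "picnik")
        os.makedirs(upload_dir)
        info_php = os.path.join(webroot, "navigate_info.php")
        with open(info_php, "w") as fh:
            fh.write("<?php // original navigate_info.php ?>\n")

        traversal_id = "../../../navigate_info.php"
        shell = b"<?php system($_GET['cmd']); ?>"

        # Pre-patch behaviour: the "upload" lands on navigate_info.php.
        written = vulnerable_write(upload_dir, traversal_id, shell)
        with open(info_php, "rb") as fh:
            overwritten = fh.read() == shell

        # Hardened handler: the same request is refused.
        try:
            hardened_write(upload_dir, traversal_id, b"new content")
            traversal_rejected = False
        except UploadRejected:
            traversal_rejected = True

        # A legitimate image name is still accepted and stays inside upload_dir.
        legit = hardened_write(upload_dir, "avatar.png", b"\x89PNG fake image")
        legit_inside = os.path.dirname(legit) == os.path.realpath(upload_dir)

        # The extension check also stops a bare .php name without traversal.
        try:
            hardened_write(upload_dir, "shell.php", shell)
            bare_php_rejected = False
        except UploadRejected:
            bare_php_rejected = True

        return {
            "vulnerable_hit_webroot": written == os.path.realpath(info_php),
            "overwritten": overwritten,
            "traversal_rejected": traversal_rejected,
            "legit_accepted_inside": legit_inside,
            "bare_php_rejected": bare_php_rejected,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check is done on the resolved path, not on the raw string, because rejecting the literal `../` sequence alone misses encoded variants and symlinks; combining the bare-name rule, the extension allow-list and the realpath comparison gives three independent reasons the traversal request fails.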

Preconditions

  • Auth: the attacker must have valid authentication credentials for the Navigate CMS backend.
  • Config: the target `navigate_info.php` (or another writable PHP file) must be writable by the web server process.
  • Input: the `engine=picnik` parameter must be accepted by the server (the vulnerable code path must be present).

Reproduction

1. Authenticate to the Navigate CMS backend.
2. Send a POST request to `navigate_upload.php` with:
   - `engine=picnik`
   - `id=../../../navigate_info.php`
   - a file field named `file` containing a PHP payload (e.g., `<?php system($_GET['cmd']); ?>`)
3. Access `navigate_info.php` in the web root with `?cmd=id` to execute commands.

Full PoC available at https://www.exploit-db.com/exploits/45561/.
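The exploitation chain above (upload POST, then a request to the overwritten file with a command parameter) leaves a recognizable trace in ordinary web-server access logs even though POST bodies are not logged. The following is an added example, not part of the advisory or the Metasploit module, that hunts for that sequence in combined-format log lines. The sample log is constructed for the demonstration, and the heuristic assumes that `navigate_info.php` is not normally requested with a query string, so a `?cmd=` (or any parameter) shortly after a POST to `navigate_upload.php` from the same client is treated as web-shell use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined-format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not from a real incident). 10.0.0.5 logs in, posts to
# the upload handler and then calls navigate_info.php with ?cmd=id; 10.0.0.9
# performs an upload and then views navigate_info.php without parameters.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2018:10:00:01 +0000] "POST /navigate/login.php HTTP/1.1" 302 0
10.0.0.5 - - [03/Oct/2018:10:00:02 +0000] "POST /navigate/navigate_upload.php HTTP/1.1" 200 123
10.0.0.5 - - [03/Oct/2018:10:00:03 +0000] "GET /navigate/navigate_info.php?cmd=id HTTP/1.1" 200 58
10.0.0.9 - - [03/Oct/2018:10:05:00 +0000] "POST /navigate/navigate_upload.php HTTP/1.1" 200 123
10.0.0.9 - - [03/Oct/2018:10:05:01 +0000] "GET /navigate/navigate_info.php HTTP/1.1" 200 412
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, query
    return rec


def find_upload_to_shell_chains(log_text: str, window: timedelta = timedelta(minutes=15)):
    """Return (ip, upload_ts, shell_request) for each client that POSTed to
    navigate_upload.php and, within `window` afterwards, requested
    navigate_info.php with a query string (assumed web-shell invocation)."""
    uploads = defaultdict(list)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        base = rec["path"].rsplit("/", 1)[-1]
        if rec["method"] == "POST" and base == "navigate_upload.php":
            uploads[rec["ip"]].append(rec["ts"])
        elif base == "navigate_info.php" and rec["query"]:
            recent = [t for t in uploads[rec["ip"]] if timedelta(0) <= rec["ts"] - t <= window]
            if recent:
                hits.append((rec["ip"], max(recent), rec["target"]))
    return hits


if __name__ == "__main__":
    for ip, upload_ts, request in find_upload_to_shell_chains(SAMPLE_LOG):
        print(f"{ip}: upload at {upload_ts.isoformat()} followed by {request}")
```

Pairing the two requests by client and time keeps ordinary uploads (the second client) out of the result; on a real server the same logic should be complemented by an integrity check of `navigate_info.php` and the other PHP files in the web root, since the overwrite itself is the compromise and the command request is only the attacker using it.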

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.