VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

SourceCodester Simple POS and Inventory System File Extension addproduct.php unrestricted upload

CVE-2026-9445

Description

A flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unrestricted file upload in SourceCodester Simple POS and Inventory System 1.0 allows remote attackers to upload a PHP webshell and execute arbitrary commands.

Vulnerability

A flaw exists in the file upload functionality of SourceCodester Simple POS and Inventory System version 1.0. The endpoint /admin/addproduct.php accepts an image parameter and only validates the file extension against a whitelist (jpg or png). The validation can be bypassed using double extensions (e.g., shell.php.jpg) or uppercase extensions, allowing arbitrary file uploads. The uploaded file is stored in the web-accessible /upload/ directory. This vulnerability is detailed in the published exploit [1].

Exploitation

An attacker can send a crafted POST request to /admin/addproduct.php with a malicious PHP file (e.g., a webshell) as the image parameter. The application's weak extension check permits the upload. No authentication is required, and the attack can be performed remotely over HTTP. The uploaded file is accessible via the /upload/ directory, enabling direct execution of PHP code.

Impact

Successful exploitation allows an attacker to achieve remote code execution (RCE) on the server. By uploading a PHP webshell, the attacker can execute arbitrary system commands, read or modify files, and potentially compromise the entire application and underlying server. The impact is critical, as the attacker gains full control over the web application context.

Mitigation

As of the publication date, no official patch has been released for version 1.0. The vendor has not addressed the vulnerability [1]. Until a fix is available, administrators should implement strict file type validation (e.g., MIME type checking), rename uploaded files to remove executable extensions, and restrict the /upload/ directory from executing PHP code (e.g., via .htaccess or web server configuration). The vulnerability is unpatched and publicly exploited.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application only validates the file extension string against a short allowlist, which can be bypassed using double extensions or uppercase extensions, and then moves the uploaded file to a web-accessible directory without further checks."

Attack vector

An attacker sends a POST request to `/admin/addproduct.php` with a crafted `image` file that has a double extension (e.g., `shell.php.jpg`) or an uppercase extension (e.g., `shell.PHP`). The extension check passes because the final extension matches `"jpg"` or `"png"`, but the file is saved with its original name and can be executed as a PHP webshell from the web-accessible `/upload/` directory [ref_id=1]. The same request can also carry SQL injection payloads in the `name` parameter to extract database contents [ref_id=1].

Affected code

The vulnerable endpoint is `/admin/addproduct.php`, which handles POST parameters `name`, `category`, `price`, `supplier`, `qty`, and `image`. The file upload logic only checks that the file extension equals `"jpg"` or `"png"` before moving the uploaded file to the `../upload/` directory [ref_id=1].

What the fix does

No patch has been published for this vulnerability [ref_id=1]. The advisory recommends replacing raw SQL queries with prepared statements, validating file MIME types using `finfo_file()` instead of relying solely on extension checks, randomizing uploaded filenames, disabling PHP execution in the upload directory, and storing uploads outside the web root [ref_id=1].
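The following is an added example, not code from SourceCodester Simple POS and Inventory System or from the advisory: a hardened replacement for the image-upload step described under Mitigation and What the fix does. It lowercases the extension, allows exactly one extension in the basename (so `shell.php.jpg` and `shell.PHP` are both rejected), verifies the content with `finfo_file()` and `getimagesize()` rather than trusting the client-supplied type, stores the file under a random server-chosen name, and writes it to a directory outside the web root. The `ALLOWED_TYPES` map, the `UPLOAD_DIR` path and the `$_FILES['image']` field name are assumptions; the advisory names only the `image` parameter and the `../upload/` destination.

```php
<?php
// Added example, not the project's code: hardened upload handling for the
// 'image' field of a product form. UPLOAD_DIR and ALLOWED_TYPES are assumed.
declare(strict_types=1);

// Allowed extensions and the sniffed MIME type each must resolve to.
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
];

// Storage directory OUTSIDE the web root (assumed path): a file that is never
// reachable by URL cannot be executed as PHP no matter what it contains.
const UPLOAD_DIR = '/var/app/private_uploads';

/**
 * Validate the client-supplied filename. Returns the normalized extension on
 * success or null on failure. Lowercasing defeats the uppercase-extension
 * bypass; requiring exactly one dot in the basename defeats double extensions.
 */
function validate_filename(string $originalName): ?string
{
    $base = basename($originalName);          // drop any path components
    if (substr_count($base, '.') !== 1) {     // exactly one extension allowed
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_TYPES) ? $ext : null;
}

/**
 * Validate the file content: the MIME type sniffed from the bytes (not the
 * client-supplied $_FILES[...]['type']) must match the extension, and the
 * data must parse as an image.
 */
function validate_content(string $tmpPath, string $ext): bool
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return false;
    }
    return @getimagesize($tmpPath) !== false;
}

/**
 * Full hardened upload. Returns the stored filename; throws on any failure.
 * The attacker-controlled name never reaches the filesystem.
 */
function store_product_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $ext = validate_filename($file['name']);
    if ($ext === null) {
        throw new RuntimeException('disallowed filename or extension');
    }
    if (!validate_content($file['tmp_name'], $ext)) {
        throw new RuntimeException('content is not an allowed image type');
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;   // random server-chosen name
    $dest = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

/**
 * Self-check of the filename rule against the bypass shapes the advisory names
 * (constructed names; runs without any real upload). Throws if a case fails.
 */
function self_check(): void
{
    $cases = [
        'photo.jpg'     => 'jpg',   // ordinary upload accepted
        'PHOTO.PNG'     => 'png',   // legitimate uppercase normalized
        'shell.php.jpg' => null,    // double extension rejected
        'shell.PHP'     => null,    // uppercase php still not allowed
        'noext'         => null,    // no extension rejected
    ];
    foreach ($cases as $name => $expected) {
        if (validate_filename($name) !== $expected) {
            throw new LogicException("validate_filename failed for {$name}");
        }
    }
}

self_check();

// In the request handler, replacing the raw extension comparison:
// try { $stored = store_product_image($_FILES['image']); }
// catch (RuntimeException $e) { http_response_code(400); exit('rejected'); }
```

If uploads must stay under the web root for serving, the advisory's last recommendation still applies: disable script execution for that directory at the web server (with Apache and mod_php, for example, `php_admin_flag engine off` or `RemoveHandler .php .phtml` in the directory's configuration), so that a stored file is only ever served as static data. The SQL side of the same request (the `name` parameter) is addressed separately by the prepared statements the advisory recommends.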

Preconditions

  • Network: The attacker must be able to reach the /admin/addproduct.php endpoint (no authentication bypass is described, but the advisory does not specify required privileges)
  • Input: The attacker must craft a file with a double extension or uppercase extension that passes the jpg/png extension check

Reproduction

Send a POST request to `/admin/addproduct.php` with a file containing PHP code (e.g., `system($_GET['cmd']);`) saved with a name like `shell.php.jpg`. Set the `image` form field to this file and include valid values for `name`, `category`, `price`, `supplier`, and `qty`. The file will be saved to `../upload/shell.php.jpg` and can be accessed to execute arbitrary commands [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.