Skip to content
Threat Feed
critical advisory

FacturaScripts Path Traversal to Remote Code Execution Vulnerability

An authenticated attacker can exploit a path traversal vulnerability (GHSA-hgjx-r89m-m7v4) in FacturaScripts versions 2025 through 2026.2's file upload functionality to write arbitrary files outside intended directories, leading to remote code execution as the web-server user.

A critical path traversal vulnerability, tracked as GHSA-hgjx-r89m-m7v4, exists in FacturaScripts versions 2025 up to and including 2026.2. The flaw resides in the UploadedFile::move() method, which incorrectly concatenates the destination path with the unsanitized getClientOriginalName() from user-supplied filenames. This allows an authenticated attacker to inject ../ segments into filenames during file uploads, bypassing the intended MyFiles/ directory and writing arbitrary files to any location writable by the web server user. This primitive can be leveraged to achieve remote code execution (RCE) by uploading a specially crafted Apache .htaccess file into directories directly served by Apache (such as Dinamic/Assets/), followed by a PHP payload disguised with a benign extension like .png. The vulnerability affects any user with upload privileges, including non-administrative roles.

Attack Chain

  1. An authenticated attacker obtains valid credentials or an API token with file upload permissions (e.g., to /api/3/uploadfiles or /api/3/attachedfiles).
  2. The attacker crafts an HTTP POST request to a vulnerable upload endpoint (e.g., /api/3/uploadfiles), submitting a file with a malicious filename containing path traversal sequences, such as ../Dinamic/Assets/.htaccess.
  3. The UploadedFile::move() method in FacturaScripts processes this filename without proper sanitization, concatenating it with the base directory, causing the .htaccess file to be written into the Dinamic/Assets/ directory.
  4. The uploaded .htaccess file contains a directive like AddType application/x-httpd-php .png, instructing Apache to parse .png files as PHP scripts within that directory.
  5. The attacker then initiates a second file upload using the same path traversal technique, delivering a file named ../Dinamic/Assets/x.png containing arbitrary PHP code (e.g., <?php phpinfo(); ?>).
  6. The PHP payload is written to Dinamic/Assets/x.png due to the path traversal vulnerability.
  7. The default Apache configuration for FacturaScripts (from htaccess-sample) excludes Dinamic/Assets/ from index.php rewrite rules, meaning files in this directory are served directly by Apache.
  8. The attacker accesses https://target/Dinamic/Assets/x.png via a web browser or HTTP request, causing the Apache web server to execute the uploaded PHP code as the web-server user, resulting in remote code execution.

Impact

Successful exploitation of GHSA-hgjx-r89m-m7v4 allows an authenticated attacker to achieve full remote code execution (RCE) as the web-server user. This includes the ability to execute arbitrary commands, steal data, deface the website, or compromise the server hosting FacturaScripts. The attacker can also inject client-side script by overwriting legitimate JavaScript or CSS files within the Dinamic/Assets/ directory, leading to session takeover for administrators or other users on subsequent page loads. The vulnerability affects a wide range of users, as even non-administrative roles often possess the necessary upload permissions.

Recommendation

  • Deploy the provided Sigma rules to your SIEM solution to detect attempts to upload malicious .htaccess or PHP files using path traversal.
  • Monitor webserver logs for HTTP POST requests to /api/3/uploadfiles, /api/3/attachedfiles, or other file upload endpoints that include ../ sequences in the filename or cs-uri-query.
  • Patch FacturaScripts to a version greater than 2026.2 immediately upon availability of a fix, as specified in the GitHub Security Advisory GHSA-hgjx-r89m-m7v4.
  • Implement strong logging for webserver activity, particularly for POST requests and file uploads, to enable detection of the described attack chain.
  • Ensure server configurations enforce least privilege for the web-server user to minimize potential damage from RCE.

Detection coverage 2

Detects GHSA-hgjx-r89m-m7v4 Exploitation - FacturaScripts .htaccess Upload via Path Traversal

high

Detects attempts to upload a `.htaccess` file using path traversal in FacturaScripts' upload endpoints, which is a step towards RCE via GHSA-hgjx-r89m-m7v4.

sigma tactics: initial_access, persistence techniques: T1190, T1546.006 sources: webserver

Detects GHSA-hgjx-r89m-m7v4 Exploitation - FacturaScripts PHP Payload Upload via Path Traversal

high

Detects attempts to upload a PHP payload (disguised as .png) using path traversal in FacturaScripts' upload endpoints, as part of the RCE chain for GHSA-hgjx-r89m-m7v4.

sigma tactics: execution, initial_access techniques: T1059, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →