FacturaScripts Path Traversal to Remote Code Execution Vulnerability
An authenticated attacker can exploit a path traversal vulnerability (GHSA-hgjx-r89m-m7v4) in FacturaScripts versions 2025 through 2026.2's file upload functionality to write arbitrary files outside intended directories, leading to remote code execution as the web-server user.
A critical path traversal vulnerability, tracked as GHSA-hgjx-r89m-m7v4, exists in FacturaScripts versions 2025 up to and including 2026.2. The flaw resides in the UploadedFile::move() method, which incorrectly concatenates the destination path with the unsanitized getClientOriginalName() from user-supplied filenames. This allows an authenticated attacker to inject ../ segments into filenames during file uploads, bypassing the intended MyFiles/ directory and writing arbitrary files to any location writable by the web server user. This primitive can be leveraged to achieve remote code execution (RCE) by uploading a specially crafted Apache .htaccess file into directories directly served by Apache (such as Dinamic/Assets/), followed by a PHP payload disguised with a benign extension like .png. The vulnerability affects any user with upload privileges, including non-administrative roles.
Attack Chain
- An authenticated attacker obtains valid credentials or an API token with file upload permissions (e.g., to
/api/3/uploadfilesor/api/3/attachedfiles). - The attacker crafts an HTTP POST request to a vulnerable upload endpoint (e.g.,
/api/3/uploadfiles), submitting a file with a malicious filename containing path traversal sequences, such as../Dinamic/Assets/.htaccess. - The
UploadedFile::move()method in FacturaScripts processes this filename without proper sanitization, concatenating it with the base directory, causing the.htaccessfile to be written into theDinamic/Assets/directory. - The uploaded
.htaccessfile contains a directive likeAddType application/x-httpd-php .png, instructing Apache to parse.pngfiles as PHP scripts within that directory. - The attacker then initiates a second file upload using the same path traversal technique, delivering a file named
../Dinamic/Assets/x.pngcontaining arbitrary PHP code (e.g.,<?php phpinfo(); ?>). - The PHP payload is written to
Dinamic/Assets/x.pngdue to the path traversal vulnerability. - The default Apache configuration for FacturaScripts (from
htaccess-sample) excludesDinamic/Assets/fromindex.phprewrite rules, meaning files in this directory are served directly by Apache. - The attacker accesses
https://target/Dinamic/Assets/x.pngvia a web browser or HTTP request, causing the Apache web server to execute the uploaded PHP code as the web-server user, resulting in remote code execution.
Impact
Successful exploitation of GHSA-hgjx-r89m-m7v4 allows an authenticated attacker to achieve full remote code execution (RCE) as the web-server user. This includes the ability to execute arbitrary commands, steal data, deface the website, or compromise the server hosting FacturaScripts. The attacker can also inject client-side script by overwriting legitimate JavaScript or CSS files within the Dinamic/Assets/ directory, leading to session takeover for administrators or other users on subsequent page loads. The vulnerability affects a wide range of users, as even non-administrative roles often possess the necessary upload permissions.
Recommendation
- Deploy the provided Sigma rules to your SIEM solution to detect attempts to upload malicious
.htaccessor PHP files using path traversal. - Monitor
webserverlogs for HTTP POST requests to/api/3/uploadfiles,/api/3/attachedfiles, or other file upload endpoints that include../sequences in the filename orcs-uri-query. - Patch FacturaScripts to a version greater than 2026.2 immediately upon availability of a fix, as specified in the GitHub Security Advisory GHSA-hgjx-r89m-m7v4.
- Implement strong logging for
webserveractivity, particularly for POST requests and file uploads, to enable detection of the described attack chain. - Ensure server configurations enforce least privilege for the web-server user to minimize potential damage from RCE.
Detection coverage 2
Detects GHSA-hgjx-r89m-m7v4 Exploitation - FacturaScripts .htaccess Upload via Path Traversal
highDetects attempts to upload a `.htaccess` file using path traversal in FacturaScripts' upload endpoints, which is a step towards RCE via GHSA-hgjx-r89m-m7v4.
Detects GHSA-hgjx-r89m-m7v4 Exploitation - FacturaScripts PHP Payload Upload via Path Traversal
highDetects attempts to upload a PHP payload (disguised as .png) using path traversal in FacturaScripts' upload endpoints, as part of the RCE chain for GHSA-hgjx-r89m-m7v4.
Detection queries are available on the platform. Get full rules →