<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>FacturaScripts (&gt;= 2025, &lt;= 2026.2) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/facturascripts--2025--2026.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 20:54:46 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/facturascripts--2025--2026.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>FacturaScripts Path Traversal to Remote Code Execution Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-facturascripts-path-traversal-rce/</link><pubDate>Tue, 14 Jul 2026 20:54:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-facturascripts-path-traversal-rce/</guid><description>An authenticated attacker can exploit a path traversal vulnerability (GHSA-hgjx-r89m-m7v4) in FacturaScripts versions 2025 through 2026.2's file upload functionality to write arbitrary files outside intended directories, leading to remote code execution as the web-server user.</description><content:encoded><![CDATA[<p>A critical path traversal vulnerability, tracked as GHSA-hgjx-r89m-m7v4, exists in FacturaScripts versions 2025 up to and including 2026.2. The flaw resides in the <code>UploadedFile::move()</code> method, which incorrectly concatenates the destination path with the unsanitized <code>getClientOriginalName()</code> from user-supplied filenames. This allows an authenticated attacker to inject <code>../</code> segments into filenames during file uploads, bypassing the intended <code>MyFiles/</code> directory and writing arbitrary files to any location writable by the web server user. This primitive can be leveraged to achieve remote code execution (RCE) by uploading a specially crafted Apache <code>.htaccess</code> file into directories directly served by Apache (such as <code>Dinamic/Assets/</code>), followed by a PHP payload disguised with a benign extension like <code>.png</code>. The vulnerability affects any user with upload privileges, including non-administrative roles.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker obtains valid credentials or an API token with file upload permissions (e.g., to <code>/api/3/uploadfiles</code> or <code>/api/3/attachedfiles</code>).</li>
<li>The attacker crafts an HTTP POST request to a vulnerable upload endpoint (e.g., <code>/api/3/uploadfiles</code>), submitting a file with a malicious filename containing path traversal sequences, such as <code>../Dinamic/Assets/.htaccess</code>.</li>
<li>The <code>UploadedFile::move()</code> method in FacturaScripts processes this filename without proper sanitization, concatenating it with the base directory, causing the <code>.htaccess</code> file to be written into the <code>Dinamic/Assets/</code> directory.</li>
<li>The uploaded <code>.htaccess</code> file contains a directive like <code>AddType application/x-httpd-php .png</code>, instructing Apache to parse <code>.png</code> files as PHP scripts within that directory.</li>
<li>The attacker then initiates a second file upload using the same path traversal technique, delivering a file named <code>../Dinamic/Assets/x.png</code> containing arbitrary PHP code (e.g., <code>&lt;?php phpinfo(); ?&gt;</code>).</li>
<li>The PHP payload is written to <code>Dinamic/Assets/x.png</code> due to the path traversal vulnerability.</li>
<li>The default Apache configuration for FacturaScripts (from <code>htaccess-sample</code>) excludes <code>Dinamic/Assets/</code> from <code>index.php</code> rewrite rules, meaning files in this directory are served directly by Apache.</li>
<li>The attacker accesses <code>https://target/Dinamic/Assets/x.png</code> via a web browser or HTTP request, causing the Apache web server to execute the uploaded PHP code as the web-server user, resulting in remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of GHSA-hgjx-r89m-m7v4 allows an authenticated attacker to achieve full remote code execution (RCE) as the web-server user. This includes the ability to execute arbitrary commands, steal data, deface the website, or compromise the server hosting FacturaScripts. The attacker can also inject client-side script by overwriting legitimate JavaScript or CSS files within the <code>Dinamic/Assets/</code> directory, leading to session takeover for administrators or other users on subsequent page loads. The vulnerability affects a wide range of users, as even non-administrative roles often possess the necessary upload permissions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rules to your SIEM solution to detect attempts to upload malicious <code>.htaccess</code> or PHP files using path traversal.</li>
<li>Monitor <code>webserver</code> logs for HTTP POST requests to <code>/api/3/uploadfiles</code>, <code>/api/3/attachedfiles</code>, or other file upload endpoints that include <code>../</code> sequences in the filename or <code>cs-uri-query</code>.</li>
<li>Patch FacturaScripts to a version greater than 2026.2 immediately upon availability of a fix, as specified in the GitHub Security Advisory GHSA-hgjx-r89m-m7v4.</li>
<li>Implement strong logging for <code>webserver</code> activity, particularly for POST requests and file uploads, to enable detection of the described attack chain.</li>
<li>Ensure server configurations enforce least privilege for the web-server user to minimize potential damage from RCE.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>web-application</category><category>path-traversal</category><category>remote-code-execution</category><category>php</category></item></channel></rss>