Intelligence
criticalVulnerabilityActive

FacturaScripts Path Traversal in File Upload Handler — Unauthenticated RCE via Directory Escape and .htaccess Write

Authenticated users can bypass file upload restrictions in FacturaScripts by injecting `../` sequences into client-supplied filenames, enabling arbitrary file writes outside the intended `MyFiles/` directory. Combined with `.htaccess` exclusion bypass, this escalates to remote code execution via executable file placement in web-accessible directories.

S
Sebastion

Affected

facturascripts/facturascripts

Vulnerability Description

The UploadedFile::move() method in FacturaScripts concatenates a destination directory with a client-supplied filename using simple string concatenation, without canonicalizing or validating the resulting path. The root cause is the absence of path normalization (e.g., realpath(), basename(), or regex validation) on $destinyName before filesystem operations. All call sites pass getClientOriginalName() — the unsanitized HTTP filename — directly into the vulnerable concatenation. This allows authenticated attackers to inject directory traversal sequences (../) to escape the intended MyFiles/ sandbox and write files to arbitrary locations writable by the web-server process user.

Proof-of-Concept Significance

This PoC demonstrates a chained vulnerability: (1) path traversal enables write access outside the intended directory, and (2) the Apache configuration in htaccess-sample (the documented production setup) explicitly excludes Dinamic/Assets/ and node_modules/ from the index.php rewrite rule, causing files placed there to be served directly rather than routed through PHP. Critically, .htaccess is not listed in BLOCKED_EXTENSIONS, meaning an attacker can write a malicious .htaccess file to re-enable PHP execution in restricted directories or change MIME-type handlers. The attack requires authentication (file upload capability) but results in unauthenticated remote code execution once the payload is deployed. Reliability is high because it depends only on filesystem permissions and Apache module availability (mod_rewrite, mod_dir).

Detection Guidance

Web Application Firewall (WAF) Rules:

  • Monitor HTTP POST requests to file upload endpoints with Content-Disposition headers containing ../, ..\, %2e%2e/, or Unicode/double-encoding variants of path traversal payloads.
  • Alert on filenames containing sequences like ../../../, ..\/, or encoded traversal even if rejected by the application.

Log Indicators:

  • Successful writes to Dinamic/Assets/, node_modules/, or other non-upload directories in web-accessible paths.
  • .htaccess files created or modified after user-initiated upload requests.
  • Executable files (.php, .phtml, .pht) appearing in web-accessible directories outside the upload folder.
  • File operations on paths containing ../ in access logs (if enabled).

YARA Rule Concept:

rule FileUploadPathTraversal {
    strings:
        $traversal = { 2E 2E 2F } // ../
        $htaccess = ".htaccess"
        $php_ext = /\.(php|phtml|pht|php3|php4|php5)$/i
    condition:
        ($traversal and $php_ext) or ($traversal and $htaccess)
}

Mitigation Steps

  1. Immediate Patch: Update FacturaScripts to the patched version. The fix must normalize the destination path using realpath() on the combined path and verify it remains within the intended directory, rejecting any attempt to escape.
  2. Input Validation: Use basename() on $destinyName to strip any directory components before concatenation:
    $safe_name = basename($destinyName);
  3. Whitelist Extensions: Expand BLOCKED_EXTENSIONS to include .htaccess and other Apache configuration files.
  4. Configuration Hardening: If patching is delayed, configure .htaccess or web.config to block direct execution in Dinamic/Assets/ and node_modules/ using explicit deny from all or php_flag engine off.
  5. Principle of Least Privilege: Ensure the web-server process runs with minimal filesystem permissions; restrict write access to MyFiles/ and similar directories only.

Risk Assessment

Likelihood of Exploitation: High in production environments where authenticated users (employees, partners) have upload privileges. Moderate-to-High for internet-facing instances where initial access can be gained through credential compromise or secondary vulnerabilities. The attack is trivial to execute — standard path traversal techniques require no special tooling.

Threat Actor Interest: This vulnerability is highly attractive to opportunistic attackers and targeted adversaries because it provides unauthenticated code execution on the server. Known threat actors targeting small-to-medium business accounting software would prioritize exploiting this primitive. The chaining of path traversal + .htaccess bypass + RCE makes this a high-confidence attack path suitable for both automated scanning and manual exploitation campaigns.