Executive Summary

This vulnerability exists in FacturaScripts, an open source accounting and invoicing software, prior to version 2026. It allows any remote attacker to trigger the phpinfo() function on a fresh FacturaScripts deployment without authentication by requesting the URL parameter /?phpinfo=TRUE.

Triggering phpinfo() exposes the full PHP configuration, server environment variables, filesystem paths, and loaded extensions. This includes sensitive information such as database credentials, API keys, or application secrets that are set as environment variables.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to significant information disclosure, exposing sensitive server and application configuration details to unauthenticated remote attackers.

• Exposure of database credentials could allow attackers to access or manipulate the database.
• Disclosure of API keys and application secrets could enable unauthorized access to other integrated services.
• Revealing filesystem paths and server environment details can aid attackers in crafting further attacks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if an unauthenticated request to the FacturaScripts installation triggers the phpinfo() output. Specifically, sending a request to the URL path /?phpinfo=TRUE on a fresh FacturaScripts deployment will reveal if the vulnerability is present.

A simple command to test this from a system with curl installed would be:

• curl -i http://<target-host>/?phpinfo=TRUE

If the response contains detailed PHP configuration information, server environment variables, or database credentials, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade FacturaScripts to version 2026 or later, where this issue has been fixed.

Until the upgrade can be performed, restrict access to the installation endpoint or block requests containing the parameter phpinfo=TRUE to prevent unauthenticated attackers from triggering the phpinfo() disclosure.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated remote attackers to access sensitive server and PHP configuration details, including environment variables that may contain database credentials, API keys, or application secrets.

Exposure of such sensitive information can lead to unauthorized access to personal data or protected health information, potentially violating data protection regulations such as GDPR and HIPAA.

Therefore, the vulnerability poses a risk to compliance with these standards by increasing the likelihood of data breaches or unauthorized data exposure.

Useful 0 Not Useful 0