A critical path traversal vulnerability has been identified in the AllSky software, rated with a CVSS score of 9.8. This flaw allows an unauthenticated attacker on the network to write arbitrary files to the server, which can be leveraged to upload a webshell and achieve complete remote code execution. Successful exploitation would result in a full compromise of the affected system, enabling data theft, service disruption, and further network intrusion.

The vulnerability exists within the /includes/save_file.php script. The script fails to properly sanitize user-supplied input for the path parameter, making it susceptible to path traversal attacks (e.g., using ../../ sequences). An unauthenticated attacker can send a specially crafted POST request to this endpoint, manipulating the path parameter to specify a file location outside of the intended directory and using the content parameter to provide malicious code, such as a PHP webshell. This allows the attacker to write an executable file to a web-accessible location on the server, leading to unauthenticated remote code execution.

This vulnerability is of critical severity with a CVSS score of 9.8, posing a significant and immediate threat to the organization. A successful exploit grants an attacker complete control over the affected server, leading to severe consequences such as the exfiltration of sensitive data, deployment of ransomware, or manipulation of critical system functions. The compromised server could also be used as a pivot point to launch further attacks against the internal network. A public-facing breach of this nature could result in significant reputational damage, financial loss, and potential regulatory penalties.

Immediate Action: Immediately apply the security patches provided by the vendor by updating the AllSky software to the latest secure version. After patching, review web server access logs for any indicators of compromise or exploitation attempts targeting the /includes/save_file.php endpoint.

Proactive Monitoring: Monitor web server logs for suspicious POST requests to /includes/save_file.php, specifically looking for path traversal sequences like ../ or their URL-encoded equivalents (..%2f) in the request parameters. Implement file integrity monitoring (FIM) to detect the creation of unexpected files (e.g., .php) in web-accessible directories.

Compensating Controls: If patching is not immediately possible, implement the following controls:

• Use a Web Application Firewall (WAF) to create a rule that blocks any requests to /includes/save_file.php containing path traversal patterns.
• Restrict network access to the AllSky application, allowing connections only from trusted IP addresses.
• If the functionality is not business-critical, disable or remove the save_file.php file from the web server.

Public Exploit Available: false

Due to the critical severity of this vulnerability, which allows for unauthenticated remote code execution, immediate action is required. We strongly recommend that organizations running affected versions of AllSky prioritize applying the vendor-supplied patch without delay to prevent a full system compromise. Although this vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high impact makes it a prime candidate for future inclusion. Proactive patching is the most effective defense against this threat.