CVE-2024-44373
📋 TL;DR
CVE-2024-44373 is a critical path traversal vulnerability in AllSky software that allows unauthenticated attackers to write arbitrary files to the server, leading to webshell creation and remote code execution. This affects AllSky installations from v2023.05.01 through v2024.12.06_06. Any organization using vulnerable AllSky versions with the /includes/save_file.php endpoint accessible is at risk.
💻 Affected Systems
- AllSky
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the server, deploying persistent backdoors, stealing sensitive data, and pivoting to other systems.
Likely Case
Attacker creates webshells to execute arbitrary commands, installs cryptocurrency miners or ransomware, and establishes persistent access to the system.
If Mitigated
Limited impact with proper network segmentation and file system permissions preventing lateral movement and critical system access.
🎯 Exploit Status
Exploitation is trivial with publicly available proof-of-concept code. Attackers can easily automate exploitation across vulnerable systems.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2024.12.06_07 and later
Vendor Advisory: https://github.com/AllskyTeam/allsky/releases
Restart Required: No
Instructions:
1. Backup current configuration and data.
2. Download the latest version from GitHub releases.
3. Replace vulnerable files with patched versions.
4. Verify /includes/save_file.php has proper path validation.
🔧 Temporary Workarounds
Block save_file.php endpoint
Temporarily block access to the vulnerable endpoint via web server configuration
# Apache:
<Location "/includes/save_file.php">
    Require all denied
</Location>
# Nginx:
location ~ ^/includes/save_file\.php$ {
    deny all;
}
Restrict file system permissions
Limit web server write permissions to only the directories that need them
# Web root owned by root, readable (not writable) by the web server group
chmod 755 /var/www/html
chown root:www-data /var/www/html
# Files read-only for the web server, directories traversable but not writable
find /var/www/html -type f -exec chmod 644 {} \;
find /var/www/html -type d -exec chmod 755 {} \;
🧯 If You Can't Patch
- Implement strict network access controls to limit access to AllSky web interface
- Deploy web application firewall with path traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Check if /includes/save_file.php exists and is accessible without authentication. Test with controlled path traversal payload to verify write capability.
Check Version:
grep -r "version.*202" /var/www/html/allsky/config/*.conf 2>/dev/null || cat /var/www/html/allsky/version.txt 2>/dev/null
Verify Fix Applied:
Verify version is v2024.12.06_07 or later. Test that save_file.php now validates file paths and rejects directory traversal attempts.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /includes/save_file.php with path parameter containing ../ sequences
- Web server error logs showing file write attempts to unexpected locations
- Creation of suspicious PHP files in web directories
Network Indicators:
- Unusual outbound connections from AllSky server to unknown IPs
- HTTP requests with path traversal patterns in POST parameters
SIEM Query:
source="web_access.log" AND uri="/includes/save_file.php" AND (path="*../*" OR content="*<?php*" OR content="*eval(*")
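The Log Indicators and SIEM query above can be turned into a small detector over the web server access log. This is an added example, not code from the AllSky project: it parses constructed Apache combined-format lines, flags POSTs to /includes/save_file.php whose request carries a (possibly URL-encoded) ../ sequence, and correlates a POST to that endpoint with a later request from the same IP to a PHP file outside an assumed allowlist of known scripts. Real POST bodies are not in the access log; the query-string placement and the allowlist are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log lines (not real traffic); the path parameter is shown in
# the query string so that the access log carries it. Use a WAF/audit log for bodies.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jan/2025:10:00:05 +0000] "POST /includes/save_file.php?path=..%2F..%2Fimages%2Fx.php HTTP/1.1" 200 12
203.0.113.9 - - [10/Jan/2025:10:00:07 +0000] "GET /images/x.php HTTP/1.1" 200 56
198.51.100.2 - - [10/Jan/2025:10:01:00 +0000] "POST /includes/save_file.php HTTP/1.1" 200 12
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
TARGET = "/includes/save_file.php"
KNOWN_PHP = {"/index.php", TARGET}   # assumed allowlist of legitimate scripts
WINDOW = timedelta(minutes=10)       # how long after a write a new .php hit counts

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, uri, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "uri": uri, "status": int(status)}

def has_traversal(uri):
    # Decode twice so single- and double-encoded ../ sequences are both caught.
    decoded = unquote(unquote(uri))
    return "../" in decoded or "..\\" in decoded

def detect(log_text):
    events = [e for e in map(parse, log_text.splitlines()) if e]
    alerts = []
    writes = defaultdict(list)   # ip -> timestamps of POSTs to save_file.php
    for e in events:
        script = e["uri"].split("?", 1)[0]
        if script == TARGET and e["method"] == "POST":
            writes[e["ip"]].append(e["time"])
            if has_traversal(e["uri"]):
                alerts.append(("traversal_in_request", e["ip"], e["uri"]))
        elif script.endswith(".php") and script not in KNOWN_PHP:
            # Unknown PHP file requested shortly after a write: possible webshell
            if any(timedelta(0) <= (e["time"] - t) <= WINDOW for t in writes[e["ip"]]):
                alerts.append(("new_php_after_write", e["ip"], script))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```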