Atheos Cloud IDE Path Traversal Vulnerability Allowing Arbitrary File Access and Execution

Vulnerability

A path traversal vulnerability has been identified in Atheos, a self-hosted cloud IDE, in versions prior to 559. The vulnerability arises from improper validation of the $path and $target parameters across multiple components, enabling authenticated attackers to read, modify, or execute arbitrary files on the server. Exploitable code paths exist in multiple PHP files, and their outcomes include unauthorized file access, execution of malicious code, and arbitrary file uploads.

Impact

Successful exploitation allows attackers to access sensitive files, execute arbitrary PHP code, and upload malicious files to unauthorized locations.

Reproduction

The vulnerability can be reproduced by sending requests to the affected PHP components with crafted path or filename parameters that traverse directories. For example, accessing 'download.php' or 'filemanager.php' with a filename parameter that includes directory traversal sequences can expose sensitive files like '/etc/passwd'. Alternatively, 'dialog.php' can be exploited by uploading a malicious dialog file that executes unauthorized code. The vulnerability also allows for arbitrary file uploads by manipulating the 'upload' parameter to include a malicious PHP file, which can then be executed via a crafted request.

Remediation

Users should update to Atheos version 600 or later, where this vulnerability has been fixed.
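The root cause named above is missing validation of user-controlled path parameters. The following is an added illustration for this page, not code from Atheos or from its fix: a small PHP routine that confines a request-supplied path (the role played by $path or $target in the advisory) to a workspace root before any read, write or include touches it. The function names, the temporary workspace directory and the sample inputs are all constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not Atheos code): confine a user-supplied path to a workspace root.
// Assumption: $root is an absolute directory that exists on disk.

/**
 * Lexically normalize a relative path: drop "." segments, resolve ".." segments and
 * reject any attempt to climb above the root. This never touches the filesystem, so
 * it is also usable for paths that do not exist yet (for example an upload target).
 * Returns null when the path would escape the root.
 */
function normalizeRelativePath(string $userPath): ?string
{
    // A NUL byte can truncate the path inside C-level file APIs; refuse it outright.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // Treat both "/" and "\" as separators. A leading "/" is simply dropped,
    // so an absolute-looking input is interpreted relative to the root.
    $parts = preg_split('~[\\\\/]+~', $userPath);
    $stack = [];
    foreach ($parts as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            if (empty($stack)) {
                return null; // would climb above the root
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $part;
    }
    return implode('/', $stack);
}

/**
 * Build an absolute path under $root, or return null if the request escapes it.
 * After the lexical check, realpath() of the deepest existing ancestor is compared
 * against the root as well, so a symlink inside the workspace cannot lead outside it.
 */
function confineToRoot(string $root, string $userPath): ?string
{
    $realRoot = realpath($root);
    if ($realRoot === false) {
        return null;
    }
    $relative = normalizeRelativePath($userPath);
    if ($relative === null) {
        return null;
    }
    $candidate = $relative === '' ? $realRoot : $realRoot . '/' . $relative;

    // Walk up to the deepest component that exists; the loop stops at $realRoot at the latest.
    $probe = $candidate;
    while (!file_exists($probe)) {
        $parent = dirname($probe);
        if ($parent === $probe) {
            return null;
        }
        $probe = $parent;
    }
    $resolved = realpath($probe);
    if ($resolved === false) {
        return null;
    }
    if ($resolved !== $realRoot && strpos($resolved, $realRoot . '/') !== 0) {
        return null; // a symlink resolved to a location outside the workspace
    }
    return $candidate;
}

// Demonstration with constructed inputs against a throwaway workspace directory.
$root = sys_get_temp_dir() . '/path_confinement_demo_workspace';
@mkdir($root, 0700, true);

$cases = [
    'project/index.php',        // ordinary file inside the workspace: accepted
    '../../etc/passwd',         // climbs above the root: rejected
    'project/../../etc/passwd', // same thing after partial descent: rejected
    'a/./b/../c.txt',           // harmless dot segments: accepted as a/c.txt
    "notes\0.php",              // embedded NUL byte: rejected
];
foreach ($cases as $case) {
    $result = confineToRoot($root, $case);
    printf("%-30s => %s\n", json_encode($case), $result === null ? 'REJECTED' : $result);
}
```

The check has to run on the fully normalized path, not on the raw parameter, and it has to run before the value reaches file_get_contents(), move_uploaded_file(), include or any similar call. Looking for the literal string ".." in the input is not sufficient on its own, because encoded or mixed-separator variants normalize to the same traversal. The advisory's remediation remains the upgrade it names; this example only shows the kind of validation whose absence it describes.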

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.