White Star Software Protop Directory Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
A directory traversal vulnerability has been identified in White Star Software Protop version 4.4.2-2024-11-27, specifically within the '/pt3upd/' endpoint. This vulnerability allows an unauthenticated attacker to remotely read arbitrary files from the underlying operating system by sending requests with encoded traversal sequences.
Impact
Exploitation of this vulnerability could lead to local file inclusion, allowing attackers to read sensitive files on the server.
Reproduction
To reproduce this vulnerability, send a GET request to the '/pt3upd/' endpoint with encoded directory traversal sequences. This request can be made using a web browser, curl, or any tool that allows for HTTP requests. The encoded traversal sequences should be crafted to navigate up the directory structure and access files such as '/etc/passwd'.
Remediation
Users are advised to update to the latest version of White Star Software Protop, as the vendor has released a patch for this vulnerability.
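The advisory above describes encoded traversal sequences sent to '/pt3upd/' to read files outside the served directory. The following added example (not code from White Star Software or from the Protop product) shows the two things a defender most wants at this point: a path-resolution check that decodes repeatedly, normalizes, and refuses any path that escapes the served root, and a detector that runs the same decoding over web-server log lines to flag traversal attempts against that endpoint. The served root, the log lines, and the function names are all constructed for illustration; Protop's real directory layout is not stated in the advisory.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical served root (assumption: the real Protop layout is not given).
SERVED_ROOT = "/opt/protop/pt3upd"


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so double-encoded
    sequences such as %252e%252e%252f are unwrapped before any check."""
    prev, cur, rounds = None, path, 0
    while cur != prev and rounds < max_rounds:
        prev, cur = cur, unquote(cur)
        rounds += 1
    return cur


def resolve_under_root(requested: str, root: str = SERVED_ROOT) -> Optional[str]:
    """Return the absolute path for `requested` if it stays inside `root`,
    otherwise None. Decoding and normalization happen before the containment
    check, which is the ordering a traversal bypass relies on being wrong."""
    decoded = fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded:          # NUL bytes can truncate paths in C-level APIs
        return None
    rel = decoded.lstrip("/")      # a leading slash would make join() drop root
    candidate = posixpath.normpath(posixpath.join(root, rel))
    root_norm = posixpath.normpath(root)
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


def is_traversal_attempt(request_path: str) -> bool:
    """True if any path segment is '..' after full decoding."""
    decoded = fully_decode(request_path).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


# Minimal combined-log-format matcher: client, request path, status.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})'
)


def find_traversal_hits(log_text: str, prefix: str = "/pt3upd/") -> List[Tuple[str, str, int]]:
    """Scan log lines for requests under `prefix` whose remainder contains a
    traversal segment once decoded; returns (client, path, status) per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path, status = m.group(1), m.group(2), int(m.group(3))
        if path.startswith(prefix) and is_traversal_attempt(path[len(prefix):]):
            hits.append((client, path, status))
    return hits


# Constructed sample log: one benign request, one single-encoded and one
# double-encoded traversal attempt against the update endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /pt3upd/update.txt HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /pt3upd/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1811
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /pt3upd/%252e%252e%252fetc/shadow HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for client, path, status in find_traversal_hits(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path} -> HTTP {status}")
    print(resolve_under_root("update.txt"))
    print(resolve_under_root("%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"))
```

A 200 status on a flagged request is the line worth escalating, since it indicates the server actually returned the file rather than rejecting the path. The containment check compares against the normalized root plus a trailing slash so that a sibling directory with the same prefix (for example `/opt/protop/pt3upd-old`) is not accepted by accident.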
