lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070831120551.11893.qmail@securityfocus.com>
Date: 31 Aug 2007 12:05:51 -0000
From: dp14@...mail.com
To: bugtraq@...urityfocus.com
Subject: Ragnarok Online Control Panel Authentication Bypass Vulnerability
 [new method]

VaLiuS has reported a vulnerability in Ragnarok Online Control Panel,
which can be exploited by malicious people to bypass certain security
restrictions.

The vulnerability is caused due to an error in the authentication
process when checking page access. This can be exploited to bypass
the authentication process via a specially crafted URL with an
appended non-restricted page.

The /.../ reffers to directory crawling

Example:
http://www.example.com/CP/...../account_manage.php/login.php

Successful exploitation requires that files are served from an Apache
HTTP server.

The vulnerability has been reported in version 4.3.4a. Other versions
may also be affected.

SOLUTION:
Edit the source code to ensure that the authentication process is
properly performed.

PROVIDED AND/OR DISCOVERED BY:
Calypso Steweren

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ