Ragnarok Online Control Panel Authentication Bypass Vulnerability [new method]

VaLiuS has reported a vulnerability in Ragnarok Online Control Panel, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error in the authentication process when checking page access. This can be exploited to bypass the authentication process via a specially crafted URL with an appended non-restricted page.

The /.../ reffers to directory crawling

Example:
http://www.example.com/CP/...../account_manage.php/login.php

Successful exploitation requires that files are served from an Apache HTTP server.

The vulnerability has been reported in version 4.3.4a. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that the authentication process is properly performed.

PROVIDED AND/OR DISCOVERED BY:
Calypso Steweren Received on Fri Aug 31 11:47:20 2007

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek