Home page logo
/

bugtraq logo Bugtraq mailing list archives

RO CP root exploit
From: fjlj () wvi com
Date: 30 Jul 2005 08:41:57 -0000

effects 
all versions of ROCP on an apache based system

how it is done
first of all i was testing on my friends ragnarok server witch uses ROCP Version 4.3.4a on an apache based system and 
so i was stunmling through various files i shouldnt have access to such as http://server.com/CP/account_manage.php
this file will bring up a list of users and passes but of course i got ACCESS DENIED so i looked at its source on my 
machine and saw that it uses 
CHECK_AUTH($_SERVER['PHP_SELF']);
to check the auth so then i tried
http://server.com/CP/account_manage.php/login.php
(login.php is of course the login page and is open to guests) and all of a sudden i had access to account_manage.php 
due to the way apache handles this string. and then i had ever account name and un encrypted password. as well as this 
site i had acess to every site i wasnt supposed to such as privileges.php/login.php or char_manage.php/login.php and 
then i could search for my character and click edit and i would get access denied but then in the address bar i see 
that it tried to goto char_manage.php/char_manage.php?search=user so i changed it to 
char_manage.php/login.php?search=user and bingo 

how to fix this
instead of using
CHECK_AUTH($_SERVER['PHP_SELF']);
try using something like
CHECK_AUTH(substr($_SERVER['SCRIPT_NAME'],4));
or 
check_auth("pagename.php");
or simply
echo (substr(__FILE__,12));

thanks
VaLiuS 
AKA
FJLJ


  By Date           By Thread  

Current thread:
  • RO CP root exploit fjlj (Jul 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]