
Network Security Vuln-Dev

RO CP root exploit

Subject: RO CP root exploit
Date: 30 Jul 2005 08:41:57 -0000
Affects
all versions of ROCP on an Apache-based system

how it is done
First of all, I was testing on my friend's Ragnarok server, which uses ROCP
Version 4.3.4a on an Apache-based system, and so I was stumbling through various
files I shouldn't have access to, such as http://server.com/CP/account_manage.php.
This file will bring up a list of users and passes, but of course I got ACCESS
DENIED, so I looked at its source on my machine and saw that it uses
CHECK_AUTH($_SERVER['PHP_SELF']);
to check the auth. So then I tried
http://server.com/CP/account_manage.php/login.php
(login.php is of course the login page and is open to guests) and all of a
sudden I had access to account_manage.php due to the way Apache handles this
string, and then I had every account name and unencrypted password. As well as
this site, I had access to every site I wasn't supposed to, such as
privileges.php/login.php or char_manage.php/login.php, and then I could search
for my character and click edit and I would get access denied, but then in the
address bar I saw that it tried to go to
char_manage.php/char_manage.php?search=user, so I changed it to
char_manage.php/login.php?search=user and bingo.

how to fix this
instead of using
CHECK_AUTH($_SERVER['PHP_SELF']);
try using something like
CHECK_AUTH(substr($_SERVER['SCRIPT_NAME'],4));
or 
check_auth("pagename.php");
or simply
echo (substr(__FILE__,12));

thanks
VaLiuS 
AKA
FJLJ
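To make the root cause of the bypass in this post concrete from the defender's side, here is an added PHP illustration (not ROCP's own code): the check_auth() body, the guest page list and the $_SERVER values are constructed assumptions. It evaluates the same guest request once with the check keyed on PHP_SELF, which Apache populates with the trailing path info, and once keyed on SCRIPT_NAME, which names only the script that actually executes.

```php
<?php
// Added illustration, not ROCP's code. check_auth(), the guest page list and
// the $_SERVER values below are constructed assumptions.

$guest_pages = ['login.php'];   // every other page requires an admin login

// Hypothetical check: allow if logged in, or if the page is guest-viewable.
// It looks only at the last path component of whatever it is handed.
function check_auth(string $page, bool $logged_in): bool
{
    global $guest_pages;
    return $logged_in || in_array(basename($page), $guest_pages, true);
}

// What Apache/PHP populate for a guest request to
// GET /CP/account_manage.php/login.php (constructed values).
$server = [
    'PHP_SELF'        => '/CP/account_manage.php/login.php', // script + PATH_INFO
    'SCRIPT_NAME'     => '/CP/account_manage.php',           // script only
    'SCRIPT_FILENAME' => '/var/www/CP/account_manage.php',   // same file as __FILE__
    'PATH_INFO'       => '/login.php',                       // client-controlled
];
$logged_in = false;

// Vulnerable: the value passed to check_auth ends in whatever the client
// appended after the script name, so the guest page name satisfies the check.
$vulnerable = check_auth($server['PHP_SELF'], $logged_in);

// Fixed: key the check on the script that is really executing; a client cannot
// change SCRIPT_NAME (or __FILE__) by appending path segments to the URL.
$fixed = check_auth(basename($server['SCRIPT_NAME']), $logged_in);

printf("PHP_SELF check:    %s\n", $vulnerable ? 'ALLOWED' : 'DENIED');
printf("SCRIPT_NAME check: %s\n", $fixed ? 'ALLOWED' : 'DENIED');

// Defence in depth on the web server: refusing trailing path info for the PHP
// handler makes such URLs a 404 before any script runs.
//   AcceptPathInfo Off
```

Run it with `php` on the command line; the first line reports the bypass, the second the denial.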
