CVE-2007-4723 - Vulnerability Details - OpenCVE

Directory traversal vulnerability in Ragnarok Online Control Panel 4.3.4a, when the Apache HTTP Server is used, allows remote attackers to bypass authentication via directory traversal sequences in a URI that ends with the name of a publicly available page, as demonstrated by a "/...../" sequence and an account_manage.php/login.php final component for reaching the protected account_manage.php page.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Http Server
Ragnarok Online Control Panel Project	Ragnarok Online Control Panel

Configuration 1 [-]

AND

cpe:2.3:a:ragnarok_online_control_panel_project:ragnarok_online_control_panel:4.3.4a:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://osvdb.org/45879
http://securityreason.com/securityalert/3100
http://www.securityfocus.com/archive/1/478263/100/0/threaded

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-09-05T19:00:00

Updated: 2024-08-07T15:08:32.958Z

Reserved: 2007-09-05T00:00:00

Link: CVE-2007-4723

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2007-09-05T19:17:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2007-4723

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-08-31T00:00:00", "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in Ragnarok Online Control Panel 4.3.4a, when the Apache HTTP Server is used, allows remote attackers to bypass authentication via directory traversal sequences in a URI that ends with the name of a publicly available page, as demonstrated by a \"/...../\" sequence and an account_manage.php/login.php final component for reaching the protected account_manage.php page."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "3100", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/3100"}, {"name": "20070831 Ragnarok Online Control Panel Authentication Bypass Vulnerability [new method]", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/478263/100/0/threaded"}, {"name": "45879", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/45879"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-4723", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in Ragnarok Online Control Panel 4.3.4a, when the Apache HTTP Server is used, allows remote attackers to bypass authentication via directory traversal sequences in a URI that ends with the name of a publicly available page, as demonstrated by a \"/...../\" sequence and an account_manage.php/login.php final component for reaching the protected account_manage.php page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "3100", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/3100"}, {"name": "20070831 Ragnarok Online Control Panel Authentication Bypass Vulnerability [new method]", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/478263/100/0/threaded"}, {"name": "45879", "refsource": "OSVDB", "url": "http://osvdb.org/45879"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T15:08:32.958Z"}, "title": "CVE Program Container", "references": [{"name": "3100", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/3100"}, {"name": "20070831 Ragnarok Online Control Panel Authentication Bypass Vulnerability [new method]", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/478263/100/0/threaded"}, {"name": "45879", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/45879"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-4723", "datePublished": "2007-09-05T19:00:00", "dateReserved": "2007-09-05T00:00:00", "dateUpdated": "2024-08-07T15:08:32.958Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ragnarok_online_control_panel_project:ragnarok_online_control_panel:4.3.4a:*:*:*:*:*:*:*", "matchCriteriaId": "12F2E1BB-7D48-4816-85B2-6E6AF67B5A44", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A6CD1F4-4C0E-4989-A2B3-DC086E8E80A3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in Ragnarok Online Control Panel 4.3.4a, when the Apache HTTP Server is used, allows remote attackers to bypass authentication via directory traversal sequences in a URI that ends with the name of a publicly available page, as demonstrated by a \"/...../\" sequence and an account_manage.php/login.php final component for reaching the protected account_manage.php page."}, {"lang": "es", "value": "Vulnerabilidad de salto de directorio en Ragnarok Online Control Panel 4.3.4a, cuando se utiliza Apache HTTP Server, permite a atacantes remotos evitar la autenticaci\u00f3n mediante secuencias de salto de directorio en un URI que termina con el nombre de una p\u00e1gina p\u00fablicamente disponible, como ha sido demostrado por la secuencia \"/...../\" y un componente final account_manage.php/login.php para acceder a la p\u00e1gina protegida account_manage.php."}], "id": "CVE-2007-4723", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-09-05T19:17:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://osvdb.org/45879"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://securityreason.com/securityalert/3100"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/archive/1/478263/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://osvdb.org/45879"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://securityreason.com/securityalert/3100"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/archive/1/478263/100/0/threaded"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}