


Category:   Application (Game)  >   PvPGN
Vendors:
PvPGN statsreq Packet Flaw Lets Remote Users Access Arbitrary Accounts
SecurityTracker Alert ID:  1011050
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 25 2004
Impact:   Disclosure of authentication information, Disclosure of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.6.4
Description:   A vulnerability was reported in PvPGN. A remote user can obtain any user's password hash and then gain access to the target user's account.

The vendor reported that there is a flaw in the processing of the statsreq packet. A remote user can query arbitrary attributes for arbitrary accounts.

A remote user can query the 'passhash' attribute to obtain the target user's hashed password and then use that information to gain access to the target user's account.

dizzy is credited with reporting this flaw.
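
The per-attribute access check that this class of flaw calls for, as an added example (not PvPGN's code and not the vendor's patch). The function name, the key names other than 'passhash', and the policy itself are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed allowlist: attributes any client may read about any account. */
static const char *const PUBLIC_KEYS[] = {
    "profile\\description", "profile\\location", "record\\wins", "record\\losses",
};

/* Case-insensitive equality, so key matching does not depend on client casing. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Case-insensitive substring search, so "PassHash" cannot slip past the rule. */
static int icontains(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return n == 0;
}

/* Hypothetical check: may `requester` read attribute `key` of account `target`? */
int attr_read_allowed(const char *requester, const char *target, const char *key)
{
    if (!requester || !target || !key || !*key)
        return 0;
    if (icontains(key, "passhash"))     /* credential material never leaves the server */
        return 0;
    if (strcmp(requester, target) == 0) /* owner may read own non-secret attributes */
        return 1;
    for (size_t i = 0; i < sizeof PUBLIC_KEYS / sizeof PUBLIC_KEYS[0]; i++)
        if (ieq(key, PUBLIC_KEYS[i]))
            return 1;
    return 0;                           /* default deny for other accounts */
}
```

The check belongs in the server's request handler, applied to every requested key before any value is looked up, so that an unlisted attribute is refused rather than returned.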

Impact:   A remote user can gain access to arbitrary user accounts.
Solution:   The vendor has issued a fixed version (1.6.4), available at:

Some patches are also available.

For 1.6.x users, apply the patch from:

For 1.7.x users:

Vendor URL:
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
