Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Date: Tue Jul 02 2002 - 10:42:43 CDT
('binary' encoding is not supported, stored as-is)
A bug in the PHPAuction code allows anyone to create
admin account for this software.
This is the part of the email sent on Jun 28th to
The reason I am writing this is major bug in your code.
File /admin/login.php checks only that there is $action
set to "insert" and then goes ahead and inserts
username and password (if both are provided) in
I understand that this is done to make
the installation simple, and if you insist in keeping
this feature, at least do the referrer check to make
sure request is coming from the page you think it is.
The other solution is to put "action" in the session,
rather then checking for POST vars.
The following line added admin user with username test
and password test
"action=insert" -d "username=test" -d "password=test"
There was no response to this email to date.
Bug exists in all versions of this software found at:
www.phpauction.org and pro.phpauction.org