OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: ethxhotmail.com
Date: Tue Jul 02 2002 - 10:42:43 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ('binary' encoding is not supported, stored as-is) A bug in the PHPAuction code allows anyone to create
    admin account for this software.

    This is the part of the email sent on Jun 28th to
    softwarephpauction.org

    --------------

    The reason I am writing this is major bug in your code.
    File /admin/login.php checks only that there is $action
    set to "insert" and then goes ahead and inserts
    username and password (if both are provided) in
    adminUsers table.

    I understand that this is done to make
    the installation simple, and if you insist in keeping
    this feature, at least do the referrer check to make
    sure request is coming from the page you think it is.

    The other solution is to put "action" in the session,
    rather then checking for POST vars.

    The following line added admin user with username test
    and password test

    curl
    http://pro.phpauction.org/proplus/admin/login.php -d
    "action=insert" -d "username=test" -d "password=test"

    ------------------

    There was no response to this email to date.

    Bug exists in all versions of this software found at:
    www.phpauction.org and pro.phpauction.org