[26032] in bugtraq
PHPAuction bug
daemon@ATHENA.MIT.EDU (ethx@hotmail.com)
Tue Jul 2 15:43:09 2002
Date: 2 Jul 2002 15:42:43 -0000
Message-ID: <20020702154243.8661.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: <ethx@hotmail.com>
To: bugtraq@securityfocus.com
A bug in the PHPAuction code allows anyone to create
admin account for this software.
This is the part of the email sent on Jun 28th to
software@phpauction.org
--------------
The reason I am writing this is major bug in your code.
File /admin/login.php checks only that there is $action
set to "insert" and then goes ahead and inserts
username and password (if both are provided) in
adminUsers table.
I understand that this is done to make
the installation simple, and if you insist in keeping
this feature, at least do the referrer check to make
sure request is coming from the page you think it is.
The other solution is to put "action" in the session,
rather then checking for POST vars.
The following line added admin user with username test
and password test
curl
http://pro.phpauction.org/proplus/admin/login.php -d
"action=insert" -d "username=test" -d "password=test"
------------------
There was no response to this email to date.
Bug exists in all versions of this software found at:
www.phpauction.org and pro.phpauction.org
