[35330] in bugtraq
webauction
daemon@ATHENA.MIT.EDU (bq@phk.at)
Wed Jun 16 23:27:26 2004
Date: Tue, 15 Jun 2004 20:33:42 +0200
From: bq@phk.at
To: bugtraq@securityfocus.com
Message-ID: <20040615183342.GA24624@spartakus.phk.at>
Mail-Followup-To: bugtraq@securityfocus.com
While doing security reviews for a client I found code originating from
http://webauction.de.vu (v2_1) to be severely lacking. E.g., several parts
(del, del_views) allow deletion of items regardless of userid.
The software seems to be unmaintained by now (no response/updates), but having
been made aware of other people using their code, it's probably better for this
to be public.
Philipp Krammer
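The flaw class named in the message (a delete action that accepts an item id from the request and never checks that the item belongs to the logged-in user) as an added illustration. This is example code written for this page, not code from webauction or from the poster; the SQLite table layout, the function names and the sample items are assumptions made for the example. The vulnerable handler and the fixed handler sit side by side so the missing check is visible:

```python
"""
Missing ownership check on a delete action: a vulnerable handler next to a
fixed one. Example code for this page, not the webauction code base; the
schema, function names and sample rows are assumptions.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: items 1 and 2 belong to user 100, item 3 to user 200.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, userid INTEGER NOT NULL, title TEXT NOT NULL)"
    )
    con.executemany(
        "INSERT INTO items (id, userid, title) VALUES (?, ?, ?)",
        [(1, 100, "lamp"), (2, 100, "chair"), (3, 200, "bike")],
    )
    con.commit()
    return con


def delete_item_vulnerable(con: sqlite3.Connection, session_userid: int, item_id: int) -> bool:
    # Flaw: the caller's userid is available but never used, so any
    # logged-in user can delete any item just by choosing the id.
    cur = con.execute("DELETE FROM items WHERE id = ?", (item_id,))
    con.commit()
    return cur.rowcount == 1


def delete_item_fixed(con: sqlite3.Connection, session_userid: int, item_id: int) -> bool:
    # session_userid must come from the server-side session, never from the
    # request. The ownership check is folded into the DELETE itself, so there
    # is no check-then-act window; a non-owner simply gets rowcount 0.
    cur = con.execute(
        "DELETE FROM items WHERE id = ? AND userid = ?", (item_id, session_userid)
    )
    con.commit()
    return cur.rowcount == 1


def remaining_ids(con: sqlite3.Connection) -> list:
    return [row[0] for row in con.execute("SELECT id FROM items ORDER BY id")]


def demo() -> tuple:
    # User 200 tries to delete item 1, which belongs to user 100.
    con = make_db()
    vuln_deleted = delete_item_vulnerable(con, 200, 1)   # True: item is gone
    after_vuln = remaining_ids(con)

    con2 = make_db()
    fixed_refused = delete_item_fixed(con2, 200, 1)      # False: refused
    after_fixed = remaining_ids(con2)
    owner_deleted = delete_item_fixed(con2, 100, 1)      # True: owner may delete
    return vuln_deleted, after_vuln, fixed_refused, after_fixed, owner_deleted, remaining_ids(con2)


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to every state-changing action that takes an object id (delete, edit, close): the object's owner column is compared against the session's user in the query, not in separate application logic that can be skipped. Returning False rather than raising also keeps the handler from leaking whether an item id exists to users who do not own it.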