
PHPAuction allows anyone to create admin account for this software



3rd Jul 2002 [SBWID-5508]
COMMAND

	PHPAuction allows anyone to create admin account for this software

SYSTEMS AFFECTED

	All releases up to today (03 July 2002)?

PROBLEM

	ethx says :
	

	File /admin/login.php checks only that there is $action set to
	"insert" and then goes ahead and inserts username and password (if
	both are provided) in adminUsers table.
	

	The following line added an admin user with username test and password
	test:
	

	curl http://pro.phpauction.org/proplus/admin/login.php -d "action=insert" -d "username=test" -d "password=test"

	

SOLUTION

	None yet
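
	As an added illustration (not PHPAuction's code, not a vendor fix and not part of ethx's report), the sketch below puts the behaviour the report describes next to a handler that also requires an authenticated admin session. The column names, the admin_id session key and the function names are assumptions, and in-memory SQLite stands in for the application's database.

```php
<?php
declare(strict_types=1);

// adminUsers is the table named in the advisory; column names are assumed.
function insert_admin(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('INSERT INTO adminUsers (username, password) VALUES (?, ?)');
    return $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Behaviour as the advisory describes it: action=insert plus both fields is
// sufficient, so the caller's identity is never considered.
function handle_unguarded(PDO $db, array $post): bool
{
    $u = $post['username'] ?? '';
    $p = $post['password'] ?? '';
    if (($post['action'] ?? '') !== 'insert') return false;
    if (!is_string($u) || !is_string($p) || $u === '' || $p === '') return false;
    return insert_admin($db, $u, $p);
}

// Guarded form: the same request is honoured only when the session was marked
// by a prior successful admin login. In a web handler $session would be
// $_SESSION and $post would be $_POST; admin_id is a hypothetical key.
function handle_guarded(PDO $db, array $session, array $post): bool
{
    if (!isset($session['admin_id'])) {
        return false; // the check missing from the described handler
    }
    return handle_unguarded($db, $post);
}

// Constructed demo data; nothing here touches a real installation.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE adminUsers (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$rows = fn(): int => (int) $db->query('SELECT COUNT(*) FROM adminUsers')->fetchColumn();

$post = ['action' => 'insert', 'username' => 'test', 'password' => 'test'];
handle_guarded($db, [], $post);                 // anonymous caller
echo 'adminUsers rows after anonymous request: ', $rows(), "\n";
handle_guarded($db, ['admin_id' => 1], $post);  // caller with an admin session
echo 'adminUsers rows after admin request: ', $rows(), "\n";
```

	Counting rows in adminUsers before and after a request, as the demo does, is also a quick way to audit an existing installation for accounts nobody remembers creating.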

