A bug in the PHPAuction code allows anyone to create admin account for this software. This is the part of the email sent on Jun 28th to software@phpauction.org -------------- The reason I am writing this is major bug in your code. File /admin/login.php checks only that there is $action set to "insert" and then goes ahead and inserts username and password (if both are provided) in adminUsers table. I understand that this is done to make the installation simple, and if you insist in keeping this feature, at least do the referrer check to make sure request is coming from the page you think it is. The other solution is to put "action" in the session, rather then checking for POST vars. The following line added admin user with username test and password test curl http://pro.phpauction.org/proplus/admin/login.php -d "action=insert" -d "username=test" -d "password=test" ------------------ There was no response to this email to date. Bug exists in all versions of this software found at: www.phpauction.org and pro.phpauction.org
