| Field | Value |
|---|---|
| VID | 21651 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The PHPAuction software is vulnerable to authentication bypass. PHPAuction is an open-source online auction software package developed by Gianluca Baldo. PHPAuction version 2.1 and earlier could allow a remote attacker to gain unauthorized administrative access, caused by a design error in the authentication system that controls access to the PHPAuction administrative interface. By simply editing a session cookie value, a remote attacker could bypass the PHPAuction authentication system and gain access to the administrative interface. |
| References | http://pentest.tele-consulting.com/advisories/04_12_21_phpauction.txt |
| Platforms Affected | Gianluca Baldo PHPAuction version 2.1 and earlier; Linux, any version; Microsoft Windows, any version |
| Recommendation | Upgrade to the latest version of PHPAuction (greater than 2.1), available from the PHPAuction Web site at http://www.phpauction.org/html/index.php |
| Related URL | (CVE) |
| Related URL | 12069 (SecurityFocus) |
| Related URL | (ISS) |