Bugtraq: PHPAuction bug

[<ethx () hotmail com>]

A bug in the PHPAuction code allows anyone to create
admin account for this software.

This is the part of the email sent on Jun 28th to 
software () phpauction org

--------------

The reason I am writing this is major bug in your code. 
File /admin/login.php checks only that there is $action
set to "insert" and then goes ahead and inserts
username and password (if both are provided) in
adminUsers table. 

I understand that this is done to make
the installation simple, and if you insist in keeping
this feature, at least do the referrer check to make
sure request is coming from the page you think it is. 

The other solution is to put "action" in the session,
rather then checking for POST vars.

The following line added admin user with username test
and password test

curl
http://pro.phpauction.org/proplus/admin/login.php -d
"action=insert" -d "username=test" -d "password=test"

------------------

There was no response to this email to date.

Bug exists in all versions of this software found at:
www.phpauction.org and pro.phpauction.org