Title: PHPAuction Administrative Interface Authentication Bypass Vulnerability
Severity: HIGH
Description:
PhpAuction is a freely available web-based auction system. It is written using PHP scripting language on a MySQL database engine.
PhpAuction is reported prone to an authentication bypass vulnerability. It is reported that this vulnerability exists due to a weak design of the system used to control access to the PhpAuction administrative interface.
Specifically, it is reported that PhpAuction solely relies on a cookie value 'authenticated=1' being set to differentiate the clients are authenticated to the software and the clients that are not.
By simply editing a session cookie and entering the 'authenticated=1' value an attacker may bypass the PhpAuction authentication system and gain access to the administrative interface.
Affected Products:
- PHPAuction PHPAuction 1.2.0
- PHPAuction PHPAuction 1.3.0
- PHPAuction PHPAuction 2.0.0
- PHPAuction PHPAuction 2.1.0
References:
- PHPauction: PHPauction Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
