SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   webAuction
Vendors:   webauction.de.vu
webAuction Lets Remote Users Delete Auction Items
SecurityTracker Alert ID:  1010511
SecurityTracker URL:  http://securitytracker.com/id/1010511
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 17 2004
Impact:   Modification of user information

Version(s): 2_1
Description:   Some vulnerabilities were reported in webAuction. A remote authenticated user can delete items on the auction site.

Philipp Krammer reported that some of the pages allow users to delete items regardless of the user's privileges. The report implied that other problems may also exist.

Impact:   A remote authenticated user can delete auction items.
Solution:   No solution was available at the time of this entry.
Vendor URL:  box.s-w-web.net/forum/
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  webauction



While doing security reviews for a client I found code originating from
http://webauction.de.vu (v2_1) to be severely lacking, e.g. several parts
(del, del_views) allow deletion of items regardless of userid.
The software seems to be unmaintained by now (no response/updates), but being
made aware of other people using their code, it's probably better for this to be
public.

Philipp Krammer
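
The report describes delete pages that act on an item without comparing its owner to the logged-in user. The sketch below is an added illustration, not webAuction source code: it contrasts that pattern with a delete that enforces ownership in the same SQL statement. The `items` table, its columns, the function names and the sample rows are all hypothetical, and Python with `sqlite3` is used only to keep the demo self-contained.

```python
import sqlite3

def make_db():
    # Constructed sample data: user 100 owns item 1, user 200 owns item 2.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, "
               "owner_id INTEGER NOT NULL, title TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?)",
                   [(1, 100, "lamp"), (2, 200, "chair")])
    db.commit()
    return db

def delete_item_unchecked(db, session_user_id, item_id):
    # Flawed pattern from the report: the caller is authenticated,
    # but session_user_id is never compared with the item's owner.
    cur = db.execute("DELETE FROM items WHERE id = ?", (item_id,))
    db.commit()
    return cur.rowcount == 1

def delete_item_checked(db, session_user_id, item_id, is_admin=False):
    # Ownership is part of the DELETE itself, so there is no gap between
    # a separate "who owns this?" lookup and the delete.
    # session_user_id must come from the server-side session, never from
    # a request parameter.
    if is_admin:
        cur = db.execute("DELETE FROM items WHERE id = ?", (item_id,))
    else:
        cur = db.execute(
            "DELETE FROM items WHERE id = ? AND owner_id = ?",
            (item_id, session_user_id))
    db.commit()
    # rowcount 0 means "no such item" or "not yours"; both are refused
    # identically, and a real handler would log the refusal for review.
    return cur.rowcount == 1

def remaining(db):
    # Helper for inspecting which item ids are still present.
    return [row[0] for row in db.execute("SELECT id FROM items ORDER BY id")]

if __name__ == "__main__":
    db = make_db()
    print(delete_item_unchecked(db, 100, 2), remaining(db))
    db = make_db()
    print(delete_item_checked(db, 100, 2), remaining(db))
```
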

 
 



Copyright 2019, SecurityGlobal.net LLC