secuvera GmbH (former Tele-Consulting GmbH security | networking | training)
advisory 04/12/21

Topic:
PHPAuction Administrative Interface Authentication Bypass Vulnerability

Summary:
Due to poor checks at the login interface, it is possible to log in to the admin interface on several web auction systems without having a username or password.

Cause:
Every script located in the /admin/ directory checks if $HTTP_COOKIE_VARS["authenticated"] is set. If the value is set to "1", access is granted. All you have to do is to make such a cookie to be logged in.

Effect:
An attacker gets full access to the admin interface, and therefore the possibility to view, edit or delete users and auctions as well as further administrative functions. Depending on the script system and its enhancements, an attacker also gets further information about the database host, user and password.

Solution:
I   protect the admin folder with .htaccess
II  upgrade to a new piece of software :)
III rewrite the cookie based authentication in a secure way

Affected products:
all systems based on old releases of phpauction.org GPL with cookie based authentication and these releases of PHPAuction:
- PHPAuction 1.2
- PHPAuction 1.3
- PHPAuction 2.0
- PHPAuction 2.1

Vendor responses:
Vendors with affected products I know of were contacted on 04/12/17.
- phpauction.org has published several newer releases without this vulnerability and has therefore not been notified
- haggler.de: "Remote host said: 550 User unknown"
- phpauktion.de told me that all customers are advised to use .htaccess protection of the /admin/ folder (meanwhile also realized in their online demo) and that the premium version does not use cookie authentication anymore
- phpauction.de.vu did not respond; the download is still available

Credits:
Tobias Glemser (tglemser@secuvera.de)
secuvera GmbH, Germany (former Tele-Consulting security networking training GmbH)
www.secuvera.de
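The following is an added illustration, not code from the advisory or from the PHPAuction project. It places the cookie-trust pattern described under "Cause" next to a server-side session check of the kind solution III calls for. The function names, the `admins` table, and its `username`/`password_hash` columns are assumptions made for the example.

```php
<?php
// Added example (not PHPAuction code): the cookie-trust pattern the
// advisory describes, beside a hardened replacement that keeps the
// authentication decision on the server. Table and function names are
// assumptions for illustration.

// --- Vulnerable pattern (what the advisory describes) --------------------
// The browser supplies the cookie, so the browser decides whether it is
// "authenticated". Nothing is checked against server-side state.
// ($HTTP_COOKIE_VARS is the PHP 4 name for what is now $_COOKIE.)
function admin_is_authenticated_vulnerable(array $cookies): bool
{
    return isset($cookies['authenticated']) && $cookies['authenticated'] === '1';
}

// --- Hardened pattern (solution III) -------------------------------------
// The browser only ever holds an opaque session id; the fact that the
// session belongs to an administrator is recorded in $_SESSION on the server.

// Call once, before session_start(), from a shared include in /admin/.
function admin_session_setup(): void
{
    session_set_cookie_params([
        'httponly' => true,     // not readable from JavaScript
        'secure'   => true,     // only sent over HTTPS
        'samesite' => 'Strict', // not sent on cross-site requests
    ]);
    session_start();
}

// Verify credentials against a stored password hash and, only on success,
// mark the server-side session as an admin session.
function admin_login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM admins WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify, even for unknown usernames, so that the
    // response time does not reveal which usernames exist.
    $hash = ($row !== false) ? $row['password_hash']
                             : password_hash('placeholder', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    session_regenerate_id(true);            // new id after login (fixation defence)
    $_SESSION['admin_id']       = (int) $row['id'];
    $_SESSION['admin_login_at'] = time();
    return true;
}

// Gate for every script in /admin/ except the login page itself: the check
// reads server-side session state, never a client-controlled cookie value.
function admin_require_session(): void
{
    if (empty($_SESSION['admin_id'])) {
        header('Location: /admin/login.php', true, 302);
        exit;
    }
}

// Typical use at the top of /admin/edit_user.php and friends:
//   require 'admin_auth.php';   // the functions above (assumed file name)
//   admin_session_setup();
//   admin_require_session();
```

The essential difference is where the decision lives: the vulnerable check trusts a value the client can set to "1" at will, while the hardened check trusts only a server-side session entry that is created after `password_verify()` succeeds. Solution I (an Apache `AuthType Basic` block in `/admin/.htaccess`) adds an independent layer in front of the scripts and is a reasonable stopgap until the cookie logic is replaced.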