Secunia

Some vulnerabilities have been reported in PHPAuctions, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct SQL injection and cross-site scripting attacks, and bypass certain security restrictions.

1) Input passed to the "user_id" parameter in profile.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed to the "user_id" parameter in profile.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

3) The application allows access to user accounts by checking if a certain cookie exists. This can be exploited to gain access to another user's control panel by creating the cookie "PHPAUCTION_RM_ID" and assigning it the value corresponding to the desired user.

4) Input passed to the "Item Description" when adding a new auction is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site if malicious data is viewed.

Successful exploitation of this vulnerability requires valid user credentials.

5) Input passed to the "cat" parameter in viewfaqs.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution
Edit the source code to ensure that input is properly sanitised.
Further details available in Customer Area

Provided and/or discovered by
1) x0r
2) ZoRLu
4) Sid3^effects
5) BorN To K!LL - h4ck3r

Changelog
Further details available in Customer Area

Original Advisory
1) http://milw0rm.com/exploits/7672
2) http://milw0rm.com/exploits/7674
4) http://www.exploit-db.com/exploits/13892/

Deep Links
Links available in Customer Area