TulipTools Internet Business Owners and Online Sellers Community

Full Version: Major Account Related Security Hole Discovered in RScript RSAuction Script
Amy alerted me to this problem after she was alerted by another user.  She was able to confirm the existence of this MAJOR account-related security hole using a demo of the script.

I'm not going to post the details of this vulnerability in the open because I don't want to give hackers and scammers a free pass to wreak havoc on the dozens of auction sites using this script, but...

If you're an RScript RSAuction site owner send me a PM and I'll fill you in on the nature of the problem.  A major account-related security flaw was discovered by a user.  Another person replicated the steps that led to the discovery of the bug and was able to verify the existence of this major security hole using a current demo of the script.

If you're an RScript programmer send me a PM and I'll give you the steps needed to replicate and confirm the existence of this major hole.  You need to issue a patch immediately.

PS for the person responsible for this bit of sloppy programming, a quote from reference.com:

Quote:Vulnerabilities often result from the carelessness of a programmer
http://www.reference.com/browse/wiki/Vul...computing)
The bug was first noticed on Wagglepop.  The demo on the RScript site has the same bug, so the problem most likely affects all sites using the script.

Other RScript sites:

AtOncer
BiddersNSellers
Ewaey
Lowbid
OvernightAuctions
PlunderHere
TheAuctionMan

and about 100 more.

I just reported the flaw to Secunia and gave them the details on how to verify it using the RScript demo.
The RScript demo is using the latest Version 2.73.1.5.1 version
Quote:I just reported the flaw to Secunia and gave them the details on how to verify it using the RScript demo.

Secunia listened to you.  They issued an advisory today.

Quote:Description:
switzer has reported a vulnerability in RSAuction, which can be exploited by malicious users to bypass certain security restrictions.

Accounts that are set to Suspended can change their own status to Active by clicking on the activation link that was e-mailed to them when they registered for their account.

Successful exploitation requires valid user credentials.

The vulnerability is reported in version 2.73.1.3. Other versions may also be affected.

Solution:
Edit the source code to stop activation links from changing the status of suspended accounts.

full advisory: http://secunia.com/advisories/25149/

EDIT:  In the 6 days since I posted this quote...

Quote:If you're an RScript RSAuction site owner send me a PM and I'll fill you in on the nature of the problem.

...ZERO RScript auction site owners have contacted me to find out the nature of the security hole - which says something about the importance they place on security on their sites.  Wagglepop is reportedly a regular reader here and PlunderHere is a member - no contact from either one of them.
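The advisory quoted above describes the flaw but not the code. The following is an added illustration, written for this page and not taken from RSAuction (whose source the thread does not show): a minimal activation handler with the reported behaviour (any valid registration token flips the account to Active, even when an admin has set it to Suspended) beside a hardened one that only honours the link for a Pending account and burns the token after use. The in-memory user table, field names and tokens are constructed assumptions.

```python
"""Activation-link state handling: the reported flaw beside a fix.

Added example for this thread; not RSAuction's code. The user table, the
status names and the tokens below are constructed for the demonstration.
"""
import hmac
import secrets

PENDING, ACTIVE, SUSPENDED = "pending", "active", "suspended"


def make_users():
    """Constructed stand-in for the script's user table.

    'alice' has just registered; 'mallory' was suspended by an admin but still
    holds the activation token that was e-mailed at registration time.
    """
    return {
        "alice": {"status": PENDING, "token": "tok-alice"},
        "mallory": {"status": SUSPENDED, "token": "tok-mallory"},
    }


def register(users, username):
    """Create a Pending account and return the token that would go in the e-mail."""
    token = secrets.token_urlsafe(32)
    users[username] = {"status": PENDING, "token": token}
    return token


def activate_vulnerable(users, username, token):
    """Models the reported behaviour: a matching token sets the account Active
    without looking at its current status, so a Suspended user can re-click the
    old e-mail link and un-suspend themselves."""
    user = users.get(username)
    if user is None or user["token"] is None:
        return False
    if not hmac.compare_digest(user["token"], token):
        return False
    user["status"] = ACTIVE  # no status check: Suspended -> Active
    return True


def activate_fixed(users, username, token):
    """Hardened handler.

    1. Only a Pending account may be activated; Suspended (or already Active)
       accounts are left untouched, which is the change Secunia's solution asks for.
    2. The token is single-use: once consumed it is cleared, so the e-mailed
       link cannot be replayed later even if the status check were ever relaxed.
    """
    user = users.get(username)
    if user is None or user["token"] is None:
        return False
    if not hmac.compare_digest(user["token"], token):
        return False
    if user["status"] != PENDING:
        return False
    user["status"] = ACTIVE
    user["token"] = None
    return True


def demo():
    """Run both handlers against the suspended account and report the outcome."""
    vulnerable = make_users()
    activate_vulnerable(vulnerable, "mallory", "tok-mallory")
    fixed = make_users()
    activate_fixed(fixed, "mallory", "tok-mallory")
    return vulnerable["mallory"]["status"], fixed["mallory"]["status"]


if __name__ == "__main__":
    before, after = demo()
    print(f"vulnerable handler leaves mallory: {before}")
    print(f"fixed handler leaves mallory: {after}")
```

The fix is a state-machine check, not a token check: the token in the e-mail was always valid, so verifying it harder does nothing; what matters is that the only transition an activation link may perform is Pending to Active. Clearing the token after use is a second, independent guard so the link is dead once it has done its job.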
Quote:Secunia listened to you.  They issued an advisory today.

Nice job, you guys.

Quote:...ZERO RScript auction site owners have contacted me to find out the nature of the security hole - which says something about the importance they place on security on their sites.  Wagglepop is reportedly a regular reader here and PlunderHere is a member - no contact from either one of them.

Not surprising considering who uses RScript.
Quote:...ZERO RScript auction site owners have contacted me

Worldauctions used it.  Ebay sued them, they closed.
Biduptoday used it.  He had a baby, he closed.
Suzanne, the Site Admin at PlunderHere, let me know that she wasn't made aware of the problem until yesterday and fixed the problem within hours of the time she learned of it.  I used a test account that Suzanne set up to verify that PlunderHere has fixed the problem.
Update: RScript has issued a patch.  Script users should update to version 2.73.1.5.2 to fix the security hole.

http://secunia.com/advisories/25149/