Another very prevalent security bug is SQL injection. Pick any variable that list.php, system.php etc. put into an SQL statement and drop in your own query. The best one to use is the "dir" variable (its normal value is a sort direction such as ASC), because it lands at the very end of the query, so it is easy to make it something like:
http://<site>/openaudit/list.php?dir=ASC;delete * from.........
Whether the second statement after the semicolon actually runs depends on the database driver the application uses, but even where it does not, the attacker still controls the tail of the query. Combined with the password bypass vulnerability, this gives a user unrestricted access to your database:
http://<site>/openaudit/list.php?page=add_pc&dir=ASC;drop .......
Obviously, this is really dangerous. The _REQUEST, _POST and _GET variables need to be filtered before they reach any query, and that can be done centrally in include.php. A quick example of a coarse allow-list check follows; note that it also rejects empty values and anything containing spaces or dots, so treat it as a stopgap. The proper fix is to validate each parameter against the values it may legitimately take (ASC or DESC for "dir") and to escape or bind every value that goes into SQL:
[code]
// Reject any request variable whose value is not a simple token.
// $_REQUEST already merges $_GET, $_POST and $_COOKIE, so one loop covers them.
foreach ($_REQUEST as $key => $value) {
    // values can be arrays (foo[]=1&foo[]=2), so check every element
    foreach ((array) $value as $item) {
        // allow only 0-9, a-z (either case), underscore and dash
        if (!preg_match('/^[0-9a-z_-]+$/i', (string) $item)) {
            // escape the key before echoing it back, or this check becomes an XSS
            print('Invalid characters found in "' . htmlspecialchars($key) . '". Terminating...<br>');
            die();
        }
    }
}
[/code]
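To show both halves of the problem side by side, here is an added example (not code from the post or from the Open-AudIT project): a list query that appends the request-supplied "dir" to the end of the SQL exactly as the post describes, next to a hardened version that allow-lists the sort column and direction and binds the filter value. The table and column names (hosts, hostname, domain, last_seen) and the query text are assumptions made for the example; the demo uses an in-memory SQLite database with constructed rows.

```php
<?php
// Added example, not code from the Open-AudIT post or project. The query,
// table and column names ("hosts", "hostname", "domain", "last_seen") are
// assumed for illustration; the shape (a request-supplied sort direction
// appended to the end of the SQL) is the pattern the post describes for "dir".

// Vulnerable pattern: whatever arrived as "dir" is glued onto the query.
function build_list_query_vulnerable(string $sortColumn, string $dir): string
{
    return "SELECT hostname, domain FROM hosts ORDER BY $sortColumn $dir";
}

// Hardened pattern: identifiers cannot be bound as parameters, so they are
// checked against a fixed allow-list and anything else is rejected outright.
function order_by_clause(string $sortColumn, string $dir): string
{
    $allowedColumns = ['hostname', 'domain', 'last_seen'];   // assumed columns
    if (!in_array($sortColumn, $allowedColumns, true)) {
        throw new InvalidArgumentException("sort column not allowed: $sortColumn");
    }
    $dir = strtoupper($dir);
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        throw new InvalidArgumentException("sort direction must be ASC or DESC");
    }
    return "ORDER BY $sortColumn $dir";
}

// Values (as opposed to identifiers) go in as bound parameters, so the
// database never parses them as SQL.
function find_hosts(PDO $db, string $domain, string $sortColumn, string $dir): array
{
    $sql  = "SELECT hostname, domain FROM hosts WHERE domain = :domain "
          . order_by_clause($sortColumn, $dir);
    $stmt = $db->prepare($sql);
    $stmt->execute([':domain' => $domain]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE hosts (hostname TEXT, domain TEXT, last_seen TEXT)");
$db->exec("INSERT INTO hosts VALUES ('pc01', 'corp', '2006-01-01'), "
        . "('pc02', 'corp', '2006-01-02'), ('pc03', 'o''corp', '2006-01-03')");

// A "dir" value in the style of the post's payload.
$dirFromRequest = "ASC; DELETE FROM hosts";

// The vulnerable builder hands the attacker's statement to the database verbatim.
echo build_list_query_vulnerable('hostname', $dirFromRequest), "\n";

// The hardened path refuses it before any SQL is built.
try {
    find_hosts($db, 'corp', 'hostname', $dirFromRequest);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Legitimate use still works: case-insensitive direction, and a value
// containing a quote is harmless because it is bound, not interpolated.
foreach (find_hosts($db, 'corp', 'hostname', 'desc') as $row) {
    echo $row['hostname'], "\n";
}
foreach (find_hosts($db, "o'corp", 'hostname', 'ASC') as $row) {
    echo $row['hostname'], "\n";
}
```

Run it with php on the command line (the pdo_sqlite extension must be loaded). If the code must keep assembling the query string itself, as with the old mysql extension, the allow-list in order_by_clause is the part that matters for "dir": escaping functions protect values, not identifiers such as a sort column or direction, which is why those are restricted to a fixed set rather than escaped.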