Vulnerability found:
The remote administration interface includes a script that lets the administrator add images, text and other files to the web server. By default this page is located at /qshop/admin/upload.htm, and it is reachable without authentication.
Using this sample upload script, a remote attacker can upload files such as ntdaddy.asp, cmd.asp or explore.asp to the web server and thereby gain full access to it.
Versions affected:
Versions 2.x up to 2.5 rev A
Solution:
Edit admin/outputfile.asp and change the top of the file to:
<%
Response.Expires = 0
Response.Buffer = True
%>
<!--#include file="security.asp"-->
<%
'----------------------------------
'Path where the root of the shop is
The included security.asp checks that the user has already logged in and otherwise redirects the user to the login page.
After this, you will also need to update admin/security.asp. Where it says:
If Request.Form("user") <> "" Then
'check for POSTed authentication information
Change to (the new If InStr(...) condition must be written on a single line):
If InStr(UCASE(Request.ServerVariables("PATH_INFO")),"OUTPUTFILE.ASP") = 0 Then
If Request.Form("user") <> "" Then
'check for POSTed authentication information
And then where it says:
Attempted=True
Rejected=True
End If
End If
Change to:
Attempted=True
Rejected=True
End If
End If
End If
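To make the effect of the patched include concrete, here is a Python model of the decision logic above together with an outputfile.asp-style handler that runs the check before writing anything (added here as an illustration; it is not QShop's ASP code). The session key "logged_in", the credential check, LOGIN_PAGE and the sample credentials are assumptions.

```python
import hmac

# Added example, not QShop's own code: a Python model of the patched
# admin/security.asp logic and of outputfile.asp including it first.
# The session key "logged_in", the credential check and LOGIN_PAGE are
# assumptions; VALID_USERS holds constructed sample credentials.
LOGIN_PAGE = "/qshop/admin/login.asp"     # assumed login page location
VALID_USERS = {"admin": "s3cret"}          # constructed sample credentials


def security_check(path_info, form, session):
    """Model of the patched security.asp include.

    The POSTed-credentials branch is skipped when the include runs inside
    OUTPUTFILE.ASP, so an upload POST is never treated as a login attempt.
    The session check below still runs for every page, which is what keeps
    outputfile.asp gated. Returns the verdict plus the two flags the
    original sets (Attempted, Rejected).
    """
    attempted = rejected = False
    if "OUTPUTFILE.ASP" not in path_info.upper():
        if form.get("user", "") != "":
            # check for POSTed authentication information
            attempted = True
            expected = VALID_USERS.get(form["user"])
            supplied = form.get("password", "")
            if expected is not None and hmac.compare_digest(supplied, expected):
                session["logged_in"] = True
            else:
                rejected = True
    verdict = "allow" if session.get("logged_in") else "redirect"
    return {"verdict": verdict,
            "redirect": None if verdict == "allow" else LOGIN_PAGE,
            "attempted": attempted, "rejected": rejected}


def handle_upload(path_info, form, session, files, store):
    """outputfile.asp with the include at the top: gate first, write second.

    `store` stands in for the web root; nothing is written on a redirect.
    """
    result = security_check(path_info, form, session)
    if result["verdict"] != "allow":
        return result
    for name, data in files.items():
        store[name] = data
    return result
```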
NOTE:
As mentioned in the manual, it is advisable to rename the admin folder to something else so that attackers cannot guess its location. It is also advisable to protect the folder at the web-server level with a username and password, in addition to the application's own login.