I could redirect a user to any domain other than auctiva.com like this:
&nextpage%3dhttp%3a%2f%2fwww.anyotherdomain.com%2f
Also, I could generate a token for any Auctiva account without having the username and password of that account, just by specifying the &id= in ruparams.
Also, there are many other BUGS I found, but I believe these are the most important; it's about your own security.
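A server-side check that would refuse the redirect described above, as an added example that is not part of the original post and is not Auctiva's code. The function name, the host allowlist and the fallback path are assumptions; the input is the `ruparams` value after the framework has URL-decoded it once.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlist and fallback; a real deployment would list its own hosts.
ALLOWED_HOSTS = {"auctiva.com", "www.auctiva.com"}
DEFAULT_TARGET = "/"


def safe_next_page(ruparams: str) -> str:
    """Return the nextpage redirect target from a decoded ruparams string,
    or DEFAULT_TARGET when the target would leave the allowlisted hosts."""
    values = parse_qs(ruparams, keep_blank_values=True).get("nextpage", [])
    if len(values) != 1:  # missing or duplicated parameter: do not guess
        return DEFAULT_TARGET
    target = values[0].strip()
    # Backslashes and control characters are normalised differently by
    # browsers and server-side parsers, so refuse them outright.
    if not target or "\\" in target or any(ord(c) < 0x20 for c in target):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(target)
    except ValueError:
        return DEFAULT_TARGET
    if not parts.scheme and not parts.netloc:
        # Same-site relative path: must start with exactly one slash.
        ok = target.startswith("/") and not target.startswith("//")
        return target if ok else DEFAULT_TARGET
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET  # also catches scheme-relative //host/ targets
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET  # allowlisted-name@other-host form
    host = (parts.hostname or "").lower().rstrip(".")
    return target if host in ALLOWED_HOSTS else DEFAULT_TARGET


if __name__ == "__main__":
    # First sample is the fragment from the post; the rest are constructed.
    samples = [
        unquote("&nextpage%3dhttp%3a%2f%2fwww.anyotherdomain.com%2f"),
        "nextpage=https://www.auctiva.com/account",
        "nextpage=/listings/home",
        "nextpage=//www.anyotherdomain.com/",
        "nextpage=https://www.auctiva.com@www.anyotherdomain.com/",
    ]
    for s in samples:
        print(f"{s!r:65} -> {safe_next_page(s)}")
```

The comparison is an exact match on the parsed hostname, so a lookalike such as `www.auctiva.com.anyotherdomain.com` is rejected along with the plain off-site URL.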