Logic Flaw Leading to RCE in Dynamicweb 9.5.0 - 9.12.7

We discussed this vulnerability during Episode 123 on 28 February 2022.

We touched on a similar issue last week in Zabbix, where the ability to access the setup process after it was complete could lead to compromising the system. In this situation no extra trickery was necessary, as it appears to have been a bad conditional allowing re-entry to the setup functionality.

if (string.IsNullOrEmpty(text) && Dynamicweb.Content.Management.Setup.SetupCompleted())
{
	base.Response.Redirect("/Admin");
}

The above code probably meant to use || instead of &&, which would create the condition: if text is empty or SetupCompleted() returns true, redirect to /Admin. Because && is used instead, it only redirects when both conditions are true. If an attacker provides an action, it won’t redirect and will instead go to the HandleAction method of the setup.
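The two conditions compared side by side, as an added example that is not Dynamicweb's code: it models only the boolean guard and checks the invariant a regression test should enforce (no request reaches HandleAction once setup has completed). The class, method names and the sample action value are hypothetical.

```csharp
using System;

// Added illustration, not Dynamicweb code. SetupGuardDemo, RedirectsAsShipped,
// RedirectsAsIntended and the sample action value are hypothetical; only the
// two boolean expressions come from the write-up.
static class SetupGuardDemo
{
    // Guard as quoted above: redirect to /Admin only when BOTH hold.
    static bool RedirectsAsShipped(string action, bool setupCompleted) =>
        string.IsNullOrEmpty(action) && setupCompleted;

    // Guard the write-up says was probably meant: redirect when EITHER holds.
    static bool RedirectsAsIntended(string action, bool setupCompleted) =>
        string.IsNullOrEmpty(action) || setupCompleted;

    // Invariant a regression test should enforce: once setup has completed,
    // no request may fall through to HandleAction, whatever action it carries.
    static bool HoldsAfterSetup(Func<string, bool, bool> redirects, string[] actions)
    {
        foreach (string action in actions)
            if (!redirects(action, true))
                return false;
        return true;
    }

    static void Main()
    {
        string[] actions = { "", "example-action" }; // constructed sample values
        Console.WriteLine("{0,-18}{1,-11}{2,-14}{3}",
            "action", "completed", "shipped (&&)", "intended (||)");
        foreach (bool completed in new[] { false, true })
            foreach (string action in actions)
                Console.WriteLine("{0,-18}{1,-11}{2,-14}{3}",
                    action.Length == 0 ? "(empty)" : action, completed,
                    RedirectsAsShipped(action, completed) ? "redirect" : "HandleAction",
                    RedirectsAsIntended(action, completed) ? "redirect" : "HandleAction");

        Console.WriteLine("shipped guard blocks setup re-entry:  {0}",
            HoldsAfterSetup(RedirectsAsShipped, actions));
        Console.WriteLine("intended guard blocks setup re-entry: {0}",
            HoldsAfterSetup(RedirectsAsIntended, actions));
    }
}
```

The only row where the two guards differ after setup has completed is the one with a non-empty action, which is the case the invariant check flags for the && form.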

HandleAction provides the usual suite of setup functionality like copying files to the system, setting database configuration information, and creating administrative users.