From: [EMAIL PROTECTED] Operating system: Linux PHP version: 4.0.5 PHP Bug Type: *Session related Bug description: Possible security hole via external modification of session vars This is kind of similar to the old file upload problem, where you could set variables in a POST. In some cases (depends on the way the code is written), if a site stores login status (eg. user name, etc) in session variables after an authorisation check, it is possible to pass values as the same-named session vars, and therefore actually bypass the authorisation step getting access to restricted areas. -- Edit Bug report at: http://bugs.php.net/?id=10902&edit=1 -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]