ID: 10902 User Update by: [EMAIL PROTECTED] Status: Open Bug Type: *Session related Operating system: Linux PHP Version: 4.0.5 Description: Possible security hole via external modification of session vars Not really a bug, just an issue. Previous Comments: --------------------------------------------------------------------------- [2001-05-16 10:17:14] [EMAIL PROTECTED] This is kind of similar to the old file upload problem, where you could set variables in a POST. In some cases (depends on the way the code is written), if a site stores login status (eg. user name, etc) in session variables after an authorisation check, it is possible to pass values as the same-named session vars, and therefore actually bypass the authorisation step getting access to restricted areas. --------------------------------------------------------------------------- Full Bug description available at: http://bugs.php.net/?id=10902 -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
