> > Sure, why not? Users can't create session variables (unless you're on a
> > virtual server...)
> 
> ... and I am -- A shared host server that is.

Now I'm not sure on this, I haven't tested it. Has anyone?

If we're on a virtual server, why can't I just open the
session.save_path with PHP and read all of the files? Determine which
one is yours and try to determine which variables you are saving. Say
you are setting $_SESSION['logged_in'] = 1 and $_SESSION['admin'] =
"Yes". Then your session file will look like a serialized version of the
$_SESSION array.

So say I figure out which ones are yours. I use a PHP script to write my
own bad_session_file.whatever in the session folder. Then I call up your
web page with www.example.com?PHPSESSID=bad_session_file and PHP will
load up the session file I just created and make me an admin... 

Like I said, I haven't tested it though. Safe mode might protect against
this, not sure. Anyone have any experience here?

---John Holmes...


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
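A defender-side counterpart to the scenario discussed above, added here as an example and not code from the thread: a PHP 8 SessionHandlerInterface implementation that keeps session files in a directory private to one site (the path below is a placeholder) and stores an HMAC over the data keyed with an application secret (assumed to live in the SESSION_SECRET environment variable), so a file dropped into the shared session.save_path by another user, or a crafted PHPSESSID, is never loaded as a valid session.

```php
<?php
// Example handler (not from the thread). Assumes PHP 8, a directory only this
// site's PHP user can access, and a per-application secret outside the web root.
class PrivateSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir, private string $secret) {}

    // Accept only the ID alphabet PHP generates, so a crafted PHPSESSID
    // cannot name a path outside $dir (e.g. "../other-site/sess_x").
    private function path(string $id): ?string
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1
            ? $this->dir . '/sess_' . $id : null;
    }

    // Returns the stored data only if the HMAC on the first line was made
    // with our secret; a file written by someone else fails this check.
    private function verified(string $file): ?string
    {
        $parts = explode("\n", (string) file_get_contents($file), 2);
        $data = $parts[1] ?? '';
        return hash_equals(hash_hmac('sha256', $data, $this->secret), $parts[0]) ? $data : null;
    }

    public function open(string $path, string $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $file = $this->path($id);
        if ($file === null || !is_file($file)) { return ''; }
        return $this->verified($file) ?? '';   // forged or tampered file: empty session
    }

    public function write(string $id, string $data): bool
    {
        $file = $this->path($id);
        if ($file === null) { return false; }
        $mac = hash_hmac('sha256', $data, $this->secret);
        return file_put_contents($file, "$mac\n$data", LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        return $file === null || !is_file($file) || unlink($file);
    }

    public function gc(int $max_lifetime): int|false
    {
        $old = array_filter(glob($this->dir . '/sess_*') ?: [], fn($f) => filemtime($f) < time() - $max_lifetime);
        return count(array_filter($old, 'unlink'));
    }
}

$secret = getenv('SESSION_SECRET') ?: throw new RuntimeException('SESSION_SECRET not set');
session_set_save_handler(new PrivateSessionHandler('/home/site/private/sessions', $secret), true);
session_start();
```

Pair this with session.use_strict_mode=1 and a validateId() implementation (SessionUpdateTimestampHandlerInterface) if you also want PHP to refuse client-supplied IDs it never issued.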
