ID: 10902
Updated by: cynic
Reported By: [EMAIL PROTECTED]
Old-Status: Open
Status: Bogus
Bug Type: *Session related
Operating system:
PHP Version: 4.0.5
Assigned To:
Comments:
This could only happen with a misconfigured PHP - you would have to set it to register
globals AND extract GET/POST data AFTER session data.
Proper configuration is an admin responsibility.
Previous Comments:
---
[2001-05-16 10:19:23] [EMAIL PROTECTED]
Not really a bug, just an issue.
---
[2001-05-16 10:17:14] [EMAIL PROTECTED]
This is kind of similar to the old file upload problem, where you could set variables
in a POST.
In some cases (depends on the way the code is written), if a site stores login status
(eg. user name, etc) in session variables after an authorisation check, it is possible
to pass values as the same-named session vars, and therefore actually bypass the
authorisation step getting access to restricted areas.
---
ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at http://bugs.php.net/?id=10902edit=2
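
The override described in the 2001-05-16 10:17:14 comment, as an added example that is not part of the original report or PHP's own code: a small model, in current PHP syntax, in which request values and session values are copied into one flat variable table. The function names, the `auth_user` key and the sample arrays are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not code from the report. Every name below is hypothetical.

/** Copy each source into one flat variable table; later sources overwrite earlier ones. */
function import_globals(array ...$sources): array
{
    $table = [];
    foreach ($sources as $source) {
        foreach ($source as $name => $value) {
            $table[$name] = $value;
        }
    }
    return $table;
}

/** Fragile check: trusts whichever value ended up in the flat table. */
function user_from_table(array $table): ?string
{
    $user = $table['auth_user'] ?? null;
    return is_string($user) ? $user : null;
}

/** Hardened check: reads only the server-side session store. */
function user_from_session(array $session): ?string
{
    $user = $session['auth_user'] ?? null;
    return is_string($user) ? $user : null;
}

// Constructed sample data.
$session = ['auth_user' => 'alice'];   // written by the login step
$request = ['auth_user' => 'admin'];   // same-named value sent by the client

$cases = [
    'table, request copied last'  => user_from_table(import_globals($session, $request)),
    'table, session copied last'  => user_from_table(import_globals($request, $session)),
    'session store read directly' => user_from_session($session),
];

foreach ($cases as $label => $user) {
    printf("%-28s => %s\n", $label, $user ?? '(none)');
}
```

Only the first case returns the client-supplied name; the other two return the value the login step stored.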