#4 low-priority security / admin alert

open
nobody
None
5
2002-12-26
2002-12-26
No

the cookie that is issued for the user is the same that
is issued for an administrator. therefore, an ordinary
user may take their cookie and submit it under a
different name, and might think that they can gain
admin privileges.

fortunately, this can only occur on browsers operating
from the ip range 192.168.1.* due to the internal
restrictions in the cgi scripts.

Discussion