#26 When going between "Bobb's" programs user may auto-login

Milestone: 0.9.3
Status: closed-fixed
Owner: Brandon Nimon
Labels: Security (23)
Priority: 4
Updated: 2005-08-30
Created: 2005-08-30
Creator: Brandon Nimon
Private: No

Due to the design of PHP Sessions, if a user goes from
one of "Bobb's" programs (File Manage/PHP Guestbook
Admin/etc.) to another on the same server and has the same
username and password, they will automatically be logged in.
Since the username and password would have to be the same,
this isn't much of a security problem, but it is a problem
nonetheless.
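The mechanism behind this ticket, and the fix the discussion below describes (checking the accessed file's path against the session data), shown as an added PHP example. This is not Bobb's code: the function names, the `app_path` session key and the sample paths are assumptions made for illustration. Two PHP applications on the same host that use the default session name (`PHPSESSID`), the default cookie path `/` and the same session save path read and write the same `$_SESSION` array, so a login flag set by one is visible to the other.

```php
<?php
// Added example, not code from Bobb's programs.
// session_start() must already have been called before these run.

// --- Vulnerable pattern (hypothetical reconstruction) ---
// Each application only asks "is there a username in the session?".
// Because both share the session, logging in to one logs in to both.
function is_logged_in_shared(): bool
{
    return !empty($_SESSION['username']);
}

// --- Hardened pattern: bind the login to the application that created it ---
// $app_path is the directory of the protected script, e.g. dirname(__FILE__).
function normalize_path(string $path): string
{
    // realpath() returns false for paths that do not exist; fall back to the
    // given string so the comparison below still has something to check.
    $real = realpath($path);
    return rtrim(str_replace('\\', '/', $real !== false ? $real : $path), '/');
}

function login_bound(string $username, string $app_path): void
{
    session_regenerate_id(true);              // fresh id at privilege change
    $_SESSION['username'] = $username;
    $_SESSION['app_path'] = normalize_path($app_path); // remember which app
}

function is_logged_in_bound(string $app_path): bool
{
    return !empty($_SESSION['username'])
        && isset($_SESSION['app_path'])
        && hash_equals($_SESSION['app_path'], normalize_path($app_path));
}

// --- Demonstration (constructed paths; run from the CLI) ---
if (PHP_SAPI === 'cli') {
    session_start();
    $fileManager = __DIR__;                      // stands in for the File Manager install
    $guestbook   = __DIR__ . '/guestbook-admin';  // stands in for the Guestbook Admin install

    login_bound('bobb', $fileManager);

    // Shared check: true for BOTH applications (the bug in this ticket).
    var_dump(is_logged_in_shared());              // bool(true)

    // Bound check: true only for the application that performed the login.
    var_dump(is_logged_in_bound($fileManager));   // bool(true)
    var_dump(is_logged_in_bound($guestbook));     // bool(false)
}
```

The path check mirrors the fix recorded in the discussion. The other standard remedy, which the ticket does not mention, is to stop the applications sharing a session at all: call `session_name('bobb_filemanager')` (a distinct name per application) before `session_start()`, or set the cookie path to the application's own directory with `session_set_cookie_params()`, so each install gets its own session cookie and its own session record.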

Discussion

  • Brandon Nimon, 2005-08-30

    Logged In: YES
    user_id=1049916

    Now it checks the accessed file's path and references it
    against the PHP session info.

  • Brandon Nimon, 2005-08-30

    • assigned_to: nobody --> bnimon
    • status: open --> closed-fixed