I've made some tests here and could reproduce the same vulnerability behaviour
described in your advisory.
Reading about session handlers, in php.ini, there is an option called
"session.use_only_cookies", that, if set, avoids such sort of attack which
involves passing session ids in URLs.
U...