PHP sessions, public directory and isolation

By Ajabep
Tags: writeup, vulnerability

Alwaysdata, a hosting company, recently fixed a vulnerability: they stored PHP sessions in a shared directory. This allowed an attacker to learn PHP session IDs, though not their content, and the account in which each had been used.
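An added example, not part of the original writeup and not Alwaysdata's code: a Python audit that reports what a session directory exposes to other local accounts. It assumes PHP's default `files` save handler, which stores each session as a file named `sess_<session ID>`; the function names and the sample directory are constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: PHP's default "files" save handler (files named sess_<session ID>).


def audit_session_dir(path):
    """Report how much a session directory exposes to other local accounts."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    report = {
        # Read permission on a directory is what allows listing its file names,
        # and each file name carries a session ID.
        "listable_by_group": bool(mode & stat.S_IRGRP),
        "listable_by_other": bool(mode & stat.S_IROTH),
        "owner_uids": set(),      # accounts that have sessions stored here
        "readable_contents": 0,   # session files whose data others can read
    }
    for entry in os.scandir(path):
        if not entry.name.startswith("sess_"):
            continue
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            continue
        report["owner_uids"].add(st.st_uid)
        if stat.S_IMODE(st.st_mode) & (stat.S_IRGRP | stat.S_IROTH):
            report["readable_contents"] += 1
    return report


def is_exposed(report):
    """True when another account could enumerate session IDs in this directory."""
    return report["listable_by_group"] or report["listable_by_other"]


def make_sample_dir(dir_mode):
    """Build a constructed session directory holding one 0600 session file."""
    path = tempfile.mkdtemp(prefix="php-sessions-")
    name = os.path.join(path, "sess_constructedsampleid0000000")
    with open(name, "w") as fh:
        fh.write('constructed|s:6:"sample";')
    os.chmod(name, 0o600)
    os.chmod(path, dir_mode)
    return path


if __name__ == "__main__":
    for dir_mode in (0o755, 0o700):
        print(oct(dir_mode), audit_session_dir(make_sample_dir(dir_mode)))
```

Run it as the directory owner or root so the audit itself can list the directory; more than one value in `owner_uids` means several accounts share the same save path.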

