[NewsReader42]

if(isset($_COOKIE['4chan_auser'])&&isset($_COOKIE['4chan_apass'])){ $user = mysql_real_escape_string($_COOKIE['4chan_auser']); $pass = mysql_real_escape_string($_COOKIE['4chan_apass']); }

HAHAHAHAAHAHAHAHAA

Steal a cookie, gain access.. WTF

[kawsper]

Aren't you able to hijack sessions on most webpages if you stole session cookies?

[odonnellryan]

The real problem is: "extract($_POST); extract($_GET); extract($_COOKIE);"

For more information on extract: http://www.php.net/extract

[cyphunk]

Docu on extract():

    Description 
       Import variables from an array into the current symbol table.
       If flags is not specified, it is assumed to be EXTR_OVERWRITE.

       EXTR_OVERWRITE
          If there is a collision, overwrite the existing variable.

The danger is that any state variables set before the extract($_...)'s can be overwritten arbitrarily. This also makes it essential that any and every variable is instantiated prior to any use.

[mandalar12]

Does it mean that the password is stored in the cookie or I am missing something ?

[spoiler]

It's probably a hashed version. It would be horrendous if it was actually stored in plain text.

[Kiro]

How do you "steal" a cookie?

[aidos]

The best bet is generally an xss attack. Though there are other ways, you could sniff one on a wireless network if no encryption is in use.

[exDM69]

Get on the same WiFi as your target, open up Wireshark and grab their HTTP communications.

To make this easier, there was/is a tool called Firesheep that can be used to hijack session cookies. The popularity of Firesheep caused many sites to enable HTTPS by default (e.g. Facebook did so).

[Kiro]

If you need to be on the same WiFi as your target I really don't see the big problem, realistically speaking.

[terminado]

Common, shared wired LANs at offices and workplaces are a problem. Home LANs, where family members need privacy from one another, is also a problem.