Valerie Holfield reported a vulnerability in the automatic login feature in phpmyfamily.
> When a visitor (someone who's not logged in) clicks to > download a document and then leaves the page, they > are automatically logged in as 'nobody.' > 'Nobody' now has the right to add people, change > information, upload and delete documents and images, > and is even given the option to change password > (although not sure what the system considers the > current password to be).
The vendor subsequently reported that the flaw only affects systems with "register_globals = On" in their 'php.ini' file.
