[Original] The Next action in PEAR HTML_QuickForm_Controller 1.0.4 includes the SID in the URL even when session.use_only_cookies is configured, which allows remote attackers to obtain the SID via an HTTP Referer field and possibly other vectors.
PEAR HTML_QuickForm_Controller URL Session ID Disclosure
Remote / Network Access
Loss of Confidentiality
PEAR HTML_QuickForm_Controller contains a flaw that may lead to unauthorized disclosure of potentially sensitive information. The issue is due to improper handling of the session.use_only_cookies directive and may disclose the session ID in the URL to a remote attacker.
It has been reported that this issue has been fixed. Upgrade to version 1.0.5 or higher to address this vulnerability.
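The class of flaw described above, as an added PHP example that is not the package's own code or its actual patch: a redirect-URL builder that appends the session ID whenever one is available, beside one that honours the cookies-only setting. The function names, the `/wizard.php` target and the session ID value are constructed for the illustration.

```php
<?php
// Added illustration; function names and sample values are hypothetical.

// Flawed pattern: append "name=id" whenever a session ID pair is available,
// without consulting session.use_only_cookies.
function buildNextUrlFlawed(string $action, string $sidPair): string
{
    if ($sidPair === '') {
        return $action;
    }
    $sep = (strpos($action, '?') === false) ? '?' : '&';
    return $action . $sep . $sidPair;
}

// Hardened pattern: when the application is configured for cookies only,
// the session ID never goes into the URL, so it cannot reach a Referer
// header, a proxy log or browser history.
function buildNextUrlHardened(string $action, string $sidPair, bool $useOnlyCookies): string
{
    if ($useOnlyCookies || $sidPair === '') {
        return $action;
    }
    $sep = (strpos($action, '?') === false) ? '?' : '&';
    return $action . $sep . $sidPair;
}

// In a live application these would come from the runtime:
//   $useOnlyCookies = filter_var(ini_get('session.use_only_cookies'),
//                                FILTER_VALIDATE_BOOLEAN);
//   $sidPair        = session_name() . '=' . session_id();
// Fixed, constructed values keep the demonstration deterministic.
$useOnlyCookies = true;
$sidPair = 'PHPSESSID=constructed0123456789abcdef'; // constructed sample
$action  = '/wizard.php?step=2';                    // constructed target

echo "flawed:   ", buildNextUrlFlawed($action, $sidPair), PHP_EOL;
echo "hardened: ", buildNextUrlHardened($action, $sidPair, $useOnlyCookies), PHP_EOL;

// Regression check: with cookies-only on, the redirect must not carry the ID.
if (strpos(buildNextUrlHardened($action, $sidPair, true), 'PHPSESSID=') !== false) {
    throw new RuntimeException('session ID leaked into redirect URL');
}
```

The same regression check can be pointed at the `Location` header of a deployed form's redirect response to confirm that the upgrade to 1.0.5 or higher is in effect.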