Vendor: PHPShell
By: John Page AKA hyp3rlinx
CVSS: 3,3 (MEDIUM)
Session Fixation
CWE: 384
Product Name: PHPShell
Affected Version From: 2.4
Affected Version To: 2.4
Patch Exists: NO
Related CWE: N/A
CPE: a:sourceforge.net:phpshell
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2019

PHPShell v2.4 Session Fixation

PHPShell does not regenerate the session ID upon authentication. This can potentially allow remote attackers to access parts of the application using only a valid PHPSESSID if the PHP.INI setting session.use_only_cookies=0 is in effect. PHPShell also has an existing XSS vulnerability, which increases the risk if an authenticated user clicks an attacker-supplied link and the attacker finds a way to access or set the victim's cookie.

In 'phpshell.php', line 153 calls the PHP function session_start(). After user authentication, no call to 'session_regenerate_id()' is made, leaving the authenticated session ID the same as the pre-auth session ID. However, 'session.use_only_cookies=1' has been the default since PHP 4.3.0, so exploitation would require that PHP.INI is set to 'session.use_only_cookies=0' on the victim's system.

Mitigation:

Ensure that the PHP.INI setting for session.use_only_cookies is set to 1.
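
The missing step described above, shown as an added example that is not PHPShell's own code: a hypothetical login handler that pins the cookie-only setting at runtime and regenerates the session ID once authentication succeeds. `check_credentials()`, the sample account and the `$_SESSION` keys are assumptions made for illustration.

```php
<?php
// Added example, not PHPShell code. check_credentials(), the sample
// account and the session keys below are hypothetical.

// Must run before session_start(): take the session ID from the cookie only,
// never from a URL parameter, regardless of what php.ini says.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse session IDs the server did not issue itself (PHP >= 5.5.2).
ini_set('session.use_strict_mode', '1');
// Keep the cookie out of reach of script, which limits what an XSS can read.
ini_set('session.cookie_httponly', '1');

session_start();

function check_credentials(string $user, string $pass): bool
{
    // Constructed sample account; a real application has its own user store.
    static $users = null;
    if ($users === null) {
        $users = ['admin' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function login(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    // Issue a new ID and delete the old session data, so an ID that was
    // known or planted before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION = [];                       // drop any pre-auth state
    $_SESSION['authenticated'] = true;
    $_SESSION['user'] = $user;
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $before = session_id();
    $ok = login($_POST['username'] ?? '', $_POST['password'] ?? '');
    // After a successful login the ID must differ from the pre-auth one.
    header('Content-Type: text/plain');
    echo $ok && $before !== session_id() ? "logged in, new session ID issued\n" : "login failed\n";
}
```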