login.php in PCXP/TOPPE CMS allows remote attackers to bypass authentication and gain privileges by modifying the cookie to match the target userid.