PHP versions 5.3.2 and below utilize a cryptographically weak random number generator to produce session ID information. Additionally, not enough entropy is used for the initial seeding of the RNG, and some of the entropy can leak by careless use of the uniqid() PHP function. Under certain circumstances, these individual weaknesses interact and reduce the number of possible values of a PHP session ID so much that exhaustive search for a valid session ID against the web server becomes feasible.
8c84b573c1249141276869a59ae2230ce6a6572c58b5967a58370265274695f6