Hardened-PHP Project Security Advisory - Since PHP5 a user supplied session ID is sent back to the user within a Set-Cookie HTTP header. Because there were no checks performed on the validity of this session id, it was possible to inject arbitrary HTTP headers into the response body of applications using PHP's builtin session functionality by supplying a special crafted session id. Versions 5.1.1 and below are affected. PHP4 is not affected.
4971bbe2e06b48a7908ab9d7d47baf826e68790f86a6405adda7b5e886c9d6e9