EUVD-2007-1695
PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when registerglobals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling sessiondecode on a string beginning with...