Unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to “certain characters in session names,” including special characters that are frequently associated with CRLF injection, SQL injection, cross-site scripting (XSS), and HTTP response splitting vulnerabilities. NOTE: while the nature of the vulnerability is unspecified, it is likely that this is related to a violation of an expectation by PHP applications that the session name is alphanumeric, as implied in the PHP manual for session_name().
ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
rhn.redhat.com/errata/RHSA-2006-0736.html
secunia.com/advisories/19927
secunia.com/advisories/21050
secunia.com/advisories/22004
secunia.com/advisories/22069
secunia.com/advisories/22225
secunia.com/advisories/22440
secunia.com/advisories/22487
secunia.com/advisories/23247
securitytracker.com/id?1016306
support.avaya.com/elmodocs2/security/ASA-2006-221.htm
support.avaya.com/elmodocs2/security/ASA-2006-222.htm
www.mandriva.com/security/advisories?name=MDKSA-2006:122
www.osvdb.org/25253
www.php.net/release_5_1_3.php
www.redhat.com/support/errata/RHSA-2006-0669.html
www.redhat.com/support/errata/RHSA-2006-0682.html
www.securityfocus.com/archive/1/447866/100/0/threaded
www.securityfocus.com/bid/17843
www.turbolinux.com/security/2006/TLSA-2006-38.txt
www.ubuntu.com/usn/usn-320-1
issues.rpath.com/browse/RPL-683
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10597