PHP Deserialization of Untrusted Data Vulnerability - CVE-2007-1701
PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".
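An added example, not part of the advisory: a Python check that walks data in PHP's `name|value` session format and reports top-level variable names that collide with superglobals, such as the `_SESSION` name in the demonstration string. The reserved-name list, the function names and the sample bytes are assumptions of this example, and only the common serialize() value types are handled.

```python
import re
# Superglobal names (this example's assumption); no session variable should use one.
RESERVED = set("GLOBALS _SESSION _GET _POST _COOKIE _SERVER _ENV _FILES _REQUEST".split())
_LEN = re.compile(rb"(\d+):")

def _num(buf, pos):
    m = _LEN.match(buf, pos)            # '<digits>:' -> (value, offset after ':')
    if not m:
        raise ValueError(f"bad length at offset {pos}")
    return int(m.group(1)), m.end()

def _skip_value(buf, pos):
    """Return the offset just past one serialize() value starting at pos."""
    tag = buf[pos:pos + 2]
    if tag in (b"N;", b"b:", b"i:", b"d:", b"r:", b"R:"):  # all end at ';'
        return buf.index(b";", pos) + 1
    if tag == b"s:":                    # s:<len>:"<bytes>";
        n, q = _num(buf, pos + 2)
        end = q + 1 + n                 # index of the closing quote
        if buf[end:end + 2] != b'";':
            raise ValueError(f"bad string at offset {pos}")
        return end + 2
    if tag in (b"a:", b"O:"):
        pos += 2
        if tag == b"O:":                # O:<len>:"<class>":<n>:{...}
            n, q = _num(buf, pos)
            pos = q + n + 3             # two quotes and a colon
        count, brace = _num(buf, pos)
        pos = brace + 1                 # step past '{'
        for _ in range(2 * count):      # count key/value pairs
            pos = _skip_value(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError(f"unterminated container at offset {pos}")
        return pos + 1
    raise ValueError(f"unsupported type at offset {pos}")

def session_names(buf):
    """Top-level variable names in 'name|value' session data."""
    names, pos = [], 0
    while pos < len(buf):
        bar = buf.index(b"|", pos)
        names.append(buf[pos:bar].decode("latin-1"))
        pos = _skip_value(buf, bar + 1)
    return names

def reserved_names(buf):
    return [n for n in session_names(buf) if n in RESERVED]

# Constructed sample; the '|' inside a string shows why a plain split is not enough.
SAMPLE = b'user|s:5:"alice";cart|a:1:{i:0;s:3:"a|b";}_SESSION|s:3:"abc";'
```

A non-empty result from `reserved_names` on a stored payload means the data should be rejected before it reaches session_decode.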