Security expert Andreas Bogk warns that the session IDs of users logged into PHP implementations remain guessable.

Open source webmail provider Roundcube was patched against a vulnerability that could be trivially exploited to run code on servers or access email accounts.

Researchers urge developers to ban PHP SuperGlobal variables in applications. These variables are wide open to remote code execution, remote file inclusion and security bypasses.

A flaw in the EMV protocol, which lays out the rules for chip-and-PIN card transactions at ATMs and point-of-sale terminals, could enable persistent attackers to carry out bogus card transactions.
Source: https://threatpost.com/php-session-ids-can-be-guessed-033010/73759/