The transparent session ID feature in the php4 package does not properly escape user-supplied input before inserting it into the generated HTML page. An attacker could use this vulnerability to execute embedded scripts within the context of the generated page.
For the stable distribution (woody) this problem has been fixed in version 4:4.1.2-6woody3.
For the unstable distribution (sid) this problem will be fixed soon. Refer to Debian bug #200736.
We recommend that you update your php4 package.
MD5 checksums of the listed files are available in the original advisory.