Community News:
PHP Security Issue Discovered
Jul 03, 2003 @ 12:06:47

According to this release, if you have a PHP version older than PHP 4.3.2RC1, you might be at risk for an attack from the GET string.

For a vulnerable web site, the following URL may lead to the generation of a web page containing the script included at the end: http://www.somesite.example/index.php?PHPSESSID="><script>...</script>. The page generated by PHP will include anchor tags that look like this: <a href="...?PHPSESSID="><script>.... Note that the attacker closes the anchor tag prematurely before including the script tag.

Basically, it's a cross-site scripting tactic that a nefarious user out there might abuse to get information out of your site. The main solution is to use the transparent SID that PHP already supports, or you can fix the session handler yourself and recompile PHP after the change. For more details, see this security release.
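The reflection described above can be modelled in a few lines of PHP. This is an added example, not code from the PHP source or from the security release; `rewrite_links_naive`, `rewrite_links_safe`, `is_valid_sid` and the allowed session-ID alphabet are assumptions made for illustration.

```php
<?php
// Simplified model of session-ID URL rewriting (hypothetical helpers,
// not PHP's internal implementation).

// Before: the client-supplied session ID is copied into every href as-is.
function rewrite_links_naive(string $html, string $sid): string
{
    return preg_replace_callback('/href="([^"]*)"/', function (array $m) use ($sid): string {
        $sep = (strpos($m[1], '?') === false) ? '?' : '&';
        return 'href="' . $m[1] . $sep . 'PHPSESSID=' . $sid . '"';
    }, $html);
}

// Assumed alphabet for a session ID: alphanumerics, comma and hyphen.
function is_valid_sid(string $sid): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $sid) === 1;
}

// After: an ID outside the alphabet is never propagated, and the appended
// part is URL-encoded and HTML-escaped before it reaches the attribute.
function rewrite_links_safe(string $html, string $sid): string
{
    if (!is_valid_sid($sid)) {
        return $html; // leave links untouched; the caller should issue a fresh ID
    }
    return preg_replace_callback('/href="([^"]*)"/', function (array $m) use ($sid): string {
        $sep   = (strpos($m[1], '?') === false) ? '?' : '&';
        $added = $sep . 'PHPSESSID=' . rawurlencode($sid);
        return 'href="' . $m[1] . htmlspecialchars($added, ENT_QUOTES, 'UTF-8') . '"';
    }, $html);
}

// Constructed sample input, same shape as the value quoted in the text above.
$page    = '<a href="index.php">home</a> <a href="list.php?p=2">next</a>';
$hostile = '"><script>...</script>';
$normal  = 'a1b2c3d4e5f6';

echo "naive, hostile ID:\n", rewrite_links_naive($page, $hostile), "\n\n";
echo "safe, hostile ID:\n",  rewrite_links_safe($page, $hostile), "\n\n";
echo "safe, normal ID:\n",   rewrite_links_safe($page, $normal), "\n";
```

With the hostile value, the naive version emits an anchor whose attribute is closed early by the injected quote, while the safe version returns the links unchanged.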

Thanks to Codewalkers.com for the pointer.
