Versions of PHP before 4.2.0 have been discovered to have allow an attacker to break into and run code on the server using multipart/form-data POST requests, often used to support file uploads

The bugs are in versions between 3.10 to 4.1.1, and are a mixture of broken boundary checks and heap overflows, with a some being easily exploitable

There are exploitable bugs on most platforms, including Linux, Solaris, x86 and BSD variants (which I assume includes Mac OS X). The greatest number of bugs affect Linux and Solaris.

The recommended fix is to upgrade to version 4.1.2

More info at CERT®

An earlier version of this article unforgivably broke the rights of Stefan Esser, for which I deeply apologise