A vulnerability in PHP, when run using CGI, allows arbitrary code execution by exploiting the lack of an unescaped ‘=’ character in query strings. This enables an attacker to execute operating system commands on the web server and return the results to the user’s browser.
Upgrade to the latest stable version of PHP or use Apache with mod_rewrite to filter out malicious requests using RewriteCond and RewriteRule directives.