When PHP is configured to run as CGI, a vulnerability allows an attacker to disclose the source code of PHP files and potentially execute arbitrary code. It is triggered by a request whose query string contains no unescaped ‘=’ character, which causes PHP to output the file's contents directly.
Upgrade to the latest stable version of PHP or use Apache’s mod_rewrite module with RewriteCond and RewriteRule directives to filter out malicious requests.
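To check whether requests matching the condition above have already reached a server, the following added example (not part of the original advisory) scans access-log lines for PHP requests whose query string is non-empty and contains no literal ‘=’. It assumes common/combined log format and that PHP scripts are served under a `.php` name; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Request line inside a common/combined log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: PHP scripts are served under a .php name (optionally with path info).
PHP_PATH_RE = re.compile(r"\.php(?:/|$)", re.IGNORECASE)


def is_suspect_target(target):
    """True for a PHP request whose non-empty query string has no literal '='.

    The raw target is inspected before any URL decoding, so a percent-encoded
    '%3D' does not count as an unescaped '='.
    """
    parts = urlsplit(target)
    if not PHP_PATH_RE.search(parts.path):
        return False
    return bool(parts.query) and "=" not in parts.query


def find_suspect_requests(lines):
    """Return (client, target) pairs for log lines that match the condition."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_suspect_target(match.group("target")):
            hits.append((line.split(" ", 1)[0], match.group("target")))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?abc HTTP/1.1" 200 9041',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "POST /login.php?a%3Db HTTP/1.1" 200 77',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /static/logo.png?v2 HTTP/1.1" 200 3100',
    '192.0.2.14 - - [01/Jan/2024:10:00:15 +0000] "-" 408 0',
]

if __name__ == "__main__":
    for client, target in find_suspect_requests(SAMPLE_LOG):
        print(f"review: {client} requested {target}")
```

Matches are candidates for review rather than confirmed abuse, since a legitimate application may also use query strings without ‘=’.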