http://www.php.net/archive/2012.php#id2012-05-03-1
Apparently there’s a serious (remote-access) security hole in certain PHP setups that’s gone unnoticed for over 8 years. According to SMF, the patch isn’t complete yet either. Full explanation and easy way to test if your site is vulnerable is all there at php.net.