I want to tell that pretty nasty bug was discovered in PHP (all tested
versions were vulnerable). I do not want to disclose much details as it may
hurt many websites. I expect PHP team to make patch first.
There is simple way to protect yourself against this bug if you put some code
in beginning of every source code looking for weird ASCII bytes before any
other code. Make some kind of "white-list" for characters you allow and deny
More details to come when we have PHP patches distributed with major
distributions. I might disclose details before to some IDS vendor or other