Comment 9 for bug 803720

FYI, the details have been published at https://nealpoole.com/blog/2011/08/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/

Chinese hackers appear to be particularly interested in this vulnerability. I would recommend trying to release a patched version ASAP.