PHP 4.2.0 and 4.2.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP POST request with certain arguments in a multipart/form-data form, which generates an error condition that is not properly handled and causes improper memory to be freed.
http://www.kb.cert.org/vuls/id/929115
http://www.iss.net/security_center/static/9635.php
http://www.cert.org/advisories/CA-2002-21.html