PHP Exploit for CGI installations

As described in this article, PHP has a bug for CGI installations where a simple query string parameter might be enough to get full access to the server.

No server should be using a CGI installation right now, but if you are unsure whether your server has one, it is pretty simple to verify. Simply create an info.php page with the following contents:


and load it from the server. If the Apache section of the PHP Info shows mod_cgi, you should be looking for a better installation, or some good security and contingency plan, until the patch for this bug is released.
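
A narrower check than a full PHP Info page, as an added example that is not from the original article: it prints only the Server API name and, when PHP runs inside Apache, whether the CGI modules are loaded. The function names `classify_sapi` and `is_cgi_sapi` are assumptions made for illustration.

```php
<?php
// Added example, not from the original article.
// Written without type hints or short arrays so it also runs on old PHP 5.
// Delete the file from the server once you have the answer.

// Map the Server API name to how PHP is being invoked.
function classify_sapi($sapi)
{
    $known = array(
        'cgi'            => 'php-cgi binary (CGI)',
        'cgi-fcgi'       => 'php-cgi binary (CGI or FastCGI)',
        'fpm-fcgi'       => 'PHP-FPM',
        'apache2handler' => 'Apache module (mod_php)',
        'cli'            => 'command line',
    );
    return isset($known[$sapi]) ? $known[$sapi] : 'other: ' . $sapi;
}

// True when the request is served by the php-cgi binary.
function is_cgi_sapi($sapi)
{
    return $sapi === 'cgi' || $sapi === 'cgi-fcgi';
}

$sapi = php_sapi_name();

// Plain text keeps the output minimal; headers do not apply on the CLI.
if ($sapi !== 'cli') {
    header('Content-Type: text/plain');
}
echo 'Server API: ', $sapi, ' (', classify_sapi($sapi), ")\n";
echo 'Served by php-cgi: ', is_cgi_sapi($sapi) ? 'yes' : 'no', "\n";

// apache_get_modules() only exists when PHP runs inside Apache.
if (function_exists('apache_get_modules')) {
    $cgi = array_intersect(array('mod_cgi', 'mod_cgid'), apache_get_modules());
    echo 'Apache CGI modules loaded: ', $cgi ? implode(', ', $cgi) : 'none', "\n";
}
```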

As a rule of thumb, no server should be using a CGI installation. Of all PHP installation formats, CGI is by far the worst for performance.


