When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution.
An example of the -s command, allowing an attacker to view the source code of index.php is below: http://localhost/index.php?-s
Ouch. According to the PHP website, this has been around for the last eight years.
PHP has released versions PHP 5.3.12 and PHP 5.4.2, as well as an official mod_rewrite based workaround: