The vulnerability is caused by an error in the handling of an uninitialized structure inside the "glob()" function. This can be exploited to execute arbitrary code, which may allow security restrictions (e.g. the "disable_functions" directive) to be bypassed.
The vulnerability is confirmed in the 5.2.3 win32 installer. Other versions may also be affected.
The issue is marked as "less critical" and can easily be avoided by granting permission to execute PHP code on the server only to trusted users.